Security and Privacy Considerations

Last updated 5 months ago

Overview

WarpStream upholds the security, privacy, and compliance standards required to handle mission-critical workloads for our customers.

In the interest of transparency, WarpStream maintains a compliance portal that includes information about our security and compliance practices, including certification reports and detailed information regarding the controls that we have implemented.

In addition to following the best practices and controls documented on our compliance portal, WarpStream also supports Kafka ACLs, as well as SASL/PLAIN and SASL/SCRAM-SHA-512 authentication for both Serverless clusters and clusters with Agents running in your environment (BYOC).

Data isolation for Bring Your Own Cloud (BYOC) clusters

WarpStream's "Bring Your Own Cloud" product is designed to maintain strict security and privacy considerations by ensuring that raw data written to WarpStream clusters never leaves your VPC or object storage buckets.

The only data that ever leaves your VPC is metadata about your Kafka workloads that is required for the correct functioning of your clusters, which includes the following:

  1. Topic names

  2. Topic metadata (partition counts, configuration, etc)

  3. File metadata (object store bucket name, compressed size, uncompressed size, etc)

  4. Record timestamps and offsets (but never record keys or record contents)

  5. Consumer group names, configuration and offsets

  6. Kafka client IDs

  7. Producer IDs, epochs, and sequence numbers

  8. Agent Metadata (stored ephemerally in memory, never persisted to disk)

    1. Number of connections (for load balancing)

    2. Number of vCPUs (for determining how many concurrent jobs it can run) and utilization.

    3. Internal / Private IP addresses. These addresses are not routable from the internet, and are required so that the Agents can cluster with each other within a single availability zone.

    4. Availability zone.

  9. A small sample of the Agent's logs so that we can help diagnose and debug issues remotely. This can be disabled by setting the -disableLogsCollection flag or WARPSTREAM_DISABLE_LOGS_COLLECTION=true environment variable. These logs never contain raw data, and only contain things like error messages or high level statistics.

  10. The Agent's profiling data so that we can investigate performance degradations remotely. This can be disabled with the -disableProfileForwarding flag or the WARPSTREAM_DISABLE_PROFILE_FORWARDING environment variable. These profiles only contain information about program execution.

Data isolation for BYOC Schema Registry clusters

The only data that leaves your VPC is metadata about your schemas that is necessary for the correct functioning of your schema registry clusters, which includes the following:

  1. Schema metadata: schema data format, schema ID

  2. Schema subject names

  3. Schema subject metadata: schema context name, compatibility rule, subject version, schema ID, soft deleted

  4. File metadata: object store bucket name, schema size

  5. Schema reference metadata: subject, subject version

  6. Schema context name

    1. Global configuration: default compatibility rule

  7. Agent Metadata (stored ephemerally in memory, never persisted to disk)

    1. Number of connections (for load balancing)

    2. Number of vCPUs (for determining how many concurrent jobs it can run) and utilization.

    3. Internal / Private IP addresses. These addresses are not routable from the internet, and are required so that the Agents can cluster with each other within a single availability zone.

    4. Availability zone.

  8. A small sample of the Agent's logs so that we can help diagnose and debug issues remotely. This can be disabled by setting the -disableLogsCollection flag or WARPSTREAM_DISABLE_LOGS_COLLECTION=true environment variable. These logs never contain raw data, and only contain things like error messages or high level statistics.

  9. The Agent's profiling data so that we can investigate performance degradations remotely. This can be disabled with the -disableProfileForwarding flag or the WARPSTREAM_DISABLE_PROFILE_FORWARDING environment variable. These profiles only contain information about program execution.

WarpStream's BYOC Schema Registry is also designed to maintain strict security and privacy by ensuring that raw schemas registered to the BYOC Schema Registry clusters never leave your VPC or object storage buckets.
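
A configuration check for the two opt-outs named in both lists above (log sample collection and profile forwarding), as an added example that is not WarpStream's own tooling. It assumes the Agent's environment is available as a KEY=VALUE file and its arguments as one whitespace-separated string, that WARPSTREAM_DISABLE_PROFILE_FORWARDING takes the value true like the logs variable, and that a bare flag or flag=true means disabled; telemetry_still_enabled and is_disabled are hypothetical helper names.

```shell
#!/bin/sh
# Added example: report which optional telemetry streams an Agent launch
# configuration still forwards. Assumptions: an env var disables a stream
# only when it equals "true"; a flag disables it when bare or "=true".

# is_disabled ENV_FILE ARGV ENV_NAME FLAG_NAME -> exit 0 if the opt-out is set
is_disabled() {
    env_file=$1; argv=$2; env_name=$3; flag_name=$4
    # Last assignment in the file wins, as it would when the file is sourced.
    val=$(grep -E "^(export[[:space:]]+)?${env_name}=" "$env_file" 2>/dev/null |
          tail -n 1 | cut -d= -f2- | tr -d "\"'" | tr '[:upper:]' '[:lower:]')
    [ "$val" = "true" ] && return 0
    # ARGV is deliberately unquoted so it splits into individual arguments.
    for arg in $argv; do
        case $arg in
            -"$flag_name"|--"$flag_name"|-"$flag_name"=true|--"$flag_name"=true)
                return 0 ;;
        esac
    done
    return 1
}

# telemetry_still_enabled ENV_FILE ARGV -> prints one line per stream still on
telemetry_still_enabled() {
    if ! is_disabled "$1" "$2" WARPSTREAM_DISABLE_LOGS_COLLECTION disableLogsCollection; then
        echo "log sample forwarding"
    fi
    if ! is_disabled "$1" "$2" WARPSTREAM_DISABLE_PROFILE_FORWARDING disableProfileForwarding; then
        echo "profile forwarding"
    fi
}

# Constructed sample: an env file that opts out of log collection only.
sample_env=$(mktemp)
printf '%s\n' 'WARPSTREAM_DISABLE_LOGS_COLLECTION=true' > "$sample_env"
telemetry_still_enabled "$sample_env" "agent"
rm -f "$sample_env"
```

Empty output means both opt-outs are in place; any printed line names a stream that the configuration still sends out of the VPC.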
