Compliance security profile
This page describes the compliance security profile, its compliance controls, and supported features. To enable the compliance security profile, see Configure enhanced security and compliance settings.
Compliance security profile overview
The compliance security profile enables additional monitoring, enforced instance types for inter-node encryption, a hardened compute image, and other features and controls on Databricks workspaces.
Enabling the compliance security profile is required if you use Databricks to process data that is regulated under the following compliance standards:
- C5
- CCCS Medium (Protected B)
- DoD IL5
- FedRAMP High
- FedRAMP Moderate
- HIPAA
- Infosec Registered Assessors Program (IRAP)
- Korean Financial Security Institute (K-FSI)
- PCI-DSS
- TISAX
- UK Cyber Essentials Plus
You can also choose to enable the compliance security profile for its enhanced security features without conforming to a compliance standard.
If you enable this feature on any workspace, you are charged for the Enhanced Security and Compliance add-on as described on the pricing page.
- You are solely responsible for ensuring your own compliance with all applicable laws and regulations.
- You are solely responsible for ensuring that the compliance security profile and the appropriate compliance standards are configured before processing regulated data.
- If you add HIPAA, it is your responsibility before you process PHI data to have a BAA agreement with Databricks.
- For features that integrate with external systems, you are solely responsible for verifying that your configuration and use of the feature meet applicable compliance requirements.
- You are solely responsible for verifying that sensitive information is never entered in customer-defined input fields, such as workspace names, compute resource names, tags, job names, job run names, network names, credential names, storage account names, and Git repository IDs or URLs. These fields might be stored, processed, or accessed outside the compliance boundary.
Compliance security profile security enhancements
Security enhancements include:
-
A hardened operating system image that includes:
- A CIS Level 1 hardened image
- FIPS 140 validated encryption modules
-
Automatic cluster updates, ensuring clusters have the latest updates by periodically restarting them during configurable maintenance windows. See Automatic cluster update.
-
Enhanced security monitoring, which includes monitoring agents that generate reviewable logs. See Monitoring agents in Databricks compute plane images.
-
Enforced use of AWS Nitro instance types in clusters and Databricks SQL SQL warehouses.
-
All egress communication uses TLS 1.2 or higher, including communication with the metastore.
Classic and serverless compute support by region
The compliance security profile determines which compliance standards are enforced for compute resources in both the classic and serverless compute planes.
Classic compute resources support a wide range of compliance standards across regions. Serverless compute resources (serverless SQL warehouses, serverless compute for notebooks and workflows, and serverless Lakeflow Spark Declarative Pipelines) have more limited support depending on the compliance standard and region.
The table below lists which compliance standards are supported in each compute plane and the corresponding supported regions:
Compliance standard | Classic compute plane support | Serverless compute plane support |
|---|---|---|
None | All regions | All regions with serverless |
C5 | All regions | All regions with serverless |
CCCS Medium (Protected B) |
| None |
DoD IL5 & FedRAMP High (AWS GovCloud DoD) |
|
|
DoD IL5 & FedRAMP High (AWS GovCloud) |
|
|
FedRAMP Moderate |
|
|
HIPAA | All regions | All regions with serverless |
IRAP |
|
|
K-FSI |
| None |
PCI-DSS | All regions |
|
TISAX | All regions | All regions with serverless |
UK Cyber Essentials Plus |
| None |
† Public Preview for serverless compute for notebooks, jobs, and Lakeflow Spark Declarative Pipelines and Beta for serverless SQL warehouses
See Compliance standards with serverless and standard compute availability.
For more information on compute plane architecture, see High-level architecture.
Supported preview features
Only the preview and beta features listed in this section are supported for workspaces with the compliance security profile enabled. All other preview or beta features are not supported.
The following table lists all supported preview and beta features:
- Most features are available for all compliance standards with the compliance security profile enabled.
- Features marked with a specific compliance standard (such as "HIPAA only") are only supported for workspaces configured with that compliance standard.
- Features marked "Serverless" are only avliable on the serverless compute plane. See Classic and serverless compute support by region.
Preview features are not supported on AWS GovCloud unless specifically listed in Feature availability.
Feature | Status | Compute | Notes |
|---|---|---|---|
Public Preview | Standard | Legacy feature. See Account-level and workspace-level SCIM provisioning. | |
Public Preview | Standard | ||
Public Preview | Standard | ||
Public Preview | Standard | ||
Public Preview | Standard | ||
Public Preview | Standard | ||
Public Preview | Standard | ||
Public Preview | Standard | ||
Public Preview | Standard | ||
Public Preview | Standard | ||
Public Preview | Standard | ||
Public Preview | Standard | ||
Public Preview | Standard | ||
Public Preview | Standard | ||
Public Preview | Standard | ||
Public Preview | Standard | ||
Public Preview | Standard | ||
Data governance hub | Private Preview | Standard | |
Public Preview | Serverless | ||
Public Preview | Serverless | ||
Public Preview | Serverless | ||
Public Preview | Serverless | ||
Beta | Serverless | ||
Serverless forecasting Python SDK | Private Preview | Serverless | |
Public Preview | Standard | HIPAA only | |
Public Preview | Standard | HIPAA only | |
Public Preview | Standard | HIPAA only | |
Beta | Serverless | ||
Beta | Serverless |