Compliance security profile

Preview

This feature is in Public Preview.

This page describes the compliance security profile, its compliance controls, and supported features. To enable the compliance security profile, see Configure enhanced security and compliance settings.

Compliance security profile overview

The compliance security profile enables additional monitoring, a hardened compute image, and other features and controls on Databricks workspaces. The compliance security profile includes controls that help meet the applicable security requirements of some compliance standards. Enabling the compliance security profile is required to use Databricks to process data that is regulated under the following compliance standards:

• C5
• HIPAA
• PCI-DSS
• TISAX

You can also choose to enable the compliance security profile for its enhanced security features without conforming to a compliance standard.

If you enable this feature on any workspace, you are charged for the Enhanced Security and Compliance add-on as described on the pricing page.

important

• If your workspace was enabled for HIPAA compliance prior to the release of the compliance security profile, you must enable the compliance security profile for your workspace.

• You are solely responsible for ensuring your own compliance with all applicable laws and regulations.

• You are solely responsible for verifying that sensitive information is never entered in customer-defined input fields, such as workspace names, compute resource names, tags, job names, job run names, network names, credential names, storage account names, and Git repository IDs or URLs. These fields might be stored, processed, or accessed outside the compliance boundary.

Compliance security profile security enhancements

Security enhancements include:

• A hardened operating system image that includes:

  • A CIS Level 1 hardened image
  • FIPS 140 validated encryption modules

• Automatic cluster updates, ensuring clusters have the latest updates by periodically restarting them during configurable maintenance windows. See Automatic cluster update.

• Enhanced security monitoring, which includes monitoring agents that generate reviewable logs. See Monitoring agents in Databricks compute plane images.

• Communications within the cluster and for egress use TLS 1.2 or higher, including communication with the metastore.

Classic and serverless compute support by region

The compliance security profile determines which compliance standards are enforced for compute resources in both the classic and serverless compute planes.

Classic compute resources support a wide range of compliance standards across regions. Serverless compute resources (serverless SQL warehouses, serverless compute for notebooks and workflows, and serverless Lakeflow Spark Declarative Pipelines) have more limited support depending on the compliance standard and region.

The table below lists which compliance standards are supported in each compute plane and the corresponding supported regions:

Compliance standard	Classic compute plane support	Serverless compute plane support
C5	All regions	All regions with serverless
HIPAA	All regions	All regions with serverless
PCI-DSS	All regions	None
TISAX	All regions	All regions with serverless

For more information on compute plane architecture, see High-level architecture.

Supported preview features

Only the preview and beta features listed in this section are supported for workspaces with the compliance security profile enabled. All other preview or beta features are not supported.

The following table lists all supported preview and beta features:

• Most features are available for all compliance standards with the compliance security profile enabled.
• Features marked with a specific compliance standard (such as "HIPAA only") are only supported for workspaces configured with that compliance standard.
• Features marked "Serverless" are only avliable on the serverless compute plane. See Classic and serverless compute support by region.

Feature	Status	Compute	Notes
Workspace-level SCIM provisioning	Public Preview	Standard	Legacy feature. See Account-level and workspace-level SCIM provisioning.
Secret paths in environment variables	Public Preview	Standard
System tables that are in Public Preview	Public Preview	Standard
User-defined functions in Unity Catalog	Public Preview	Standard
Disable access to the Hive metastore	Public Preview	Standard
Dashboards in Git folder	Public Preview	Standard
Compute log delivery to volumes	Public Preview	Standard
Auto Loader support for file events	Public Preview	Standard
User authorization for Databricks Apps	Public Preview	Standard
Access requests in Unity Catalog	Public Preview	Standard
Governed tags	Public Preview	Standard
Bring your own data lineage	Public Preview	Standard
Data classification	Public Preview	Standard
ai_parse_document function	Public Preview	Standard
Unity Catalog attribute-based access control (ABAC)	Public Preview	Standard
Databricks One	Public Preview	Standard
Databricks SQL alerts	Public Preview	Standard
Data governance hub	Private Preview	Standard
High memory for serverless compute notebook tasks	Public Preview	Serverless
Serverless forecasting	Public Preview	Serverless
Serverless workspaces	Public Preview	Serverless
Serverless egress control	Public Preview	Serverless
Anomaly detection	Beta	Serverless
Serverless forecasting Python SDK	Private Preview	Serverless
LLM batch inference with ai_query	Public Preview	Standard	HIPAA only
ai_forecast()	Public Preview	Standard	HIPAA only
Genie Conversation API	Public Preview	Standard	HIPAA only
Databricks managed MCP servers	Beta	Serverless
External MCP servers	Beta	Serverless