Compliance controls available on AWS deployments
This article describes the enhanced security and compliance settings available for SAP Databricks accounts deployed on AWS.
The compliance security profile provides enhanced security and controls for your compliance needs. Enabling the compliance security profile is required to use SAP Databricks to process data that is regulated under the compliance standards listed in the table below.
Regional support for compliance standards
The compliance security profile is supported in all regions. Specific compliance standards have the following regional support:
Compliance standard | SAP Databricks regional support |
---|---|
HIPAA | All regions |
PCI-DSS | us-east-1, ap-southeast-2 |
FedRAMP Moderate | us-east-1 |
IRAP | ap-southeast-2 |
Enable compliance features on an existing workspace
Neither the compliance security profile nor individual compliance standards can be removed from a workspace if regulated data was previously processed in that workspace. You can delete the workspace and create a new workspace without the compliance security profile or with a different compliance standard.
Account admins can enable the compliance security profile and add compliance standards on a workspace.
- As an account admin, go to the account console.
- Click Workspaces.
- Click your workspace's name.
- Click Security and compliance.
- Next to Compliance security profile, click Configure.
- Toggle on Enabled, then select any compliance standards you would like to enforce, then click Save.
Set account-level compliance defaults for all new workspaces
Account admins can configure compliance settings to apply to all new workspaces in their account.
- As an account admin, go to the account console.
- In the sidebar, click Security.
- Click the Enhanced security and compliance tab.
- Next to Compliance security profile, click Configure.
- In the dialog box, toggle on Enabled, select one or more compliance standards (or select None), and click Save.
HIPAA
HIPAA compliance controls are supported for workspaces in all regions.
HIPAA applies to covered entities and business associates that create, receive, maintain, transmit, or access PHI. When a covered entity or business associate engages the services of a cloud service provider (CSP), such as SAP Databricks, the CSP becomes a business associate under HIPAA.
Business Associate Agreement (BAA) requirement for processing PHI
HIPAA and related regulations require organizations that handle protected health information (PHI) to meet specific safeguards. When a covered entity or business associate uses a cloud service provider (CSP) like SAP Databricks, the CSP is also considered a business associate.
As a result, when you enable HIPAA using the compliance security profile, you agree to Databricks' Business Associate Agreement (BAA) in the absence of a separately implemented version. To read the Databricks BAA, see Business Associate Agreement.
PCI DSS v4.0
Workspaces in us-east-1 and ap-southeast-2 can enable PCI DSS v4.0 compliance controls to provide enhancements that help with Payment Card Industry Data Security Standard (PCI DSS) v4.0 compliance for your workspace.
FedRAMP Moderate
Workspaces in us-east-1 can enable FedRAMP Moderate compliance controls to provide enhancements that help you with FedRAMP Moderate compliance for your workspace.
- Databricks is a FedRAMP® Authorized Cloud Service Offering (CSO) at the moderate impact level in the AWS US East-1 regions.
- US Government agencies can access the Databricks on AWS FedRAMP® package on OMB Max by completing a Package Access Request Form and submitting it to package-access@fedramp.gov.
- Additional information regarding Databricks and FedRAMP® compliance is located on the Databricks Security and Trust Center.
IRAP
Workspaces in ap-southeast-2 can enable IRAP compliance controls to provide enhancements that help you with Infosec Registered Assessors Program (IRAP) compliance for your workspace.
IRAP provides high-quality information and communications technology (ICT) security assessment services to the Australian government. IRAP provides a framework for assessing the implementation and effectiveness of an organization's security controls against the Australian government's security requirements. Databricks is IRAP certified.