Compliance security profile

This page describes the compliance security profile, its compliance controls, and supported features. To enable the compliance security profile, see Configure enhanced security and compliance settings.

Compliance security profile overview

The compliance security profile enables additional monitoring, enforced instance types for inter-node encryption, a hardened compute image, and other features and controls on Databricks workspaces.

Enabling the compliance security profile is required if you use Databricks to process data that is regulated under the following compliance standards:

• CCCS Medium (Protected B)
• DoD IL5
• FedRAMP High
• FedRAMP Moderate
• HIPAA
• Infosec Registered Assessors Program (IRAP)
• Korean Financial Security Institute (K-FSI)
• PCI-DSS
• UK Cyber Essentials Plus

You can also choose to enable the compliance security profile for its enhanced security features without conforming to a compliance standard.

If you enable this feature on any workspace, you are charged for the Enhanced Security and Compliance add-on as described on the pricing page.

important

• You are solely responsible for ensuring your own compliance with all applicable laws and regulations.
• You are solely responsible for ensuring that the compliance security profile and the appropriate compliance standards are configured before processing regulated data.
• If you add HIPAA, it is your responsibility before you process PHI data to have a BAA agreement with Databricks.

Compliance security profile security enhancements

Security enhancements include:

• A hardened operating system image based on Ubuntu Advantage, an enterprise-grade package of security and support for open source infrastructure and applications. Ubuntu Advantage includes:

  • A CIS Level 1 hardened image
  • FIPS 140 validated encryption modules

• Automatic cluster updates, ensuring clusters have the latest updates by periodically restarting them during configurable maintenance windows. See Automatic cluster update.

• Enhanced security monitoring, which includes monitoring agents that generate reviewable logs. See Monitoring agents in Databricks compute plane images.

• Enforced use of AWS Nitro instance types in clusters and Databricks SQL SQL warehouses.

• All egress communication uses TLS 1.2 or higher, including communication with the metastore.

Classic and serverless compute support

The compliance security profile determines which compliance standards are enforced for compute resources in both the classic and serverless compute planes.

Classic compute resources support a wide range of compliance standards across regions. Serverless compute resources (serverless SQL warehouses, serverless compute for notebooks and workflows, and serverless DLT pipelines) have more limited support depending on the compliance standard and region.

The table below lists which compliance standards are supported in each compute plane and the corresponding supported regions:

Compliance standard	Classic compute plane support	Serverless compute plane support
None	All regions	All regions with serverless
HIPAA	All regions	All regions with serverless
K-FSI	ap-northeast-2	None
PCI-DSS	All regions	us-east-1, ap-southeast-2, us-west-2
FedRAMP Moderate	us-east-1, us-east-2, us-west-1, us-west-2	us-east-1, us-west-2
FedRAMP High (AWS GovCloud)	us-gov-west-1	None
DoD IL5 (AWS GovCloud DOD)	us-gov-west-1	None
IRAP	ap-southeast-2	ap-southeast-2
CCCS Medium (Protected B)	ca-central-1	None
UK Cyber Essentials Plus	eu-west-2	None

See Compliance standards with serverless compute availability.

For more information on compute plane architecture, see Databricks architecture overview.

Supported preview features

Only the preview features listed in this section are supported for processing data regulated under compliance standards. All other preview features are not supported.

Public Preview features

• Workspace-level SCIM provisioning

  Workspace-level SCIM provisioning is a legacy feature. Databricks recommends using account-level SCIM provisioning instead.

• Secret paths in environment variables

• System tables that are in Public Preview

• User-defined functions in Unity Catalog

• Disable access to the Hive metastore

• Dashboards in Git folder

• Compute log delivery to volumes

• IAM credential passthrough

  Credential passthrough is deprecated starting with Databricks Runtime 15.0 and will be removed in future Databricks Runtime versions. Databricks recommends that you upgrade to Unity Catalog. Unity Catalog simplifies security and governance of your data by providing a central place to administer and audit data access across multiple workspaces in your account. See What is Unity Catalog?.

Private Preview features

• Unity Catalog attribute-based access control (ABAC)
• Tag policies
• DBFS disablement
• Document parsing
• Alerts v2

Preview features available only with serverless compute

These features are only supported with compliance standards that support the serverless compute plane. See Classic and serverless compute support.

Serverless Public Preview features

• Mosaic AI Gateway
• ServiceNow LakeFlow Connect connector
• Google Analytics LakeFlow Connect connector
• High memory for serverless compute notebook tasks
• Anomaly detection
• Serverless forecasting

• Serverless egress control

Serverless Private Preview features

• Serverless forecasting Python SDK

• Default Storage
• Private connectivity from the serverless compute to internal customer networks using a network load balancer

Additional preview features supported with HIPAA

HIPAA supports all of the preview features above and also the following additional preview features:

• LLM batch inference with ai_query

• ai_forecast()

• AI judges

• Genie Conversation API

• Delta Sharing cross-platform view sharing

• Lakeflow Connect column-level selection (Private Preview)