“At Couchbase, we believe data is at the heart of the enterprise and robust security is vital to protecting it.”

Matt Cain
CEO, Couchbase

Our security approach

Couchbase demonstrates a commitment to security at all levels of the organization, across top-down policies and direction from management, engineering developing secure products, an information security team responsible for governance and compliance management, and through to shared responsibilities across business units. Security is a team effort of all Couchbase employees.

Couchbase Capella™, our fully managed Database-as-a-Service (DBaaS) architecture is based on industry best practices for security and focused on three important pillars:

Verify Explicitly

Verify explicitly calls for strong identity authentication and explicit verification of access to data.

Least Privilege

Enforcement of least privilege access is applied to all credentials and secrets, ensuring strict access controls to sensitive data and actions.

Platform Monitoring

To prevent potential breaches, Capella implements a managed cloud intrusion detection system that involves 24x7 monitoring.

Critical Components


Couchbase is committed to being transparent about how we collect, use, and protect data received and stored by our products and services. Please see the Couchbase Privacy Policy for more information.


Couchbase’s architecture interweaves many technology elements that are vital to ensuring reliability and disaster tolerance to provide industry-leading high availability, at scale on a global basis.

Shared Responsibility

Although much of the security framework is in place and automated, customers are responsible for some initial configuration and ongoing security administration. See our Shared Responsibility Model to learn more.


The Couchbase information security team has established a robust security program based on Couchbase’s identified risks, industry standards, and best practices (e.g., CIS Critical Security Controls, ISO 27002, NIST SP 800-53, SSAE 18 SOC 2 Trust Principles).


Couchbase Capella successfully completed a SOC 2 Type II audit and received an independent auditor’s report examining Capella's security, availability, and confidentiality controls. A copy of the report can be requested from our team.


Couchbase works closely with European customers, through our products and services, to help enable customers’ GDPR compliance and meet data privacy and regulatory requirements.


Couchbase has successfully completed an independent review of Couchbase Capella for compliance with HIPAA requirements. While customers are responsible for confirming their own HIPAA compliance, Capella is ready for use with our customers' HIPAA compliant applications with an appropriate Business Associate Agreement (BAA) in place. Please contact us to execute a BAA with Couchbase.


The Couchbase security framework encompasses data encryption and many other key elements to secure and protect data, in transit and at rest, within the payment card ecosystem. Couchbase Capella has achieved PCI DSS 4.0 attestation of compliance.


Couchbase Capella has successfully completed a CSA STAR Level 2 certification for attestation of compliance, following an external security audit. The CSA STAR Level 2 certification underscores our dedication to exceeding security benchmarks.

Security responses

Couchbase methodically analyzes security vulnerabilities and scores them according to the CVSS v3.1 standard. Once resolved, we then publish public advisories as standard CVE alerts into NIST’s National Vulnerability Database (NVD) and on our website at:

Ready to create amazing customer experiences?

The easiest and fastest way to begin with Couchbase