Our security approach
Couchbase demonstrates a commitment to security at all levels of the organization, across top-down policies and direction from management, engineering developing secure products, an information security team responsible for governance and compliance management, and through to shared responsibilities across business units. Security is a team effort of all Couchbase employees.
Couchbase Capella™, our fully managed Database-as-a-Service (DBaaS) architecture is based on industry best practices for security and focused on three important pillars:
Verify Explicitly
Verify explicitly calls for strong identity authentication and explicit verification of access to data.
Least Privilege
Enforcement of least privilege access is applied to all credentials and secrets, ensuring strict access controls to sensitive data and actions.
Platform Monitoring
To prevent potential breaches, Capella implements a managed cloud intrusion detection system that involves 24x7 monitoring.
Critical Components
Privacy
Couchbase is committed to being transparent about how we collect, use, and protect data received and stored by our products and services. Please see the Couchbase Privacy Policy for more information.
Reliability
Couchbase’s architecture interweaves many technology elements that are vital to ensuring reliability and disaster tolerance to provide industry-leading high availability, at scale on a global basis.
Shared Responsibility
Although much of the security framework is in place and automated, customers are responsible for some initial configuration and ongoing security administration. See our Shared Responsibility Model to learn more.
Compliance
The Couchbase information security team has established a robust security program based on Couchbase’s identified risks, industry standards, and best practices (e.g., CIS Critical Security Controls, ISO 27002, NIST SP 800-53, SSAE 18 SOC 2 Trust Principles).
SOC 2
Couchbase Capella successfully completed a SOC 2 Type II audit and received an independent auditor’s report examining Capella's security, availability, and confidentiality controls. A copy of the report can be requested from our team.
GDPR
Couchbase works closely with European customers, through our products and services, to help enable customers’ GDPR compliance and meet data privacy and regulatory requirements.
HIPAA
Couchbase has successfully completed an independent review of Couchbase Capella for compliance with HIPAA requirements. While customers are responsible for confirming their own HIPAA compliance, Capella is ready for use with our customers' HIPAA compliant applications with an appropriate Business Associate Agreement (BAA) in place. Please contact us to execute a BAA with Couchbase.
PCI DSS
The Couchbase security framework encompasses data encryption and many other key elements to secure and protect data, in transit and at rest, within the payment card ecosystem. Couchbase Capella has achieved PCI DSS 4.0 attestation of compliance.
CSA STAR
Couchbase Capella has successfully completed a CSA STAR Level 2 certification for attestation of compliance, following an external security audit. The CSA STAR Level 2 certification underscores our dedication to exceeding security benchmarks.
Security whitepapers
Couchbase has a full suite of data security features for authentication, authorization, encryption, and auditing to meet the needs of your most critical and sensitive database workloads. Learn more from our security-focused whitepapers.
Security responses
Couchbase methodically analyzes security vulnerabilities and scores them according to the CVSS v3.1 standard. Once resolved, we then publish public advisories as standard CVE alerts into NIST’s National Vulnerability Database (NVD) and on our website at:
https://www.couchbase.com/alerts
Ready to create amazing customer experiences?
The easiest and fastest way to begin with Couchbase