ClickHouse Information Security Addendum

Last modified on November 20, 2023

Archive versions here

This Addendum sets forth the technical and organizational measures for the protection of Content processed by ClickHouse Cloud (if applicable) or data (if any) provided by Customer to ClickHouse in connection with the delivery of Support Services (if applicable) (collectively “Customer Information”). Capitalized terms not defined in this Addendum shall have the meanings set forth in the applicable agreement between Customer and ClickHouse for the delivery of ClickHouse Cloud and/or Support Services (the “Agreement”).

ClickHouse shall maintain an information security program that is designed to protect the security, confidentiality, and integrity of Customer Information (the "ClickHouse Information Security Program"). The ClickHouse Information Security Program will be implemented on an organization-wide basis. The ClickHouse Information Security Program will be designed to ensure ClickHouse’s compliance with data protection laws and regulations applicable to ClickHouse’s performance under the applicable Agreement (including any Data Processing Addendum), and shall include the safeguards set below, which substantially conform to the ISO/IEC 27002 control framework (the “ClickHouse Information Security Controls”).

1. Governancea. Assign to an individual or a group of individuals appropriate roles for developing, coordinating, implementing, and managing ClickHouse’s administrative, physical, and technical safeguards designed to protect the security, confidentiality, and integrity of Customer Information.

b. Use data security personnel that are sufficiently trained, qualified, and experienced to be able to fulfill their information security-related functions.
2. Risk Assessmenta. Conduct periodic risk assessments designed to analyze existing information security risks, identify potential new risks, and evaluate the effectiveness of existing security controls.

b. Maintain risk assessment processes designed to evaluate likelihood of risk occurrence and material potential impacts if risks occur.
3. Information Security Policiesa. Create information security policies, approved by management, published and acknowledged by all employees.

b. Review and update policies at planned intervals to maintain their continuing suitability, adequacy, and effectiveness.
4. HR Securitya. Maintain policies requiring reference checks of any new employee who will have access to Customer Information, subject to local law.

b. Require all employees to undergo security awareness training on an annual basis.
5. Asset Managementa. Maintain a data classification standard based on data criticality and sensitivity.

b. Maintain policies establishing data retention and secure destruction requirements.

c. Implement procedures to clearly identify assets and assign ownership of those assets.
6. Access Controlsa. Maintain technical, logical, and administrative controls designed to limit access to Customer Information.

b. Restrict privileged access to the Customer Data to authorized users with a business need.

c. Review personnel access rights on a regular and periodic basis.

d. Maintain policies requiring termination of access to Customer Information after termination of an employee.

e. Implement access controls designed to authenticate users and limit access to Customer Information, including multi-factor authentication.
7. Cryptographya. Implement encryption key management procedures.

b. Encrypt Customer Information in transit and at rest using a minimum of AES-256 bit ciphers.
8. Physical Securitya. For Cloud Services, use Hosting Service Providers that have:

. i. Implemented controls designed to restrict unauthorized physical access to areas containing equipment used to provide the Cloud Services.

. ii. Maintain equipment used to host the Cloud Services in physical locations that are designed to be protected from natural disasters, theft, unlawful and unauthorized physical access, problems with ventilation, heating or cooling, and power failures or outages.
9. Operations Securitya. Require internal segmentation to isolate production systems hosting the Cloud Service from non-production networks.

b. Perform periodic network, infrastructure, and application vulnerability testing.

c. Perform periodic network and application penetration testing.

d. Implement procedures to document and address vulnerabilities discovered during vulnerability and penetration tests.
10. Communications Securitya. Require periodic reviews and testing of network controls.

b. Centrally manage workstations via endpoint security solutions for deployment and management of end-point protections.

c. For Cloud Services, customer environments are logically separated.
11. System Acquisition, Development, Maintenancea. Assign responsibility for security, changes and maintenance for all information systems processing Customer Information.

b. For Cloud Services, test, evaluate and authorize major information system components prior to implementation for the Cloud Service.

c. Maintain and follow a secure development lifecycle for the development of the software that is hosted and made available via the Cloud Services.
12. Information Security Incident Managementa. Monitor the access, availability, capacity and performance of the Cloud Service, Support Services and Consulting Services systems, and related system logs and network traffic using various monitoring software and services.

b. Maintain incident response procedures for identifying, reporting, and acting on Security Breaches.

c. Exercise the incident response process on a periodic basis.

d. Implement plans to address gaps discovered during incident response exercises.

e. Establish a cross-disciplinary security incident response team.
13. Business Continuity Managementa. Establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

b. Conduct scenario-based testing annually.
14. Compliancea. Establish procedures designed to ensure all applicable statutory, regulatory, and contractual requirements are adhered to across the organization.