ClickHouse Information Security Addendum

Last modified on July 25, 2024

Archive versions here

This Information Security Addendum (the “Addendum”) sets forth the technical and organizational measures for the protection of Content processed by ClickHouse Cloud (if applicable) or data (if any) provided by Customer to ClickHouse in connection with the delivery of Support Services (if applicable) (collectively “Customer Information”). Capitalized terms not defined in this Addendum shall have the meanings set forth in the applicable agreement between Customer and ClickHouse for the delivery of ClickHouse Cloud and/or Support Services (the “Agreement”).

ClickHouse shall maintain an information security program that is designed to protect the security, confidentiality, and integrity of Customer Information (the "ClickHouse Information Security Program"). The ClickHouse Information Security Program will be implemented on an organization-wide basis. The ClickHouse Information Security Program will be designed to ensure ClickHouse’s compliance with data protection laws and regulations applicable to ClickHouse’s performance under the applicable Agreement (including any Data Processing Addendum), and shall include the safeguards set below, which substantially conform to the ISO/IEC 27002 control framework (the “ClickHouse Information Security Controls”).

1 AUDITS AND CERTIFICATIONS

1.1 Audits and Certifications. Engage independent third-party auditors to assess the ClickHouse Information Security Program as described in the following audits and certifications on at least an annual basis:

1.1.1 SOC 2 Type II

1.1.2 ISO 27001

2 SHARED RESPONSIBILITY

2.1 Shared Responsibility Model. ClickHouse adheres to a shared responsibility model that varies between ClickHouse Cloud and Bring-Your-Own-Cloud (“BYOC”) offerings. For ClickHouse Cloud, ClickHouse maintains specific security responsibilities, while customers are responsible for managing their data and access. In the BYOC model, customers retain additional responsibilities for cloud infrastructure security and management. Further delineation is described throughout this Addendum, and additional information is available in our Trust Center.

3 CUSTOMER DATA STORAGE LOCATION

3.1 ClickHouse Cloud. Create services for customers to upload data in customer-specified cloud providers and regions that are managed by ClickHouse, Inc. based on cloud provider and region availability.

3.2 Bring-Your-Own-Cloud (“BYOC”). Create services for customers to upload data in customer-provided cloud accounts. Services are managed by ClickHouse, Inc. and cloud accounts are managed by the Customer.

4 ORGANIZATIONAL CONTROLS

4.1 Governance. ClickHouse assigns to an individual or a group of individuals appropriate roles for developing, coordinating, implementing, and managing ClickHouse’s administrative, physical, and technical safeguards designed to protect the security, confidentiality, and integrity of Customer Information.

4.2 Security Personnel. ClickHouse uses data security personnel that are sufficiently trained, qualified, and experienced to be able to fulfill their information security-related functions.

4.3 Risk Assessments. ClickHouse conducts periodic risk assessments designed to analyze existing information security risks, identify potential new risks, and evaluate the effectiveness of existing security controls.

4.4 Risk Prioritization. ClickHouse maintains risk assessment processes designed to evaluate likelihood of risk occurrence and material potential impacts if risks occur.

4.5 Information Security Policies. ClickHouse creates information security policies, approved by management, published and acknowledged by all employees.

4.6 Information Security Policy Review. ClickHouse reviews and updates policies at planned intervals to maintain their continuing suitability, adequacy, and effectiveness.

4.7 Data Classification. ClickHouse maintains a data classification standard based on data criticality and sensitivity.

4.8 Data Retention and Destruction. ClickHouse maintains policies establishing data retention and secure destruction requirements.

4.9 Asset Ownership. ClickHouse implements procedures to clearly identify assets and assign ownership of those assets.

4.10 Compliance. ClickHouse establishes procedures designed to ensure all applicable statutory, regulatory, and contractual requirements are adhered to across the organization.

5 PEOPLE CONTROLS

5.1 Information Security Policy Acknowledgement. ClickHouse creates information security policies, approved by management, published and acknowledged by all employees.

5.2 Information Security Awareness Training. ClickHouse requires all employees to undergo security awareness training on an annual basis.

5.3 Personnel Agreements. ClickHouse requires personnel to sign confidentiality agreements and acknowledge ClickHouse’s information security policy, which includes acknowledging responsibilities for reporting security incidents involving Customer Information.

6 PHYSICAL SECURITY

6.1 Cloud Service Providers. For ClickHouse Cloud, ClickHouse uses Hosting Service Providers that have:

6.1.1. Physical Security. Implemented controls designed to restrict unauthorized physical access to areas containing equipment used to provide ClickHouse Cloud.

6.1.2 Environmental Security. Maintain equipment used to host the ClickHouse Cloud in physical locations that are designed to be protected from natural disasters, theft, unlawful and unauthorized physical access, problems with ventilation, heating or cooling, and power failures or outages.

7 TECHNOLOGICAL CONTROLS

7.1 Logical Access Control. ClickHouse maintains technical, logical, and administrative controls designed to limit access to Customer Information. Unique usernames and passwords are required for authentication.

7.2 Privileged Access Restriction. ClickHouse restricts privileged access to the Customer Data to authorized users with a business need.

7.3 Access Review. ClickHouse reviews personnel access rights on a regular and periodic basis. Access to production environments is reviewed at least quarterly.

7.4 Access Revocation. ClickHouse maintains policies requiring termination of access to Customer Information within 24 hours of employee termination.

7.5 Multi-Factor Authentication. ClickHouse implements access controls designed to authenticate users and limit access to Customer Information, including multi-factor authentication.

7.6 Cryptographic Key Management. ClickHouse implements encryption key management procedures.

7.7 Encryption in Transit. ClickHouse encrypts Customer Information in transit using a minimum of SSL with SHA 256 or TLS 1.2 with strong ciphers.

7.8 Encryption at Rest. ClickHouse encrypts Customer Information at rest using a minimum of AES-256 with strong ciphers.

7.8.1 Encryption Key Rotation. ClickHouse utilizes Hosting Service Provider managed keys that are rotated at least annually.

7.9 Separation of Environments. ClickHouse requires internal segmentation to isolate production systems hosting the Cloud Service from non-production environments.

7.10 Vulnerability Testing. ClickHouse performs periodic network, infrastructure, and application vulnerability testing.

7.11 Penetration Testing. ClickHouse performs network and application penetration testing at least annually.

7.12 Technical Vulnerability Management. ClickHouse implements procedures to document and address vulnerabilities discovered during vulnerability and penetration tests.

7.13 Network Security Reviews. ClickHouse requires periodic reviews and testing of network controls.

7.14 Workstation Security. ClickHouse centrally manages workstations via endpoint security solutions for deployment and management of end-point protections.

7.15 Local Separation of Customer Environments. For ClickHouse Cloud, customer environments are logically separated.

7.16 Change Management. ClickHouse assigns responsibility for security, changes and maintenance for all information systems processing Customer Information.

7.17 Change Authorization. For ClickHouse Cloud, ClickHouse tests, evaluates and authorizes major information system components prior to implementation for the Cloud Service.

7.18 Secure Development. ClickHouse maintains and follows a secure development lifecycle for the development of the software that is hosted and made available via ClickHouse Cloud.

7.19 System Monitoring. ClickHouse monitors the access, availability, capacity and performance of the Cloud Service, Support Services and Consulting Services systems, and related system logs and network traffic using various monitoring software and services.

7.20 Security Incident Response Procedures. ClickHouse maintains incident response procedures for identifying, reporting, and acting on Security Breaches.

7.21 Security Incident Reporting. If ClickHouse becomes aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Information, ClickHouse shall notify Customer without undue delay, and in any case, where feasible, notify Customer within 48 hours after becoming aware and in accordance with Section 7 of the Data Processing Addendum.

7.22 Security Incident Response Tabletop. ClickHouse exercises the incident response process on a periodic basis.

7.23 Security Incident Response Improvement. ClickHouse implements plans to address gaps discovered during incident response exercises.

7.24 Incident Response Team ClickHouse establishes a cross-disciplinary security incident response team.

7.25 Business Continuity Plans. ClickHouse establishes, documents, implements and maintains processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

7.26 Business Continuity Tests. ClickHouse conducts scenario-based testing annually.

8 BRING YOUR OWN CLOUD CUSTOMER OBLIGATIONS

8.1 BYOC Obligations. Customers deploying ClickHouse services to Customer-provided cloud service accounts are responsible for implementing the following controls in addition to or in place of the controls listed above, as indicated below.

8.1.1 Logical Access: Customers must implement Sections 7.1 Logical Access Control, 7.2 Privileged Access Restriction, 7.3 Access Review, 7.4 Access Revocation, and 7.5 Multi-Factor Authentication for users managed by the Customer. ClickHouse will manage these controls for ClickHouse managed users.

8.1.2 Operations Security: Customers must implement Sections 7.9 Separation of Environments, 7.10 Vulnerability Testing, 7.11 Penetration Testing, 7.12 Technical Vulnerability Management for components deployed by the Customer. ClickHouse will manage these controls for ClickHouse deployed components.

8.1.3 Information Security Incident Management. Customers must implement Sections 7.20 Security Incident Response Procedures, 7.22 Security Incident Response Tabletop, 7.23 Security Incident Response Improvement, 7.24 Incident Response Team for systems managed by the Customer. ClickHouse will manage these controls for ClickHouse deployed components.

8.1.4 Network Security Reviews and Testing. Customers must implement Section 7.13 Network Security Reviews for the BYOC environment. ClickHouse will manage the initial deployment for communications required by the environment.