// Trust & Security Report
Databricks, Inc.
Databricks Data Intelligence Platform (lakehouse, AI/ML, data warehousing, governance) plus Lakebase, Unity Catalog, Agent Bricks, Genie, AI/BI, Mosaic AI / Foundation Model APIs
Certifications held
8
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on databricks.com“Databricks holds the following certifications: ISO 27001, ISO 27017, ISO 27018, and SOC 2 Type II. (SOC 2 Type II report available via the due diligence package)”
Verify on databricks.com“Databricks holds the following certifications: ISO 27001, ISO 27017, ISO 27018, and SOC 2 Type II.”
Verify on databricks.com“Databricks holds the following certifications: ISO 27001, ISO 27017, ISO 27018, and SOC 2 Type II.”
Verify on databricks.com“The company also offers compliance options for PCI-DSS, HIPAA, and FedRAMP. (PCI DSS available as a deployment/compliance option, not blanket across all tiers)”
Verify on databricks.com“The company also offers compliance options for PCI-DSS, HIPAA, and FedRAMP. (HIPAA compliance offered as a deployment option)”
Verify on databricks.com“FedRAMP is a certification created by the US Government... Databricks offers FedRAMP compliance options. (offered on specific government/regulated deployments)”
Verify on databricks.com“Listed in compliance navigation as available for highly regulated industries, but not confirmed with a standalone certification statement on the pages reviewed; gated behind the due diligence package.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multi-cloud (AWS, Azure, GCP) with customer-selectable regions; international transfers covered by EU SCCs and EU-U.S./UK/Swiss Data Privacy Framework certification. Controller for EU/UK/Swiss is Databricks, Inc. (US).
Databricks states: 'Databricks does not train generative foundation models with data you submit to these features' and 'Our model partners do not retain data you submit through these features, even for abuse monitoring.' For paid accounts, Databricks commits not to use inputs/outputs submitted to Model Serving to train its models or improve its services. Customer/Authorized User data uploaded to the Platform Services is governed by the customer agreement/DPA, not the website Privacy Notice. Note: marketing/website personal data may be processed with LLMs/AI 'in accordance with applicable law' per the Privacy Notice (separate from customer platform data).
// Security controls
Penetration testing
We perform penetration testing through a combination of our in-house offensive security team, qualified third-party penetration testers and a year-round public bug bounty program (8-10 external and 15-20 internal pen tests annually).
databricks.comBug bounty
Public bug bounty program facilitated by HackerOne; ~260 valid submissions awarded from ~150 researchers over three years.
hackerone.comEncryption
Any data stored within a Databricks workspace is AES-256 bit encrypted; all traffic between Databricks and model partners is encrypted in transit with industry standard TLS encryption. Customer-managed keys supported.
docs.databricks.comData Privacy Framework
Databricks complies with the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. DPF as certified to the U.S. Department of Commerce (covers Databricks, Inc. and Neon, LLC).
databricks.comDPA / Subprocessors / SCCs
Data Processing Addendum with standard contractual clauses offered to customers; published subprocessor list and EU SCCs for transfers.
databricks.com// Products & data scope
data: Customer-uploaded data and Usage Data processed on customer's behalf; governed by the master customer agreement + DPA, not the website Privacy Notice. Runs in customer-selected cloud region.
Core enterprise product. SOC 2 Type II, ISO 27001/27017/27018; HIPAA/PCI/FedRAMP available on qualifying deployments.
data: Inputs/outputs not used to train Databricks models or improve services for paid accounts; model partners use zero-retention endpoints.
Distinct AI data-use commitments documented separately; review Foundation Model APIs compliance page for region/model specifics.
data: Databricks does not train generative foundation models on submitted data; model partners do not retain submitted data.
Explicit no-training, no-retention statements on the AI trust doc.
data: Lineage, granular permissions, centralized auditing across data, models, dashboards, agents.
Governance layer used for regulated-industry compliance posture.
data: Managed transactional Postgres integrated with lakehouse; inherits platform compliance scope.
Newer product (built on Neon, also DPF-covered). Confirm cert scope coverage for net-new product if used for regulated data.
data: Content posted in Databricks Community / public forums is publicly viewable; website Privacy Notice applies to website-collected personal data.
Lower assurance than enterprise contracted deployments; not for sensitive data.
// What to watch
- Several certs (HIPAA, PCI DSS, FedRAMP) are deployment/compliance OPTIONS tied to specific tiers or cloud regions, not blanket across every Databricks workspace - buyers must confirm their specific deployment is in scope.
- Full SOC 2 Type II report, ISO certificate, and annual pen-test letter are gated behind a due diligence package / account team, not publicly downloadable.
- Website Privacy Notice allows use of LLMs/AI on website/marketing personal data 'in accordance with applicable law' - distinct from the platform no-training commitment; do not conflate the two.
- Lakebase is a newer product (built on Neon) - confirm certification scope coverage before placing regulated/sensitive data.
// At a glance
Pricing model
Usage-based (DBU consumption) commercial contracts; Free Edition / 14-day trial available. No public flat per-seat SaaS pricing.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Databricks, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
databricks.com