// Trust & Security Report

    Databricks, Inc. logo

    Databricks, Inc.

    Databricks Data Intelligence Platform (lakehouse, AI/ML, data warehousing, governance) plus Lakebase, Unity Catalog, Agent Bricks, Genie, AI/BI, Mosaic AI / Foundation Model APIs

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO/IEC 27001:2022
    HELD

    Databricks is ISO 27001:2022 certified.

    Verify on databricks.com
    SOC 2 Type II
    HELD

    Databricks holds the following certifications: ISO 27001, ISO 27017, ISO 27018, and SOC 2 Type II. (SOC 2 Type II report available via the due diligence package)

    Verify on databricks.com
    ISO/IEC 27017
    HELD

    Databricks holds the following certifications: ISO 27001, ISO 27017, ISO 27018, and SOC 2 Type II.

    Verify on databricks.com
    ISO/IEC 27018
    HELD

    Databricks holds the following certifications: ISO 27001, ISO 27017, ISO 27018, and SOC 2 Type II.

    Verify on databricks.com
    PCI DSS
    HELD

    The company also offers compliance options for PCI-DSS, HIPAA, and FedRAMP. (PCI DSS available as a deployment/compliance option, not blanket across all tiers)

    Verify on databricks.com
    HIPAA
    HELD

    The company also offers compliance options for PCI-DSS, HIPAA, and FedRAMP. (HIPAA compliance offered as a deployment option)

    Verify on databricks.com
    FedRAMP
    HELD

    FedRAMP is a certification created by the US Government... Databricks offers FedRAMP compliance options. (offered on specific government/regulated deployments)

    Verify on databricks.com
    HITRUST / IRAP / ISMAP / GxP
    HELD

    Listed in compliance navigation as available for highly regulated industries, but not confirmed with a standalone certification statement on the pages reviewed; gated behind the due diligence package.

    Verify on databricks.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-cloud (AWS, Azure, GCP) with customer-selectable regions; international transfers covered by EU SCCs and EU-U.S./UK/Swiss Data Privacy Framework certification. Controller for EU/UK/Swiss is Databricks, Inc. (US).

    Databricks states: 'Databricks does not train generative foundation models with data you submit to these features' and 'Our model partners do not retain data you submit through these features, even for abuse monitoring.' For paid accounts, Databricks commits not to use inputs/outputs submitted to Model Serving to train its models or improve its services. Customer/Authorized User data uploaded to the Platform Services is governed by the customer agreement/DPA, not the website Privacy Notice. Note: marketing/website personal data may be processed with LLMs/AI 'in accordance with applicable law' per the Privacy Notice (separate from customer platform data).

    // Security controls

    Penetration testing

    We perform penetration testing through a combination of our in-house offensive security team, qualified third-party penetration testers and a year-round public bug bounty program (8-10 external and 15-20 internal pen tests annually).

    databricks.com

    Bug bounty

    Public bug bounty program facilitated by HackerOne; ~260 valid submissions awarded from ~150 researchers over three years.

    hackerone.com

    Encryption

    Any data stored within a Databricks workspace is AES-256 bit encrypted; all traffic between Databricks and model partners is encrypted in transit with industry standard TLS encryption. Customer-managed keys supported.

    docs.databricks.com

    Data Privacy Framework

    Databricks complies with the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. DPF as certified to the U.S. Department of Commerce (covers Databricks, Inc. and Neon, LLC).

    databricks.com

    DPA / Subprocessors / SCCs

    Data Processing Addendum with standard contractual clauses offered to customers; published subprocessor list and EU SCCs for transfers.

    databricks.com

    // Products & data scope

    Databricks Data Intelligence PlatformCloud data + AI/ML lakehouse platform

    data: Customer-uploaded data and Usage Data processed on customer's behalf; governed by the master customer agreement + DPA, not the website Privacy Notice. Runs in customer-selected cloud region.

    Core enterprise product. SOC 2 Type II, ISO 27001/27017/27018; HIPAA/PCI/FedRAMP available on qualifying deployments.

    Mosaic AI Model Serving / Foundation Model APIsLLM inference / generative AI

    data: Inputs/outputs not used to train Databricks models or improve services for paid accounts; model partners use zero-retention endpoints.

    Distinct AI data-use commitments documented separately; review Foundation Model APIs compliance page for region/model specifics.

    Databricks AI assistive features (Assistant, Genie, Agent Bricks)AI copilots / agents

    data: Databricks does not train generative foundation models on submitted data; model partners do not retain submitted data.

    Explicit no-training, no-retention statements on the AI trust doc.

    Unity CatalogData + AI governance

    data: Lineage, granular permissions, centralized auditing across data, models, dashboards, agents.

    Governance layer used for regulated-industry compliance posture.

    LakebaseServerless Postgres database

    data: Managed transactional Postgres integrated with lakehouse; inherits platform compliance scope.

    Newer product (built on Neon, also DPF-covered). Confirm cert scope coverage for net-new product if used for regulated data.

    Free Edition / Community / public forumsFree tier / community

    data: Content posted in Databricks Community / public forums is publicly viewable; website Privacy Notice applies to website-collected personal data.

    Lower assurance than enterprise contracted deployments; not for sensitive data.

    // What to watch

    • Several certs (HIPAA, PCI DSS, FedRAMP) are deployment/compliance OPTIONS tied to specific tiers or cloud regions, not blanket across every Databricks workspace - buyers must confirm their specific deployment is in scope.
    • Full SOC 2 Type II report, ISO certificate, and annual pen-test letter are gated behind a due diligence package / account team, not publicly downloadable.
    • Website Privacy Notice allows use of LLMs/AI on website/marketing personal data 'in accordance with applicable law' - distinct from the platform no-training commitment; do not conflate the two.
    • Lakebase is a newer product (built on Neon) - confirm certification scope coverage before placing regulated/sensitive data.

    // At a glance

    Pricing model

    Usage-based (DBU consumption) commercial contracts; Free Edition / 14-day trial available. No public flat per-seat SaaS pricing.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Databricks, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    databricks.com

    > Browse all vendor trust reports