Security & Compliance

Hosting

All customer data is hosted exclusively in the region you select. Customer data inserted into one region remains in that region, except when requested by the customer via the turbopuffer API. Customer data and usage data are always encrypted in transit with TLS 1.2+. Customer data is always encrypted at rest with AES-256 in Google Cloud Storage, and optionally with a customer's key.

SOC2

turbopuffer undergoes System and Organization Controls (SOC) 2 Type 2 audits of the design and operational effectiveness of security and availability controls.

You can request a copy of the latest SOC 2 report and Penetration Test from our Trust Center.

HIPAA

Customers who wish to store protected health information (PHI) in turbopuffer may request a business associate agreement (BAA) with turbopuffer under which turbopuffer commits to HIPAA compliance.

Contact us at info@turbopuffer.com if you require a BAA.

Vulnerability Disclosure

See our Vulnerability Disclosure policy.

Customer managed encryption (CMEK)

turbopuffer offers support for customer managed encryption keys (CMEK), allowing enterprise customers to ensure their data is encrypted using keys from their Key Management System (KMS)/Enterprise Key Manager (EKM). This also allows a customer's customers to use their own KMS to encrypt their data, because the encryption key is defined at the namespace level.

Contact us at info@turbopuffer.com if you require Customer Managed Encryption.

Subprocessors for Customer Data

| Subprocessor | Purpose of Processing | Subprocessor Country | Data Hosting Location |
|---|---|---|---|
| Google LLC (GCP) | Compute and storage | United States | Customer-selected region |
| Amazon Web Services (AWS) | Compute and storage | United States | Customer-selected region |

Subscribe to subprocessor update notifications to be informed when we engage new customer data subprocessors.

Subprocessors for Usage Data

Usage data is collected primarily for billing, analytical, and observability purposes and does not contain customer data.

| Subprocessor | Purpose of Processing | Location |
|---|---|---|
| PlanetScale | Anonymized usage data for billing and analytics | USA |
| Datadog | Monitoring, logging, and performance metrics | USA |
| Orb | Usage-based billing and subscription management | USA |
| Polar Signals | CPU and Memory performance analysis | USA |
| Hex | Data analytics workspace | USA |
| Slack | Internal chat and messaging | USA |
| Vercel | Frontend hosting | USA |
| WorkOS | Authentication and organization management | USA |
| Stripe | Payment processing | USA |
| Resend | Email notifications | USA |