Security and compliance
Protection against unauthorized access
IBM Cloud® Databases for PostgreSQL use the following methods to protect data in transit or in storage.
- All Databases for PostgreSQL connections use TLS/SSL encryption for data in transit. The current supported version of this encryption is TLS 1.2.
- Access to the Account, Management Console UI, and API is secured via Identity and Access Management (IAM).
- Access to the database is secured through the standard access controls provided by the database. These access controls are configured to require valid database-level credentials that are obtainable only through prior access to the database or through our Management Console UI or API.
- All Databases for PostgreSQL storage is provided on storage encrypted with LUKS using AES-256. The default keys are managed by Key Protect. Bring-your-own-key (BYOK) for encryption is also available through Key Protect Integration.
- CBR (Context-based restriction) - Protect your Cloud Databases resource with conext-based restriction (CBR)
- IP allowlisting (deprected) - All deployments support allowlisting IP addresses to restrict access to the service.
- Public and Private Networking - Databases for PostgreSQL is integrated with Service Endpoints. You can select whether to use connections over the public network, the IBM Cloud internal network, or both.
Data resilience
- Backups are included in the service. Databases for PostgreSQL backups reside in IBM Cloud Object Storage and are also encrypted.
- Databases for PostgreSQL deployments are configured with replication. Deployments contain a cluster with two data members. Both members contain a copy of your data by using asynchronous replication, with a distributed consensus mechanism to maintain cluster state and handle failovers.
- If you deploy to an IBM Cloud Single-Zone Region (SZR), each database member resides on a different host in the data center.
- If you deploy to an IBM Cloud Multi-Zone Region (MZR), the members are spread over the region's availability zone locations.
SOC 2 Type 2 certification
IBM provides a Service Organization Controls (SOC) 2 Type 2 report for Databases for PostgreSQL. The reports evaluate IBM's operational controls according to the criteria set by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. The Trust Services Principles define adequate control systems and establish industry standards for service providers such as IBM Cloud to safeguard their customers' data and information.
You can request an SOC 2 Type 2 report from the customer portal or contact your sales representative. Alternatively, you can open a support ticket with IBM Cloud support
ISO 27017, ISO 27018
Databases for PostgreSQL conforms to the guidelines for information security controls applicable to the provision and use of cloud services as defined in ISO 27017 and ISO 27018.
General Data Protection Regulation (GDPR)
If you have an account with IBM Cloud, your personal data is held by IBM Cloud. The IBM Data Processing Addendum (DPA) applies to the processing of client's personal data by IBM on behalf of client to provide IBM standard services.
IBM DPA
Databases for PostgreSQL processes limited client Personal Information (PI) in the course of running the service and optimizing the user experience.
Databases for PostgreSQL provides a Data Sheet Addendum (DSA) with its policies as a Data Processor regarding content and data protection.
HIPAA
Databases for PostgreSQL meets the required IBM controls that are commensurate with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Privacy Rule requirements. These requirements include the appropriate administrative, physical, and technical safeguards required of Business Associates in 45 CFR Part 160 and Subparts A and C of Part 164. HIPAA must be requested at the time of provisioning and requires a representative to sign a Business Associate Addendum (BAA) agreement with IBM.
PCI DSS
Databases for PostgreSQL are compliant with the Payment Card Industry Data Security Standard (PCI DSS). IBM Cloud completes annual PCI DSS assessments by using an approved Qualified Security Assessor (QSA), and the resulting Attestations of Compliance (AOCs) and Service Responsibility Matrix (SRM) guides are available upon customer request. Auditors reviewed Databases for PostgreSQL for compliance under PCI DSS version 3.2.1 at Service Provider Level 1.
Customers are responsible for the storing, processing, and transmission of their cardholder data, and can create cardholder data environments (CDEs) that can store, transmit, or process cardholder data by using Databases for PostgreSQL. Customers can request and use the IBM Cloud AOCs and SRM guides when they seek their own PCI DSS certifications. It is the responsibility of the customer to document and operate CDEs and applications that are built by using IBM Cloud Platform services in a PCI DSS-compliant manner.
It is the customer’s responsibility to familiarize themselves with these processes and to manage data retention and removal from the service according to the customer’s policies.
A full list of PCI DSS-ready IBM Cloud Platform services, and options to request a PCI DSS AOC and SRM guide, can be found at the IBM Cloud compliance page.