Dremio meets the IT control requirements for several compliance frameworks and certifications, as described below.
SOC 2 Type II Report
Dremio maintains compliance with the American Institute of Certified Public Accountants (AICPA) System and Organization Controls - Trust Services Criteria, commonly known as SOC 2.
SOC 2 Type II reports provide an in-depth analysis of cloud service providers regarding the safeguards a company uses to protect customer data and how these controls are performing overall. These reports are issued by independent, third-party auditors and cover the key points of Security, Availability, Confidentiality, and Privacy.
This independent assessment of Dremio Cloud provides a detailed report regarding the environments used to provide security and privacy of customer data overall. The report provide descriptions of these controls, the tests performed to assess their effectiveness, the results of said tests, and then an overall opinion regarding the design and operational effectiveness of the environments.
ISO 27001 Certification
ISO 27001 is an internationally recognized specification for an Information Security Management System (ISMS). ISO 27001 is the only auditable standard that deals with the overall management of information security, rather than just which technical controls to implement.
Obtaining ISO 27001:2013 certification demonstrates that Dremio employs a comprehensive framework of legal, physical, and technical controls for information risk management.
As part of the European Union, specific regulations exist that require companies to maintain compliance with GDPR. This governs the way user data is stored, processed, and utilized on Dremio Cloud. Specifically, this prevents the exploitation of user data and standardizes the data protection laws that services must follow throughout Europe.
Dremio maintains compliance with the California Consumer Privacy Act (CCPA), which regulates the handling of personal data and prevents any unauthorized use or sale. Please see Dremio's Privacy Notice For California Residents for additional information.
Adherence to CCPA by an organization ensures that California residents have the right to opt out of having their data sold to third parties, request disclosure of data collected, and request deletion of said data.
Dremio is compliant with the Health Insurance Portability and Accountability Act (HIPAA), a series of federal regulatory standards that outline the lawful use and disclosure of protected health information in the United States. HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).
Adherence to HIPAA ensures that healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities must implement multiple safeguards to protect sensitive personal and health information.