Compliance

Estuary is compliant with many data regulations and industry standards and undergoes regular audits to track how we're doing. This document explores a few of the major standards in the regulatory landscape. Compliance reports are available on request.

SOC

System and Organization Controls (SOC) standards define proper data security, incident response, and access controls. SOC audits are performed by independent organizations to assess a company's security practices.

Estuary is SOC 2 Type II certified.

Different SOC audits focus on different areas of security and tend to be more or less relevant for specific types of companies and their audiences. Technology service companies like Estuary generally find SOC 2 to be the most relevant for their audience and service. The report type relates to duration: a Type I report covers controls at a single point in time, while a Type II report audits a company's compliance over an extended period of time.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) in the United States defines protections for healthcare information, stipulating data privacy requirements.

Estuary is HIPAA compliant with no exceptions. This means that Estuary meets the most rigorous HIPAA requirements.

Let us know if you're interested in using Estuary for a healthcare use case. Handling Protected Health Information (PHI) with Estuary requires:

  1. A private or BYOC (Bring Your Own Cloud) deployment, so data remains in your own private data plane
  2. A Business Associate Agreement (BAA) with Estuary

GDPR

The General Data Protection Regulation (GDPR) in the European Union provides specific data protections to individuals in the EU. This notably includes limiting the transfer of personal data outside the EU.

Estuary is fully GDPR compliant, and helps users achieve their own GDPR requirements: Estuary's regional data planes can process and store data completely within regional boundaries while a separate central control plane allows for consolidated management.

CCPA & CPRA

The California Consumer Privacy Act (CCPA) in the United States governs privacy rights and protections specific to California residents. The California Privacy Rights Act (CPRA) extends CCPA protections.

Estuary is fully CCPA and CPRA compliant and provides tools to help users achieve the same with their own data. Data fields that contain Personally Identifiable Information (PII) can be excluded from materializations or go through derivations that transform the data collection.