
Enterprise security reviews follow a predictable rhythm. Before a new vendor gets anywhere near production data, someone pulls out a questionnaire. Which compliance certifications do you hold? Are you HIPAA compliant? SOC 2? What about GDPR?
These are the right questions. But they are often answered in ways that obscure more than they reveal - a logo wall of certification badges with no explanation of scope, or a confident "yes" that does not quite match the detail buried in an annex.
Compliance certifications are a starting point, not a finish line for cloud compliance, database security, and enterprise data security. Understanding what each one actually covers - and, just as importantly, what it leaves to you - is what separates a fast, confident procurement process from one that stalls for months. All of SingleStore's certifications and controls are published openly at the SingleStore Security and Trust Center.
What the Certifications Actually Tell You
ISO/IEC 27001
An independently audited certification confirming that a vendor governs information security systematically. It covers how security is managed as an ongoing program, not just what controls exist at a point in time. The ISO/IEC 27001 standard is widely recognised as the global benchmark for information security management, database security governance, and enterprise data security practices.
SOC 2 Type 2
Particularly important for enterprise buyers. Unlike a Type 1 (a snapshot audit), a Type 2 report - as defined by the AICPA - covers an operating period, typically 6 to 12 months, confirming that security controls worked effectively throughout, not just on audit day. SingleStore holds SOC 2 Type 2.
HIPAA Type 1
Specific to organizations handling Protected Health Information (PHI). Independently assessed alignment with HIPAA requirements means the vendor has controls in place to support HIPAA-aligned workloads. Per HHS HIPAA guidance, compliance also depends on how you configure and use the platform - not just on the vendor holding the certification.
GDPR / CCPA / CPRA
These are regulatory frameworks, not traditional certifications. A vendor claiming GDPR or CCPA readiness is saying their platform and processes are designed to support your obligations under the regulation - including data subject rights, data minimization, and breach notification requirements. This is different from being compliant on your behalf.
PCI DSS
Compliance here involves a clearly defined shared responsibility model. The vendor secures the platform and underlying infrastructure. You, as the customer, are responsible for application design, cardholder data handling, and configuration. Both sides have defined obligations - and both must be fulfilled.
SingleStore Helios holds ISO/IEC 27001, SOC 2 Type 2, and HIPAA Type 1 certifications / attestations, and supports GDPR, CCPA/CPRA, and PCI DSS workloads. The complete controls and policies are published at the SingleStore Security and Trust Center.
Which Certifications Matter for Which Industries
Not every certification carries equal weight in every sector. Here is how the priorities map in practice:
Industry mapping at a glance
Financial services: SOC 2 Type 2 is the baseline. ISO 27001 adds credibility for European regulators. PCI DSS applies to any workload touching payment data.
Healthcare and life sciences: HIPAA is the primary requirement for any workload involving PHI. SOC 2 Type 2 remains important for the operational security layer.
Retail and e-commerce: PCI DSS is typically the first question. GDPR and CCPA/CPRA are increasingly relevant as data privacy regulations continue to expand.
Global enterprises across jurisdictions: ISO 27001 and GDPR readiness are the strongest cross-border signals, alongside clear data residency commitments.
The Shared Responsibility Model - What It Actually Means
This is where a lot of compliance conversations stall.
Every cloud platform operates on a shared responsibility model for enterprise data security. The vendor secures the platform. The customer secures how they use it. In practice, the boundary is often vague - which creates audit risk and extends procurement timelines.
SingleStore Helios is designed to minimize that ambiguity. The platform ships with strong database security defaults, which means customers start from a defensible posture rather than building one from scratch.
Default protections - active from day one
AES-256 encryption at rest using cloud-managed KMS keys (AWS, Azure, or GCP depending on the deployment region)
TLS 1.2 or above for all connections - including internal cluster traffic between leaf nodes and transfers to object storage
Public access removed by default - clusters are not exposed to the open internet without explicit configuration
IP allowlisting enforced at cluster creation - only approved addresses can communicate with your cluster
For PCI DSS specifically, the division of responsibility is clearly documented: SingleStore secures the platform infrastructure, and customers are responsible for application design, cardholder data handling, and environment configuration.
Assurance Is Not a One-Time Event
Certifications describe a moment in time. What matters for ongoing risk management is the process that maintains security between audits. SingleStore's approach aligns with the NIST Cybersecurity Framework and includes:
Independent audits and penetration tests at least annually for the Helios offering
Regular risk assessments and formal Secure SDLC practices embedded in the engineering process
Periodic disaster recovery exercises to validate that recovery objectives can actually be met
Security patches and updates applied automatically, with vulnerabilities tracked from identification to resolution within documented timeframes
A formal vulnerability disclosure program that engages the external security research community
A vendor willing to invite external researchers to find flaws - and to act on what they find - is signaling something meaningful about how seriously they take security as a continuous commitment.
A Practical Checklist for Your Next Vendor Security Review
When evaluating any cloud database vendor on compliance, these questions separate thorough answers from reassuring ones:
Which certifications do you hold, and what is the exact scope of each?
Is your SOC 2 a Type 1 or Type 2 report? For what time period?
How is shared responsibility defined in the contract, and where does your obligation as vendor end?
What security controls are active by default, and which require customer configuration?
How often do you conduct penetration tests, and are they performed by independent third parties?
Do you have a public vulnerability disclosure program?
What is your patch management process, and how quickly are critical findings resolved?
A vendor with a mature data security posture will have direct, specific answers to all of them.
Download the Full SingleStore Helios Cloud Security Whitepaper
The SingleStore Helios Cloud Security White Paper covers the complete security architecture in depth - including platform architecture, network security, identity and access management, cryptography, logging and monitoring, SDLC practices, and incident management.
This Article Is Part of a Series
Enterprise Security with SingleStore Helios - 7 articles exploring every layer of cloud database security. Links will be added as each article publishes.
1. The Compliance Question Enterprises Always Ask First (you are here)
2. Enterprise Identity, Your Way
3. Zero Trust Isn't a Checkbox
4. What Happens When Something Goes Wrong
5. The Encryption Control Spectrum
6. Why Shared Responsibility Isn't a Risk Transfer
7. Security Engineering, Not Just Security Features
Questions about security on SingleStore Helios? Contact security@SingleStore.com