VeloDB Cloud 26.x·Apache Doris 4.x (≤ 4.0 supported)·"Since X.Y" tags refer to Doris versionsversion mapping →
Security Overview
VeloDB Cloud is a managed data warehouse built on Apache Doris. Security spans two layers that this section presents together as a single model: the VeloDB Cloud control plane (organizations, accounts, the console, and managed infrastructure) and the warehouse engine (database users, roles, encryption, and the audit log). You control both through the console and through SQL; you do not operate the underlying infrastructure unless you run a BYOC deployment.
VeloDB Cloud holds a SOC 2 Type II report. For reports and current trust materials, see Compliance & Trust and the VeloDB Trust Center.
Shared responsibility
Security is shared across three parties:
- The cloud provider secures the underlying infrastructure in every deployment, including the physical data centers, hardware, and hypervisor.
- VeloDB Cloud secures the warehouse service. In a SaaS deployment, VeloDB Cloud manages the cloud account, the warehouse engine and platform, encryption, and patching. In a BYOC deployment, VeloDB Cloud manages only the warehouse software and its operation inside your cloud account.
- You secure your data, identities, roles and permissions, network exposure, and console access. In a BYOC deployment, you also own the cloud account and all of its resources, and data and compute stay in your VPC.
For the BYOC boundary in detail, see BYOC Security.
Find your topic
| Domain | What it covers | Start here |
|---|---|---|
| Compliance & Trust | VeloDB Cloud holds SOC 2 certification and publishes its security program and trust materials for vendor assessments. | Compliance & Trust |
| Identity & Access | You control who can sign in to the console and what each database user can do inside a warehouse. | Identity and Access |
| Network Security | You choose whether a warehouse is reachable over the public network or only over a private connection, and you restrict where connections can originate. | Network Security |
| Encryption | VeloDB Cloud encrypts your data at rest and lets you add a warehouse-level layer with your own key. How data is protected in transit depends on the connection path and protocol. | Encryption at Rest |
| Auditing | You can review who changed organization settings and who ran SQL, and collect the evidence a security review needs. | Audit Logging |
| BYOC Security | You run the warehouse inside your own cloud account, so this section explains the ownership boundary and how to operate it safely. | BYOC Security |