Security overview
Aiven’s security architecture follows defense-in-depth principles:Data Encryption
- At rest: LUKS full-disk encryption
- In transit: TLS 1.2+ for all connections
- Backups: AES-256 + RSA encryption
- Key rotation: Automatic with upgrades
Network Security
- TLS-only connections, no plaintext
- VPC peering for private connectivity
- IP allowlisting
- Dynamic firewall protection
Access Control
- Role-based access control (RBAC)
- SSO and SAML support
- Two-factor authentication
- Application users for automation
Compliance
- SOC 2 Type II
- ISO 27001
- HIPAA
- PCI DSS
- GDPR compliant
Data encryption
Aiven encrypts data at every stage - at rest, in transit, and in backups.Encryption at rest
All service instances use full-disk encryption:LUKS encryption
- Algorithm: AES-XTS-Plain64 with SHA256
- Key size: 512-bit encryption key
- Mode: LUKS2 default configuration
Ephemeral keys
- Randomly generated per instance and volume
- Never reused across instances
- Destroyed when instance terminates
Automatic key rotation
- Keys rotated during maintenance updates
- Rolling upgrades create new instances with new keys
- Old instances and keys destroyed
Encryption in transit
All connections to and between Aiven services use TLS encryption:- Client connections: TLS 1.2+ required, no plaintext option
- Service-to-service: TLS or IPsec for inter-VM communication
- Strong cipher suites: AES-256-GCM, ChaCha20-Poly1305
- Perfect forward secrecy: ECDHE key exchange
Backup encryption
Service backups are encrypted with multiple layers:File encryption
- Algorithm: AES-256 in CTR mode
- Key size: 256-bit
- Integrity: HMAC-SHA256
- Per-file keys: Random key for each backup segment
Key encryption
- Algorithm: RSA
- Key size: 3072-bit RSA key pair
- Key generation: Random per service
- Key storage: Encrypted in backup header
Storage location
- Same region as service (default)
- Cross-region backup available
- Cloud provider object storage (S3, GCS, Azure Blob)
Bring Your Own Key (BYOK)
For enhanced control, use your own encryption keys:- Customer-managed keys: Use keys from your KMS
- AWS KMS, GCP KMS, Azure Key Vault: Integration available
- Key rotation: You control rotation schedule
- Access audit: Full audit trail in your KMS
Network security
Connection security
All network connections are secured:- Client Connections
- Service-to-Service
- Mandatory TLS: No plaintext connections allowed
- Certificate validation: CA certificates available
- IP filtering: Restrict access by source IP
- VPC peering: Private network connectivity
VPC and network isolation
Enhanced security with private networking:VPC Peering
- No public internet exposure
- Private IP addressing
- Direct cloud provider network connection
- Supported: AWS, GCP, Azure, UpCloud
Dedicated VMs
- One customer per VM
- Data never leaves VM (except backups)
- VMs destroyed after use
- Fresh VMs for upgrades
Firewall protection
Dynamic firewall rules protect each service:Virtual machines and infrastructure
Cloud provider accounts
Aiven services run in Aiven-managed cloud accounts:- Aiven-controlled: Cloud accounts managed by Aiven operations
- Customer isolation: Customers cannot access Aiven cloud accounts
- Multi-cloud: Services across AWS, GCP, Azure, DigitalOcean, UpCloud
- Region selection: Customer chooses deployment regions
Virtual machine security
Dedicated VMs
- One customer per virtual machine
- No multi-tenancy at VM level
- Data isolation guaranteed
Availability zones
- VMs distributed across AZs
- High availability and fault tolerance
- Region-dependent (2-3+ AZs)
VM lifecycle
- VMs never reused
- Destroyed during upgrades
- Full disk wipe on termination
- New VMs for each deployment
Operator access
- Automatic operations: No manual intervention normally required
- Troubleshooting access: Operations team can securely log in
- Audit logging: All operator access logged
- Customer data privacy: Operators never access customer data unless requested
- No customer access: Customers cannot access VM level
Access control
Authentication
Multiple authentication methods with centralized control:- Passwords + 2FA: Email/password with optional/required two-factor
- Social login: Google, Microsoft, GitHub
- SAML SSO: Enterprise identity providers (Okta, Azure AD, etc.)
- Authentication policies: Organization-wide control
- Token authentication: Personal and application tokens
Role-based access control (RBAC)
Granular control over who can do what:- Organization Level
- Project Level
- Service Level
- Super Admin (full access)
- Organization Admin (full except delete org)
- Custom permissions (billing, users, networking)
Managed users
Centralized user management with verified domains:- Centralized lifecycle management
- Cannot create new organizations
- Profile managed by org admins
- Visible to org even before joining
Compliance and certifications
Aiven maintains industry-leading compliance certifications:Certifications
SOC 2 Type II
- Annual audit by independent assessor
- Security, availability, confidentiality
- Reports available to customers
ISO 27001
- Information security management
- International standard
- Regularly audited and certified
HIPAA
- Healthcare data protection
- Business Associate Agreement (BAA) available
- For Advanced and Premium tiers
PCI DSS
- Payment card data security
- Level 1 service provider
- For qualifying deployments
Data privacy regulations
GDPR Compliance
- EU data protection regulation
- Data processing agreement available
- Data residency options
- Right to erasure implemented
CCPA Compliance
- California consumer privacy
- Data transparency and control
- Opt-out mechanisms
Data residency
- Deploy in any supported region
- Data stays in chosen region
- Backup storage in same region (default)
- Cross-region backup optional
Enhanced Compliance Environment
For strict compliance requirements:- Additional controls: Enhanced security measures
- Dedicated infrastructure: Isolated environment
- Stricter policies: Additional restrictions
- Compliance support: Dedicated assistance
- Available for: HIPAA, PCI DSS, and other regulations
Audit and monitoring
Audit logs
Track all actions in your organization:- Organization Logs
- Project Logs
- Service Logs
Security monitoring
Continuous monitoring for security events:- Anomaly detection: Unusual access patterns
- Failed login tracking: Multiple failed authentication attempts
- Token leaks: GitHub secret scanning partnership
- Vulnerability scanning: Regular security assessments
- Penetration testing: Independent third-party testing
Software Bill of Materials (SBOM)
Transparency into software components:Data protection
Customer data privacy
Aiven’s commitment to data privacy:No data access
- Operators never access customer data
- Exception: Explicit customer request for troubleshooting
- All access logged and audited
Data processing agreement
- Available for GDPR compliance
- Defines data processing terms
- Customer remains data controller
Token leak protection
- Partnership with GitHub secret scanning
- Automatic detection of leaked tokens
- Email notification to customers
- Recommendation to rotate tokens
Training and policies
- Mandatory security training for operations team
- Regular policy reviews and updates
- Strict data privacy policies
Data retention and deletion
- Service Data
- Backups
- Logs
- Stored for service lifetime
- Deleted when service terminated
- Backups retained per backup policy
- VMs destroyed and wiped
Security best practices
Enable VPC peering
Use IP allowlists
Verify your domain
Require SAML SSO
Enforce 2FA
Use application users
Rotate tokens regularly
Principle of least privilege
Enable service integrations for logs
Regular security audits
Monitor audit logs
Use termination protection
Incident response
Reporting security issues
If you discover a security vulnerability:Aiven’s incident response
How Aiven handles security incidents:Detection
- Automated monitoring and alerts
- Customer reports
- Vulnerability disclosures
Assessment
- Severity evaluation
- Impact analysis
- Affected services identification
Containment
- Immediate threat mitigation
- Service isolation if needed
- Prevent spread
Remediation
- Fix underlying vulnerability
- Deploy patches
- Verify resolution
Communication
- Customer notification
- Status page updates
- Incident reports for serious issues
Post-incident review
- Root cause analysis
- Process improvements
- Documentation updates
Time synchronization
Accurate time across all services:- NTP servers: Cloud provider trusted NTP
- Backend services: Synchronized time
- Customer services: Synchronized time
- Region-specific: NTP servers in deployment region