Trust Center

OceanBase is committed to making the management and use of massive data easier through technology. Data security has always been OceanBase's top priority. OceanBase has complete security procedures and security technologies, and has established professional security team and SRE reliability team. OceanBase invites authoritative third-party organizations to audit every year, and has obtained comprehensive attestations and certifications.

Security Feature

Identity Authentication

OceanBase supports a comprehensive identity authentication mechanism, with comprehensive password complexity strategies and login failure processing strategies.

Access Control

OceanBase supports complete role management and permission management strategies, and supports network whitelist functions, etc.

Communication Encryption

The communication between OceanBase components and between customer applications and OceanBase databases supports encrypted transmission.

Storage Encryption

OceanBase supports transparent data encryption (TDE), which automatically encrypts data when it is stored on disk and automatically decrypts it when it is read.

Diagnostics and Auditing

OceanBase supports comprehensive SQL diagnostic functions, which can view topsql, slowsql, suspicious sql, and high-risk sql. It also supports SQL auditing functions, which can save SQL execution records for a long time.

Security and Privacy

Cybersecurity

OceanBase has a professional security team responsible for the operation and management of network security, including network boundary management, host protection, vulnerability scanning, penetration testing, and emergency response after security incidents.

Data Security

OceanBase has established a complete process system covering the entire life cycle of data protection, and uses technical mechanism to safeguard the company's physical security, computer security and data security.

Sensitive Data Collection

OceanBase collects and uses users' personal data based on the principle of minimization, and safely stores the collected user data. Users can also contact us at any time to delete their personal data.

Employee Secuirty Training

OceanBase conducts background investigation/chekcs for its employee and requires employees who serve customers to take continuous security training.

Data Processing Addendum

Before purchasing OceanBase Cloud Services, customers need to sign Data Processing Addendum, which divides the responsibilities for processing personal data uploaded by customers to the database. As the controller of data, customers need to ensure that their data processing, data storage and data distribution comply with applicable laws and regulations.

Availability

SLA Commitment

Through the construction of various high-availability capabilities, OceanBase cloud service promises SLA of no less than 99.99%, for more detail information, please refer to Service Level Agreement.

Multi-cloud Deployment

To avoid the failure of a single cloud vendor affecting service availability, OceanBase cloud services support multi-cloud deployment. Currently, it supports mainstream cloud vendors in the industry, such as Alibaba Cloud, Tencent Cloud, Huawei Cloud, AWS Cloud, and GCP Cloud.

Multi-copy Deployment

OceanBase cloud service adopts multi-copy deployment, and the Paxos protocol is used to synchronize log data between multiple copies. When the primary copy is unavailable, the secondary copy supports autonomous election of the primary copy. Multiple copies can be deployed across data centers (availability zones), thus avoiding the impact of failure in a single data center (availability zone).

Active/standby Cluster

OceanBase cloud service supports cross-city (Region) master-slave cluster deployment. When the availability zone of the primary city is unavailable, the cluster in the backup city can be enabled to provide services, thereby achieving remote disaster recovery.

Compliance

Information security management system certification

ISO27001

ISO27001 stipulates the best practices for the establishment and implementation of information security management systems (ISMS).

OceanBase has perfected the management of the company's physical security, network security and data security. OceanBase invited the British Standards Institution (BSI) to review the company's information security management system and obtained the certificate.

Privacy information management certification

ISO27701

ISO27701 is a management system for privacy data protection and a guide for establishing, implementing, maintaining and continuously improving a privacy information management system (PIMS).

As a data controller, OceanBase complies with applicable laws and regulations in the collection, use and storage of personal data. As a data processor, OceanBase provides technical support for customers to process persoanl data. OceanBase provides a series of security capabilities to enhance the security of customer personal data and defines the responsibilities of OceanBase and its customers for data processing through data processing addendum. OceanBase invited the British Standards Institution (BSI) to review the company's privacy information management system and obtained the certificate.

Personal data in the cloud certification

ISO27018

ISO27018 provides best practices for personal data processors to protect personal data in public cloud environments.

OceanBase public cloud services provide database services to many customers. To protect the security of customer personal data, OceanBase has formulated a series of systems and established a dedicated SRE team and security team. OceanBase invited the British Standards Institution (BSI) to review the company's public cloud personal information protection management system and obtained the certificate.

Quality management system certification

ISO9001

ISO9001 certification is a globally recognized quality management system (QMS). ISO9001 provides a complete framework and methodology that can help companies provide customers with continuous high-quality products and services, and can also ensure that the company's daily management complies with legal and regulatory requirements.

OceanBase has implemented a quality management system (QMS) to safeguard the consistency of products and services. OceanBase invited CEPREI to review the company's quality management system and obtained the certificate.

Service management system certification

ISO20000

ISO20000 is an IT service management system (ITSM). ISO20000 manages IT issues through "IT service standardization", develops service plans based on service level agreements (SLAs), and monitors the implementation of service plans.

OceanBase provides an L1-L2-L3 level after-sales service system that can provide customers with 7*24 hours of uninterrupted service. OceanBase conducts customer service satisfaction surveys twice a year and makes continuous improvements based on the survey results. OceanBase invited CEPREI to review the company's service management system and obtained the certificate.

Business continuity management system certification

ISO22301

The ISO22301 management system framework can help enterprises develop an integrated management process, enable enterprises to identify and analyze potential disasters, and provide an effective management mechanism to prevent or offset these threats and reduce the losses caused by disasters to enterprises.

OceanBase completes business continuity risk assessments every year and develops emergency response plans for identified important risks. Oceanbase conducts regular drills based on the emergency response plans. OceanBase invited CEPREI to audit the company's business continuity management system and obtained the certificate.

System and organization controls2

SOC2 Tyep Ⅱ

SOC is formulated by the American Institute of Certified Public Accountants (AICPA) and covers five aspects: security, availability, confidentiality, integrity, and privacy. The purpose is to ensure that service providers can manage data securely and protect the privacy and interests of users.

OceanBase invites Ernst & Young as a third-party to audit corporate governance, security capabilities, operation and maintenance processes every year, and provide OceanBase cloud services with SOC Type II reports on security, availability, and confidentiality.

Payment card industry data security standard

PCI DSS

PCI DSS is an information security standard developed by the PCI Standards Security Council and is applicable to companies that transmit, store, and process cardholder data.

OceanBase invites Atsec as a third-party organization to audit the company's security governance every year. After the audit, it is determined that OceanBase cloud service complies with the PCI DSS standard and becomes a PCI DSS certified service provider. Therefore, if you need to pass the PCI DSS certification, after using the OceanBase cloud database service, you can submit the AOC report of the OceanBase cloud database to the Qualified Security Assessor which can simplify database testing.

Start Now with OceanBase

Get Started

Company

About OceanBase Contact Us

Product

OceanBase Dedicated OceanBase Database Quick Start Download Pricing

Resources

Docs Blog White Paper Trust Center