Dremio Cloud Appendix

With respect to Customer’s purchase and/or use of Dremio Cloud, the following additional terms shall govern Customer’s access to and use of Dremio’s fully managed lakehouse platform (“Dremio Cloud”) on each cloud service where Dremio directly provides customers with access to Dremio Cloud and related technical support, or other professional services. The Dremio Cloud Security Exhibit, attached hereto as Exhibit A, sets forth the administrative, technical and physical safeguards Dremio takes to protect Confidential Information, including Customer Content, in Dremio Cloud. In the event a term relating to Dremio Cloud within the Agreement conflicts with a term within this Cloud Appendix and Cloud Security Exhibit, the terms of this Cloud Appendix and/or Cloud Security Exhibit shall prevail and govern.

ADDITIONAL DEFINITIONS

“Cloud Service Provider” means a cloud service provider on whose platform Dremio directly provides Dremio Cloud, as specified in the Documentation.

“Cloud Support Policy” means, to the extent included with an applicable Order Form, or if Customer otherwise purchases support services for Dremio Cloud, maintenance and support services provided by Dremio pursuant to its then-current support policy, available at https://www.dremio.com/support-policy/.


“Control Plane” means the multi-tenant, always-on service responsible for service management, that is hosted and monitored by Dremio.

“Customer Metadata” means the metadata such as, but not limited to, names of tables, views, columns, schema, partition columns, sorting, ordering, descriptions, query string literals, file names and other data relating to the provision, use and performance of various aspects of Dremio Cloud (including, without limitation, such data concerning queries entered by Authorized Users; but excluding, for the avoidance of doubt, any Customer Content) that Dremio Cloud collects and analyzes.

“Customer Results” means any output Customer or its Authorized Users generate from their query submissions into their Customer Plane.

“Dremio Consumption Units” or “DCUs” means the measure in units of processing capability per hour (or the most granular counting unit available).

“DCU Credit” means a credit for usage of Dremio Cloud equal to the Fees paid by Customer.

“Dremio Cloud Environment” means the cloud environment used by Dremio to provide the Control Plane and certain other functionalities of Dremio Cloud, as described in the Documentation.

“Customer Plane” means the elements of Dremio Cloud consisting of compute resources that are responsible for query execution and are automatically provisioned as needed by the Control Plane.

“Previews” means a preview, beta or pre-release feature or service offered by Dremio, in its sole discretion, prior to its general commercial release for the purpose of evaluating performance, identifying defects and obtaining feedback.


“Third Party Service” means any software or service powered by or supported by Dremio Cloud that is provided under contract with a third party.

  1. USE OF DREMIO CLOUD
    1. To access and use Dremio Cloud, Customer must sign up for an account and provide Dremio with the information requested in the registration process. Dremio may also allow Customer to create its Dremio Cloud account and log into the account using Customer’s account credentials of a third-party service (e.g., Google, GitHub, etc.) and/or to authenticate through an identity provider (IdP). By connecting to Dremio Cloud with a third-party service, Customer may be required to provide Dremio with Customer’s log-in credentials for such third-party service, and Customer gives Dremio permission to access and use Customer’s information from that service as permitted by that service, and to store Customer’s log-in credentials for that service. Customer may be asked to provide certain credentials for each individual Authorized User. Customer is solely responsible for providing accurate, complete and updated registration information and for maintaining the confidentiality of its (and its Authorized Users’) account access credentials.
    2. Customer acknowledges that Dremio Cloud is implemented in a manner that divides the platform between its two main components—the Control Plane that resides in a Dremio Cloud Environment and the Customer Plane that resides in the Customer Cloud Environment (except in certain offerings of Dremio Cloud where the Customer Plane may reside in Dremio’s environment), and that accordingly each party must undertake certain technical and organizational measures in order to protect the security of Dremio Cloud and Customer Content.  Without limiting the foregoing, Customer acknowledges and agrees that (a) in order to utilize Dremio Cloud, Customer must have an account with the Cloud Service Provider; (b) Dremio does not host the Customer Cloud Environment into which certain parts of Dremio Cloud are deployed or the Systems in which Customer Data may be stored (e.g., an AWS S3 bucket or other cloud storage by Cloud Service Providers); (c) while certain Customer Data may occasionally be present within Dremio Cloud (e.g., within the Customer Results), Dremio Cloud is not designed to archive or permanently retain Customer Data, but merely to provide an environment to facilitate Customer’s queries and other data management services in relation to Customer Data within the Customer Cloud Environment; (d) Dremio Cloud does not provide backup services or disaster recovery to enable recovery of Customer Data. Accordingly, and without limiting the foregoing, Dremio is not responsible for any loss, destruction, alteration, or corruption of Customer Content; and (e) that it will abide by the Dremio Cloud Shared Responsibility Model available at https://trust.dremio.com/.
    3. Customer acknowledges and agrees that Customer is responsible for: (i) protecting the security of all Customer credentials used to access Dremio Cloud; (ii) securing the Customer Cloud Environment and any Customer-controlled System (with such steps to include, without limitation, industry standard steps to preclude unauthorized access); (iii) backing up and securing Customer Data under Customer’s control within the Customer Cloud Environment or other Customer-controlled Systems and (iv) managing and paying the charges associated with Customer’s usage of the Customer Cloud Environment (e.g., compute, storage and network fees); and Customer expressly assumes the risks associated with the foregoing responsibilities set forth in this paragraph.
    4. Dremio acknowledges and agrees that, except to the extent caused by the action or intentional or negligent inaction of Customer or its Authorized Users, including, without limitation, any customizations or configurations of Dremio Cloud by Customer or anything specified to be Customer’s responsibility above, Dremio is responsible for: (i) the operation of the Dremio Cloud Environment (including the user interface of Dremio Cloud and the portion of Dremio Cloud within the Control Plane) and the Dremio software that operates the computing resources in the Customer Plane; and (ii) implementing reasonable technical and organizational measures designed in accordance with ISO 27001 or equivalent/greater standard to protect the security of the foregoing.
    5. Dremio may, in its sole discretion, offer preview, alpha, beta, experimental, pre-release or similarly named features or services, prior to their general commercial release (collectively, “Previews”). All Previews shall be subject to the Beta Terms of Service available at https://www.dremio.com/legal/beta-terms-of-service/.
    6. Customer will be responsible for obtaining and maintaining all Systems and any other equipment and ancillary services needed to connect to, access or otherwise use Dremio Cloud.  Dremio will not be liable for any Systems and/or ancillary services needed to connect to, access or otherwise use Dremio Cloud.
    7. Customer will be solely responsible for ensuring that its use of Dremio Cloud, including, without limitation, Customer’s provision of Customer Data through Dremio Cloud complies with all applicable laws (including, all privacy law), rules, and regulations.  Further, Customer is solely responsible for all activity occurring in and through Dremio Cloud by Customer and its Authorized Users and for each of the Authorized User’s compliance with all terms and conditions of this Agreement.  At Dremio’s written request, Customer will furnish Dremio with a certification signed by an officer of Customer verifying that Dremio Cloud is being used in accordance with the terms of this Agreement and the applicable Orders. In the event Dremio believes that Customer is in violation of any of the obligations or restrictions set forth in this Section 3, Dremio may immediately suspend Customer’s access to Dremio Cloud and Customer will not be entitled to any refund of any fees due to such suspension.
    8. Dremio may, from time to time, at its sole discretion, update and/or change any part of Dremio Cloud, including its features, functions, layout and design.  Dremio will provide Customer with reasonable prior notice (including by email) of any material changes to Dremio Cloud. In the event that such changes to Dremio Cloud remove (without a substitute) or otherwise materially adversely affect any of the material features or functionality of Dremio Cloud, then Customer may notify Dremio in writing that it intends to terminate its Dremio Cloud account, provided that such notice is given to Dremio within thirty (30) days after Customer receives notice of such changes.  If upon receiving Customer’s notice Dremio fails to remove such adverse changes and restore the applicable features and functionality to Dremio Cloud within ninety (90) days of receiving Customer’s notice then Customer may as its sole remedy, terminate this Agreement for convenience upon written notice to Dremio (in which case Customer will be entitled to receive a refund of any prepaid, unused fees remaining as of the date the changes were implemented).
    9. If Customer uses the free version of Dremio Cloud, Customer acknowledges and agrees that Dremio may, at any time and in its sole discretion, (a) remove or change any part of the free version of Dremio Cloud, including its features, functions, layout and design, (b) begin to charge for the use of any part of the free version of Dremio Cloud, including any of its features or functions, and (c) cease offering or making available the free version of Dremio Cloud.
    10. Customer acknowledges and agrees that Dremio Cloud may operate with or using other services or application programming interfaces (APIs) operated or provided by third parties. Further, as a data infrastructure processing tool, Dremio Cloud may allow customers to add or use third party services in connection with or on top of Dremio Cloud.  Customer acknowledges and agrees that Dremio will have no liability for any Third-Party Service.  Dremio does not make any representations or warranties with respect to any such Third-Party Service or any third-party providers.  Any exchange of data or other interaction between Customer and a third-party provider is solely between Customer and such third-party provider and is governed by such third party’s terms and conditions.  For the avoidance of doubt, this Agreement does not provide for or govern the acquisition or use of any Third-Party Service and does not amend any term of the third-party provider’s contract for the Third-Party Service.
    11. Each party has obligations with respect to the security of Dremio Cloud and Customer Content. Dremio will implement and maintain appropriate technical and organizational security measures. The current technical and organizational security measures are described at https://dremio.com/platform/security. Customer is responsible for properly configuring and using Dremio Cloud and taking its own steps to maintain appropriate security, protection and backup of Customer Content. Customer will not disclose its user credentials to any unauthorized persons. Customer is responsible for all activities in Customer’s account, regardless of whether undertaken by Customer, Authorized Users or a third party. Dremio is not responsible for unauthorized access to Customer’s account unless caused by Dremio’s breach of this Agreement. Customer must contact us immediately if it believes unauthorized activity has occurred in Customer’s account or if Customer’s account information is lost or stolen.
  2. CONSIDERATION AND TAXES
    1. In consideration for the right to use Dremio Cloud, the Support Services and Professional Services, as applicable, Customer will pay Dremio (or its authorized reseller) the following fees (collectively, the “Fees”): (i) for pre-paid DCU Credit, the amounts specified in the applicable Order, and (ii) for excess consumption or Pay-As-You-Go, the fees set forth in the fee schedule at https://www.dremio.com/pricing (unless otherwise set forth in an applicable Order).  All Fees are nonrefundable, except as otherwise provided in this Agreement or the applicable Order.
    2. Customer will receive a DCU Credit equal to the Fees paid by Customer.  Dremio DCU pricing schedule is available at https://www.dremio.com/dcus. Consumption of the DCU Credit will be measured in DCUs.  The total DCU consumption by Customer is the sum of the DCU consumption of all Instances. Unless otherwise set forth in the Order, any unused DCU Credit paid for under the Order will expire twelve (12) months from the date of purchase. If all DCU Credit corresponding to the Fees set forth in the Order is consumed by Customer prior to the end of Customer’s Subscription Term, and prior to Customer’s purchase of additional DCU Credit, any additional usage of Dremio Cloud will be charged, and Customer shall pay, the on-demand price set forth on https://www.dremio.com/pricing, or the applicable on-demand price schedule of the respective Cloud Service Provider’s marketplace, unless Customer purchases additional DCU Credit in advance from Dremio. Dremio and the Cloud Service Provider may track Customer’s usage of Dremio Cloud and consumption of DCU Credit. In the event Customer opts not to purchase additional DCU Credit prior to the end of their Subscription Term, Customer’s Subscription Term, including Support Services, shall be deemed to have terminated as of the date of full exhaustion of Customer’s DCU Credits. Customer’s consumption of DCUs (or DCU balance) will be available to Customer through its Dremio Cloud account.
    3. Unless otherwise set forth in the applicable Order, (a) all Fees owed to Dremio will be paid in US Dollars; (b) Fees for pre-paid DCU Credit will be invoiced in full upon execution of the applicable Order, and will be due and payable within 30 days after the applicable invoice date unless otherwise set forth in the Order; (c) all excess consumption or Pay-As-You-Go consumption will be billed at the on-demand price set forth on https://www.dremio.com/pricing or the applicable on-demand price schedule of the respective Cloud Service Provider’s marketplace, in arrears as determined by Dremio (or the respective Cloud Service Provider), though not more than monthly; and (d) any Fees due for Support Services and Professional Services will be invoiced monthly in advance.
    4. Dremio reserves the right to change the Fees or applicable charges and to institute new charges and Fees, upon ninety (90) days prior notice to Customer (which may be sent by email) or in accordance with the applicable marketplace rules of the Cloud Service Provider.
    5. If Customer does not timely pay an invoice for DCU Credit, Dremio reserves the right to charge Customer the Pay-As-You-Go price for the DCUs consumed by Customer until such time Customer pays the invoice in full.  Further, in addition to any other rights granted to Dremio under this Agreement, Dremio reserves the right to suspend or terminate this Agreement, any related Orders, and Customer’s access to Dremio Cloud, with prior written notice to Customer, if Customer does not provide payment on time and such failure remains uncured for a period of thirty (30) days. Delinquent invoices are subject to interest of 5% per month on any outstanding balance, or the maximum permitted by law, whichever is less, from the date due, plus all expenses of collection. Customer will continue to be charged for Fees during any period of suspension due to Customer’s delinquency.
  3. GENERATIVE AI FEATURES
    1. Dremio Cloud contains optional generative artificial intelligence features that Customer may choose to enable through a feature toggle in the Preferences section of Customer’s Sonar Project (each, a “GenAI Feature”).  A GenAI Feature is designed to generate content (e.g., SQL syntax) (“Output”) in response to an Authorized User’s input (e.g., a command using natural language) (“User Prompt”), based on patterns and examples from the GenAI Feature’s training data.
    2. User Prompts and Outputs will constitute Customer Content under this Agreement. However, due to the nature of machine learning, Customer understands that Outputs may not be unique across users and the GenAI Features may generate the same or similar Outputs for other users.  Outputs requested by and generated for other users are not considered Customer Content. Dremio may use, reproduce, store and process the User Prompts and Outputs in any manner reasonably necessary to operate the GenAI Features for Customer. Customer may not (i) use the GenAI Features or input any User Prompts in a way that infringes, misappropriates or violates any person’s rights; or (ii) represent that Output from the GenAI Features was human generated when it is not.
    3. While the GenAI Features have been trained on a vast amount of information and while Dremio is constantly working to improve them, given the probabilistic nature of machine learning and that the GenAI Features do not have the ability to comprehend the context of User Prompts, evaluate the accuracy of the data it uses or consider ethical implications, the GenAI Features may not always produce accurate or reliable results and may inadvertently produce biased, offensive or inappropriate content.  Accordingly, Customer acknowledges and agrees that it is essential for its respective Authorized Users to critically evaluate and verify any Output generated by the GenAI Features (including by using human review of the Output) as appropriate for the Authorized User’s use case before relying on it for any purpose.  The use of the GenAI Features is at Customer’s and the Authorized Users’ own discretion and risk. By using GenAI Features, Customer acknowledges and accepts the inherent limitations and potential risks associated with their usage. Dremio shall not be held liable for any consequences, or any direct or indirect damages or losses, arising from the use of the GenAI Features, including, without limitation, with respect to any errors, inaccuracies or content generated by the GenAI Features.

Exhibit A
Dremio Cloud Security Exhibit

This Cloud Security Exhibit is designed to outline how Dremio Cloud protects the confidentiality, integrity and availability of Confidential Information, including Customer Content, against anticipated or actual threats or hazards; unauthorized or unlawful access, use, disclosure, alteration or destruction; and accidental loss, destruction or damage in accordance with laws applicable to the provision of the Service.

Security Compliance, Certifications, and Third-party Attestations

Dremio works with accredited third parties to perform audits and to attest to various compliance standards and certifications annually for:

  • SOC 2 Type II
  • ISO 27001 Certification
  • HIPAA: after a Business Associate Agreement (“BAA”) has been executed with Dremio, Dremio can support Message Content that is regulated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Payment Card Industry Data Security Standards (“PCI-DSS”) – Dremio can support PCI data as long as it is message-level encrypted by Customer. (Dremio is not PCI-DSS certified.)

Dremio’s Trust and Security page (https://trust.dremio.com) provides more information about Dremio’s compliance certifications and a portal for requesting supporting documentation.

Notification of Security Breach

  • Dremio will notify the Customer via electronic communication using the registered support account of the Customer within seventy-two (72) hours of the confirmed unauthorized access to the Customer’s data.
  • The breach notification will contain: (i) a summary of the known details of the security breach; (ii) the status of Dremio’s investigation; and (iii) Dremio’s response to the security breach event and investigation. 

Physical access

Dremio is a cloud first company. Dremio inherits all physical access security controls from public cloud providers such as GCP, AWS and Microsoft Azure.

Dremio’s offices do not have any physical or logical trust relationships with any other segments of Dremio resources.

Dremio reviews annually the applicable security and compliance reports of the public cloud providers it uses to ensure appropriate physical security controls, including:

  • Visitor management
  • Monitor and alarm response procedures
  • Use of CCTV cameras at facilities
  • Environmental and power management controls
  • Removal and destruction of physical media including drives.

Logical access

Access to cloud service providers that Dremio Cloud depends on always follows the least-privilege access methodology based on job functions and access requirements.

Access to sensitive data is exclusively limited to Dremio employees with a legitimate need to have access to that data.

Dremio office Wi-Fi networks require authentication. The access to the Dremio office Wi-Fi networks does not give access to any other Dremio networks, including networks in Dremio’s public cloud providers. Dremio requires authentication with multi-factor authentication when connecting to other internal Dremio networks. 

Dremio does not store Customer Data on local desktops, laptops, mobile devices, shared drives, removable media, or public-facing systems.

Dremio performs quarterly reviews of access to validate the access requirements for individuals due to departures and role changes.

Dremio ensures remote access to any Dremio system requires the use of multi-factor authentication.

Secrets Management

Customer Secrets

Dremio stores customer secrets, such as Azure application client secrets, AWS access key secrets, and data source login secrets encrypted at rest in the Dremio Control Plane.

Dremio Internal Secrets

Dremio stores Dremio Control Plane infrastructure secrets in a secrets manager vault, which is also encrypted at rest.

Data Protection

All Dremio Cloud data stored in Dremio Cloud’s databases and Dremio Cloud’s engines running on customer premises are always encrypted at rest.

Customer Content

Dremio Cloud never caches nor stores Customer Content in Dremio Cloud Control Plane premises.

Customer Metadata

Dremio Cloud stores Customer Metadata such as names of tables, views, columns, schema, partition columns, sorting, ordering, descriptions, query string literals, file names for product functionality, performance and service reasons.

Storage Layer

Dremio Cloud stores Metadata in two different locations:

  1. In a Customer Cloud Storage or in a Dremio Cloud Executor running in the Customer’s Cloud. 
  2. In Dremio Cloud Control Plane for product functionality purposes. (Names of tables, views, columns, schema, partition columns, ordering, comments/descriptions, SQL Query literals, name of the files containing data, etc.)

All Metadata stored by Dremio to provide data services is always encrypted at rest regardless of the storage location. 

Transit Layer

Customer Content will pass through a series of “encrypted in transit tunnels” from the Customer Plane to the client (i.e., a browser, python code, etc.) that requests it. This data is transient and never stored or cached anywhere in the Dremio Control Plane and/or outside of the Customer Plane. 

Customer Metadata transferred to the Dremio Control Plane is always encrypted in transit end-to-end.

Infrastructure Layer

All production environments that are hosting the Dremio Control Plane are built using infrastructure as code. There are no Dremio employee accounts inside the production environments. 

Dremio maintains an up-to-date diagram indicating how sensitive data reaches its systems and where it ends up being stored. This document can be requested by Customers by going to https://trust.dremio.com after entering into a non-disclosure agreement with Dremio.

Vulnerability Management

Dremio publishes a point of contact for reporting security issues on its website at https://www.dremio.com/platform/security/

Dremio has a responsible disclosure program and is committed to responding to reported security findings within a reasonable time frame.

Dremio enables customers or their delegates to test the security of its application upon request. Dremio also conducts annual penetration tests using a reputable third party. The results of the tests, along with Dremio’s actions, are documented and can be shared with customers and prospects upon request at https://trust.dremio.com.

Dremio ensures that non-production environments do not contain production data, including, but not limited to, Customer Data.

For each vulnerability, Dremio assigns a priority depending on the criticality, impact and likelihood of exploitability and assigns a service level based on the priority. 

Product Security

Access to the Dremio Cloud Control Plane leverages multilayer security, providing defense in depth.

Role Based Access Control

Identity and Access Control features of the product provide protection for each organization within Dremio Cloud by preventing unauthorized access. 

Identity and Access Control and the authorization features of Dremio Cloud enable customers to customize access to their resources within Dremio Cloud to meet their own access requirements to the data sources.

Dremio Cloud supports the SCIM protocol to replicate user and group membership from the customer’s Identity Provider in order to facilitate the access control requirements of the customer.

Security Standards and Programs

Dremio aligns to industry-standard frameworks and leverages additional security validation, as appropriate, including such things as:

  • CVSS, CWE and OWASP Top 10 for vulnerability tracking
  • Secure software development lifecycle

Application Security

Dremio follows a Secure Software Development Lifecycle, and several security tools are integrated into the build pipeline to detect vulnerabilities in the Dremio product. These tools include, but are not limited to:

  • SAST (Static Analysis and Security Tooling) to detect any anti-patterns in the code that Dremio writes
  • OSS (Open source software) Scanning to detect security issues in the third-party libraries and third-party base images that Dremio depends on
  • AMI Scanning to detect any CIS compliance issues or vulnerabilities in the AMI Images in the Dremio Cloud platform

Dremio implements HTTPS first, using redirects from insecure ports to encrypted ports and/or using the HTTP Strict-Transport-Security header with the includeSubDomains directive on all Dremio Cloud production pages.

Dremio sets a reasonable Content Security Policy to be secure by default and limits the ability to iframe sensitive application content where appropriate.

Dremio only uses frameworks, template languages, or libraries that systemically address implementation weaknesses by escaping the outputs and sanitizing the inputs.

Infrastructure Security

The Dremio Cloud Control Plane leverages GCP Cloud Armor to provide DDoS protection and WAF.

The complete infrastructure is built and managed using infrastructure as code. The cloud production infrastructure is regularly monitored for compliance violations and security anti-patterns using a Cloud Infrastructure Security Posture Management (CISPM) tool.

Access to the systems and infrastructure that support the Cloud Service is restricted to individuals who require such access as part of their job responsibilities.

Access privileges of terminated Dremio personnel are disabled automatically wherever possible. Dremio also performs quarterly access reviews in order to maintain a lean access posture.

All Dremio firewall-equivalent controls have deny-all default policies and only enable appropriate network protocols for egress and ingress network traffic.

Logging

Dremio provides audit logs for organizations that are using Dremio Cloud. These logs are stored securely in the Customer Plane and accessed via querying system tables.

Dremio stores and maintains audit logs for its systems in a robust log storage system and keeps records live for 30 days.

Dremio uses and monitors logs for security signals and takes action accordingly. Dremio also uses logs for forensics purposes.

Encryption

All data for the Dremio Control Plane is encrypted at rest with the AES-256 algorithm.

All traffic to and from the Dremio Control Plane is encrypted in transit using TLS 1.2+ (1.3 wherever possible) with insecure ciphers disabled and forward secrecy enabled. For the latest SSL settings you can always visit SSL Labs by Qualys for our production domains. 

Dremio Cloud supports customer keys for accessing data sources and encrypting project Customer Metadata stores on Customer premises.
