With respect to Customer’s purchase and/or use of Dremio Cloud, the following additional terms shall govern Customer’s access to and use of Dremio’s fully managed lakehouse platform (“Dremio Cloud”) on each cloud service where Dremio directly provides customers with access to Dremio Cloud and related technical support, or other professional services. The Dremio Cloud Security Exhibit, attached hereto as Exhibit A, sets forth the administrative, technical and physical safeguards Dremio takes to protect Confidential Information, including Customer Content, in Dremio Cloud. In the event a term relating to Dremio Cloud within the Agreement conflicts with a term within this Cloud Appendix and Dremio Cloud Security Exhibit, the terms of this Cloud Appendix and/or Dremio Cloud Security Exhibit shall prevail and govern.
ADDITIONAL DEFINITIONS
“Cloud Service Provider” means a cloud service provider on whose platform Dremio directly provides Dremio Cloud, as specified in the Documentation.
“Cloud Support Policy” means, to the extent included with an applicable Order Form, or if Customer otherwise purchases support services for Dremio Cloud, maintenance and support services provided by Dremio pursuant to its then-current support policy, available at https://www.dremio.com/support-policy/.
“Control Plane” means the multi-tenant, always-on service responsible for service management, that is hosted and monitored by Dremio.
“Customer Data Plane” means the storage and data-access layer of Dremio Cloud that manages Customer Data and operates within the Customer’s cloud environment, as configured and maintained by the Customer, who is responsible for its operation, configuration, and security.
“Customer Metadata” means the metadata such as, but not limited to, names of tables, views, columns, schema, partition columns, sorting, ordering, descriptions, query string literals, file names and other data relating to the provision, use and performance of various aspects of Dremio Cloud (including, without limitation, such data concerning queries entered by Authorized Users; but excluding, for the avoidance of doubt, any Customer Content) that Dremio Cloud collects and analyzes.
“Customer Results” means any output Customer or its Authorized Users generate from their query submissions into the Execution Plane.
“Dremio AI Units” or “DAUs” means the unified billing metric that captures all charges, excluding the actual token costs which are billed separately, related to artificial intelligence (“AI”) workload orchestration, coordination, and token processing (for both the Dremio-integrated and bring-your-own-model AI models).
“Dremio Compute Units” or “DCUs” means the measure in units of total compute processing capability used per hour (or the most granular metering available) for various data processing tasks.
“Dremio Data Plane” means the storage and data-access layer of Dremio Cloud responsible for managing Customer Data, hosted and monitored by Dremio.
“Dremio Managed Cloud Environment” means the managed cloud infrastructure and services operated by Dremio to provide the Control Plane, Dremio Data Plane, and related shared functionality for Dremio Cloud, as described in the Documentation.
“Execution Plane” means the elements of Dremio Cloud consisting of compute resources that are responsible for query execution and are automatically provisioned as needed by the Control Plane. This is also hosted and monitored by Dremio with appropriate customer isolation mechanisms.
“Large Language Model Provider” or “LLM Provider” means any third-party that develops, operates, or makes available large-scale machine learning models trained on extensive datasets for the purpose of generating, understanding, or processing natural language or other data inputs. A LLM Provider may include, without limitation, providers of foundation models, generative AI systems, or similar artificial intelligence technologies that are integrated with, or used in connection with, Dremio Cloud.
“Networking” means the data transfer charges associated with Dremio Cloud operations, including network data egress (whether to the public internet, across regions, or within a region), that is billed on a per-gigabyte basis.
“Previews” means a preview, beta or pre-release feature or service offered by Dremio, in its sole discretion, prior to its general commercial release for the purpose of evaluating performance, identifying defects and obtaining feedback.
“Storage” means the Dremio-hosted data storage used by the Customer, including project and catalog storage, that is measured in terabytes per month (TB/m).
“Third Party Service” means any software or service powered by or supported by Dremio Cloud that is provided under contract with a third party.
“Total Services Commit” means the aggregate amount of money the Customer agrees to spend under an Order Form during a Subscription Term, to be applied towards all Dremio Cloud services (including DCUs, DAUs, Storage and Networking) and Support over the course of that Subscription Term.
- USE OF DREMIO CLOUD
- To access and use Dremio Cloud, Customer must sign up for an account and provide Dremio with the information requested in the registration process. Dremio may also allow Customer to create its Dremio Cloud account and log into the account using Customer’s account credentials of a third-party service (e.g., Google, GitHub, etc.) and/or to authenticate through an identity provider (IdP). By connecting to Dremio Cloud with a third-party service, Customer may be required to provide Dremio with Customer’s log-in credentials for such third-party service, and Customer gives Dremio permission to access and use Customer’s information from that service as permitted by that service, and to store Customer’s log-in credentials for that service. Customer may be asked to provide certain credentials for each individual Authorized User. Customer is solely responsible for providing accurate, complete and updated registration information and for maintaining the confidentiality of its (and its Authorized Users’) account access credentials.
- The Customer acknowledges that Dremio Cloud is implemented and fully operational within the Dremio Managed Cloud Environment, which is hosted and managed by Dremio. In certain configurations, components of the service may be deployed within the Customer’s own Cloud Environment. The Customer further acknowledges that, accordingly, each party must implement and maintain appropriate technical and organizational measures consistent with its respective responsibilities under the Dremio Cloud Shared Responsibility Model (available at https://trust.dremio.com/) to protect the security of Dremio Cloud and Customer Content. Without limiting the foregoing, Customer acknowledges and agrees that:
- Dremio hosts and manages the Dremio Managed Cloud Environment, including the hosted storage in which Customer Data may reside. In cases where Customer elects to use their own cloud storage (for example, a Customer-owned AWS S3 bucket), the Customer is responsible for managing access to and operation of that storage within the Customer Data Plane.
- While Customer Data resides within the Dremio Managed Cloud Environment (either in Dremio-managed storage or in Customer-provided cloud storage managed by Dremio), Dremio Cloud is not designed to serve as an archival, backup, or long-term data retention service. It provides an environment solely to facilitate the Customer’s queries, data processing, and other data management operations in relation to Customer Data; and
- Dremio Cloud does not provide backup or disaster-recovery services to enable recovery of Customer Data. Accordingly, and without limiting the foregoing, Dremio is not responsible for any loss, destruction, alteration, or corruption of Customer Content. It is recommended to maintain a copy in appropriate back-up or other disaster-recovery level storage.
- Customer acknowledges and agrees that Customer is responsible for: (i) protecting the security of all Customer credentials used to access Dremio Cloud; (ii) securing the Customer cloud environment and any Customer-controlled System (with such steps to include, without limitation, industry standard steps to preclude unauthorized access); (iii) backing up and securing Customer Data under Customer’s control within the Customer cloud environment or other Customer-controlled Systems and (iv) managing and paying the charges associated with Customer’s usage of the Customer cloud environment (e.g., storage and network fees); and Customer expressly assumes the risks associated with the foregoing responsibilities set forth in this paragraph.
- Dremio acknowledges and agrees that, except to the extent caused by the action or intentional or negligent inaction of Customer or its Authorized Users, including, without limitation, any customizations or configurations of Dremio Cloud by Customer or anything specified to be Customer’s responsibility above, Dremio is responsible for: (i) the operation of the Dremio Managed Cloud Environment; and (ii) implementing reasonable technical and organizational measures designed in accordance with ISO 27001 or equivalent/greater standard to protect the security of the foregoing.
- Dremio may, in its sole discretion, offer preview, alpha, beta, experimental, pre-release or similarly named features or services, prior to their general commercial release (collectively, “Previews”). All Previews shall be subject to the Beta Terms of Service available at https://www.dremio.com/legal/beta-terms-of-service/.
- Customer will be responsible for obtaining and maintaining all Systems and any other equipment and ancillary services needed to connect to, access or otherwise use Dremio Cloud. Dremio will not be liable for any Systems and/or ancillary services needed to connect to, access or otherwise use Dremio Cloud.
- Customer will be solely responsible for ensuring that its use of Dremio Cloud, including, without limitation, Customer’s provision of Customer Data through Dremio Cloud complies with all applicable laws (including, all privacy law), rules, and regulations. Further, Customer is solely responsible for all activity occurring in and through Dremio Cloud by Customer and its Authorized Users and for each of the Authorized User’s compliance with all terms and conditions of this Agreement. At Dremio’s written request, Customer will furnish Dremio with a certification signed by an officer of Customer verifying that Dremio Cloud is being used in accordance with the terms of this Agreement and the applicable Orders. In the event Dremio believes that Customer is in violation of any of the obligations or restrictions set forth in this Section 3, Dremio may immediately suspend Customer’s access to Dremio Cloud and Customer will not be entitled to any refund of any fees due to such suspension.
- Dremio may, from time to time, at its sole discretion, update and/or change any part of Dremio Cloud, including its features, functions, layout and design. Dremio will provide Customer with reasonable prior notice (including by email) of any material changes to Dremio Cloud. In the event that such changes to Dremio Cloud remove (without a substitute) or otherwise materially adversely affect any of the material features or functionality of Dremio Cloud, then Customer may notify Dremio in writing that it intends to terminate its Dremio Cloud account, provided that such notice is given to Dremio within thirty (30) days after Customer receives notice of such changes. If upon receiving Customer’s notice Dremio fails to remove such adverse changes and restore the applicable features and functionality to Dremio Cloud within ninety (90) days of receiving Customer’s notice then Customer may as its sole remedy, terminate this Agreement for convenience upon written notice to Dremio (in which case Customer will be entitled to receive a refund of any prepaid, unused fees remaining as of the date the changes were implemented).
- If Customer uses the trial version of Dremio Cloud, Customer acknowledges and agrees that Dremio may, at any time and in its sole discretion, (a) remove or change any part of the trial version of Dremio Cloud, including its features, functions, layout and design, (b) begin to charge for the use of any part of the trial version of Dremio Cloud, including any of its features or functions, and (c) cease offering or making available the trial version of Dremio Cloud.
- Customer acknowledges and agrees that Dremio Cloud may operate with or using other services or application programming interfaces (APIs) operated or provided by third parties. Further, as a data infrastructure processing tool, Dremio Cloud may allow customers to add or use third party services in connection with or on top of Dremio Cloud. Customer acknowledges and agrees that Dremio will have no liability for any Third-Party Service. Dremio does not make any representations or warranties with respect to any such Third-Party Service or any third-party providers. Any exchange of data or other interaction between Customer and a third-party provider is solely between Customer and such third-party provider and is governed by such third party’s terms and conditions. For the avoidance of doubt, this Agreement does not provide for or govern the acquisition or use of any Third-Party Service and does not amend any term of the third-party provider’s contract for the Third-Party Service.
- Each party has obligations with respect to the security of Dremio Cloud and Customer Content. Dremio will implement and maintain appropriate technical and organizational security measures. The current technical and organizational security measures are described at https://dremio.com/platform/security. Customer is responsible for properly configuring and using Dremio Cloud and taking its own steps to maintain appropriate security, protection and backup of Customer Content. Customer will not disclose its user credentials to any unauthorized persons. Customer is responsible for all activities in Customer’s account, regardless of whether undertaken by Customer, Authorized Users or a third party. Dremio is not responsible for unauthorized access to Customer’s account unless caused by Dremio’s breach of this Agreement. Customer must contact us immediately if it believes unauthorized activity has occurred in Customer’s account or if Customer’s account information is lost or stolen.
- During any free, evaluation, or trial period (“Trial”), Customer acknowledges and agrees that Dremio provides the Cloud Service on an “as-is” and “as-available” basis, and that no technical support, service level commitments, or maintenance obligations apply to the Trial. Customer’s sole source of assistance during the Trial will be Dremio’s publicly available self-service resources, including documentation and community forums. Dremio shall have no obligation to provide direct or individualized support (including but not limited to email, chat, or phone support) for any Trial use of the Cloud Service.
- CONSIDERATION AND TAXES
- Fees and Billing Overview. In consideration for the right to use Dremio Cloud and the Support Services, as applicable, Customer shall pay Dremio (or its authorized reseller) the following fees (collectively, the “Fees”): (i) for prepaid Total Services Commit, the amounts specified in the applicable Order Form; and (ii) for excess consumption or Pay-As-You-Go (PAYG) usage, the fees set forth in the current fee schedule at https://www.dremio.com/pricing (unless otherwise specified in an applicable Order Form).
- Total Services Commit and Usage Measurement. Under the Dremio Cloud pricing model, Customer’s Fees correspond to a Total Services Commit that may be consumed across all Dremio Cloud services, including DCUs, DAUs and tokens, Storage, Networking, and Support. Each service category is measured according to its applicable metric (e.g., DCUs for data processing, DAUs for orchestration, tokens for AI model usage, terabytes for storage, gigabytes for networking). All consumption is converted to a monetary value and applied against the Customer's Total Services Commit. Dremio will provide visibility into Customer’s consumption and remaining balance through the Dremio Cloud billing dashboard. Unless otherwise specified in the Order Form: (a) any expansion of the Total Services Commit will be co-termed with the remaining Subscription Term; and (b) any unused portion of the Total Services Commit will expire at the end of each annual period of the Subscription Term. If Customer consumes its Total Services Commit prior to the end of the Subscription Term and before purchasing additional commit capacity, subsequent usage will be billed at on-demand PAYG pricing as set forth on https://www.dremio.com/pricing, or the applicable price schedule of the respective Cloud Service Provider’s marketplace. Dremio and/or the applicable Cloud Service Provider may track and report usage for purposes of billing and consumption visibility. If Customer does not replenish its commit or prepay for additional capacity, Dremio may suspend access to Dremio Cloud and associated Support Services upon full consumption of the committed amount.
- Payments and Invoicing. Unless otherwise set forth in the applicable Order Form:
- all Fees shall be paid in the currency specified on an Order Form;
- Fees for prepaid Total Services Commit shall be invoiced in full upon execution of the Order Form and shall be due and payable within thirty (30) days of the invoice date;
- Fees for PAYG or excess usage shall be billed in arrears at the then-current on-demand prices listed at https://www.dremio.com/pricing or via the applicable Cloud Service Provider marketplace; and
- Fees for any Professional Services shall be invoiced as specified in the applicable Order Form.
- Dremio reserves the right to modify its Fees or introduce new charges upon ninety (90) days’ prior notice to Customer (which may be provided by email) or in accordance with the rules of the relevant Cloud Service Provider marketplace.
- Late Payments and Suspension Rights. If Customer fails to timely pay any invoice for prepaid or postpaid usage, Dremio may, at its discretion, charge Customer PAYG rates for all ongoing usage until full payment is received. If payment remains outstanding, Dremio may suspend or terminate this Agreement, any related Orders, and Customer’s access to Dremio Cloud. Delinquent amounts shall accrue interest at five percent (5%) per month, or the maximum rate permitted by law, whichever is less, from the payment due date until paid in full. Customer will be responsible for all reasonable expenses incurred by Dremio in connection with collection activities. Customers will continue to be charged for Fees during any period of suspension due to nonpayment.
- Pay-As-You-Go Credit Card Billing. If Customer has elected to utilize PAYG, Customer must maintain a valid credit card on file. Charges will be processed monthly for the prior month’s usage. If any credit card transaction is rejected or subject to chargeback, Dremio may immediately lock Customer’s account until the payment issue is resolved. Customer shall have seven (7) calendar days from the date of the rejected transaction to correct the issue or provide an alternate payment method. If the payment issue remains unresolved after seven (7) calendar days, Dremio may suspend the account. If the account remains unpaid for thirty (30) days, Dremio reserves the right to delete the account and all associated data.
- Visibility and Reporting. Customer consumption across all services — including, but not limited to Compute (DCUs), AI (DAUs and tokens), Storage, and Networking — will be available to Customer via the Dremio Cloud billing dashboard. Usage will be tracked in real time, with charges automatically applied to Customer’s Total Services Commit or billed under PAYG, as applicable.
- III. AI FUNCTIONALITY
- Dremio Cloud contains optional generative artificial intelligence features that Customer may choose to disable through a feature toggle in the Preferences section of Customer’s Project (each, a “GenAI Feature”). A GenAI Feature is designed to generate content (e.g., SQL syntax) (“Output”) in response to an Authorized User’s input (e.g., a command using natural language) (“User Prompt”), based on patterns and examples from the GenAI Feature’s training data. Unless Customer configures its own AI model, all GenAI Feature functionality will utilize Dremio’s default model which is based on an OpenAI model hosted by Dremio (“Default Provider”). Customer may, in Customer’s sole discretion, elect to override the default model and connect to Customer’s own supported AI provider account (each a “Supported Provider”). A list of Supported Providers, as updated from time-to-time in Dremio’s sole discretion, can be found in the Documentation. If Customer elects to connect to Customer’s own Supported Provider, Customer expressly agrees that: (i) any requests made within the GenAI Feature will be routed directly to Customer’s chosen Supported Provider; (ii) data processing and retention will be subject to the terms of Customer’s agreement with the Supported Provider; (iii) Customer shall be responsible for all costs and usage associated with its utilized Supported Provider account; and (iv) your results may vary as compared to Dremio’s LLM Model Provider.
- When utilizing the Default Provider, all User Prompts may be processed by a Dremio LLM Model Provider under such LLM Model Provider’s terms. User Prompts and Outputs will constitute Customer Content under this Agreement. However, due to the nature of machine learning, Customer understands that Outputs may not be unique across users and the GenAI Features may generate the same or similar Outputs for other users. Outputs requested by and generated for other users are not considered Customer Content. Dremio may use, reproduce, store and process the User Prompts and Outputs in any manner reasonably necessary to operate the GenAI Features for Customer. Customer may not: (i) use the GenAI Features or input any User Prompts in a way that infringes, misappropriates or violates any person’s rights; or (ii) represent that Output from the GenAI Features was human generated when it is not.
- While the GenAI Features have been trained on a vast amount of information and while Dremio is constantly working to improve them, given the probabilistic nature of machine learning and that the GenAI Features do not have the ability to comprehend the context of User Prompts, evaluate the accuracy of the data it uses or consider ethical implications, the GenAI Features may not always produce accurate or reliable results and may inadvertently produce biased, offensive or inappropriate content. Accordingly, Customer acknowledges and agrees that it is essential for its respective Authorized Users to critically evaluate and verify any Output generated by the GenAI Features (including by using human review of the Output) as appropriate for the Authorized User’s use case before relying on it for any purpose. The use of the GenAI Features is at Customer’s and the Authorized Users’ own discretion and risk. By using GenAI Features, Customer acknowledges and accepts the inherent limitations and potential risks associated with their usage. Dremio shall not be held liable for any consequences, or any direct or indirect damages or losses, arising from the use of the GenAI Features, including, without limitation, with respect to any errors, inaccuracies or content generated by the GenAI Features.
- Dremio shall have no indemnification obligation, nor liability of any type with respect to (i) Customer’s Supported Provider, and (ii) Output generated or actions conducted by GenAI Features powered by Customer’s Supported Provider, unless such exclusion of liability is not enforceable under applicable law, in which case Dremio’s liability will not exceed one thousand dollars ($1,000 USD).
Exhibit A
Dremio Cloud Security Exhibit
This Dremio Cloud Security Exhibit to the Dremio Subscription Agreement and Dremio Cloud Appendix (both available at https://www.dremio.com/legal/) sets forth the administrative, technical, and physical safeguards Dremio Corporation takes to protect Confidential Information, including Customer Content, in the Dremio Cloud.
This Cloud Security Exhibit is designed to protect the confidentiality, integrity, and availability of Confidential Information, including Customer Content, against anticipated or actual threats or hazards; unauthorized or unlawful access, use, disclosure, alteration, or destruction; and accidental loss, destruction, or damage in accordance with laws applicable to the provision of the Service.
Definitions
Unless otherwise defined herein, all definitions shall be the same as defined in the Dremio Subscription Agreement and Dremio Cloud Appendix (both available at https://www.dremio.com/legal/).
Customer Metadata: Dremio Cloud collects and analyzes metadata such as names of tables, views, columns, schema, partition columns, sorting, ordering, descriptions, query string literals, file names and other data relating to the provision, use and performance of various aspects of Dremio Cloud (including, without limitation, such data concerning queries entered by Authorized Users; but excluding, for the avoidance of doubt, any Customer Content) (“Metadata”).
Security Compliance, Certifications, and Third-Party Attestations
Dremio works with accredited third parties to perform audits and to attest to various compliance standards and certifications annually for:
- SOC 2 Type II
- ISO 27001 Certification
- HIPAA: after a Business Associate Agreement (“BAA”) has been executed with Dremio, Dremio can support Message Content that is regulated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Payment Card Industry Data Security Standards (“PCI-DSS”) – Dremio can support PCI data as long as it is message-level encrypted by the Customer. (Dremio is not PCI-DSS Certified.)
Dremio’s Trust and Security page (https://trust.dremio.com) provides more information about Dremio’s compliance certifications and a portal for requesting supporting documentation.
Notification of Security Breach
- Dremio will notify the Customer via electronic communication using the registered support account of the Customer within seventy-two (72) hours of any confirmed unauthorized access to the Customer Data.
- The breach notification will contain a summary of the known details of the Security Breach and the status of Dremio’s investigation and response.
Physical Access
Dremio Corporation is a cloud-first company. Dremio inherits all physical access security controls from public cloud providers, including GCP, AWS, and Microsoft Azure. Dremio’s offices do not have any physical or logical trust relationships with any other segments of Dremio resources.
Dremio annually reviews the applicable security and compliance reports of the public cloud providers it uses to ensure appropriate physical security controls, including:
- Visitor management
- Monitor and alarm response procedures
- Use of CCTV cameras at facilities
- Environmental and power management controls
- Removal and destruction of physical media, including drives.
Logical Access
Access to Cloud Service providers that Dremio depends on always follows the least access privilege methodology based on job functions and access requirements.
Sensitive data access is exclusively limited to Dremio employees with a legitimate need.
Dremio office Wi-Fi networks require authentication. Access to the Dremio office Wi-Fi network does not grant access to any other networks within Dremio, including those in Dremio’s public Cloud Providers. Dremio requires authentication with MFA when connecting to other internal Dremio networks.
Dremio does not store Customer Data on local desktops, laptops, mobile devices, shared drives, removable media, or public-facing systems.
Dremio conducts quarterly access reviews to validate access requirements and identify any necessary changes resulting from employee departures, role changes, or other workforce updates.
Dremio ensures that remote access to any Dremio system requires the use of MFA.
Secrets Management
Customer Secrets
Dremio stores customer secrets, such as Azure application client secrets, AWS access key secrets, data source login secrets, etc., encrypted at rest using KMS for managing keys individualized for each Customer.
Dremio Internal Secrets
Dremio stores infrastructure secrets in a secrets manager vault, encrypted at rest.
Data Protection
All data stored in Dremio’s databases and engines, including transient data, is always encrypted at rest.
Customer Content
Dremio stores Customer Data in the project store and in project ephemeral resources. All permanently stored data resides in the project store—a dedicated storage location unique to each customer that can be either customer-provided or Dremio-provided. Dremio temporarily caches customer data in project ephemeral resources to enhance performance and usability. These caches terminate with the executor or are retained for 30 days or less.
Customer Metadata
Dremio Cloud stores Customer Metadata, including the names of tables, views, columns, schema, partition columns, sorting, ordering, descriptions, query string literals, file names, and AI results for product functionality, performance, and service reasons.
Transit Layer
Customer Content passes through encrypted channels from Dremio to the client that requests it. This data is transient and is never stored or cached in the Dremio platform.
Metadata transferred to Dremio is always encrypted in transit end-to-end.
Infrastructure Layer
All production environments that are hosting Dremio are built using infrastructure as code. There are no Dremio employee accounts inside the production environments.
Dremio maintains an up-to-date diagram indicating how sensitive data reaches its systems and where it is ultimately stored. Our customers can request this document.
Vulnerability Management
Dremio publishes a point of contact for reporting security issues on its website at https://www.dremio.com/platform/security/.
Dremio has a responsible disclosure program and is committed to responding to reported security findings within a reasonable time frame.
Dremio enables customers or their delegates to test the security of its application upon request. Dremio also conducts annual penetration tests using a reputable third party. The results of the tests, along with Dremio’s actions, are documented and can be shared with customers and prospects upon request.
Dremio maintains strict separation between production and non-production environments. Non-production environments do not contain any production data, including Customer Data.
For each vulnerability, Dremio assigns a priority based on the criticality, impact, and likelihood of exploitability, and then assigns an SLA accordingly.
Product Security
Dremio implements multi-layer security controls to provide a defense-in-depth approach.
Role-Based Access Control
Identity and Access Control features of the product protect each organization within Dremio by preventing unauthorized access.
Identity and access control, along with the authorization features of Dremio, enable customers to customize access to their resources within Dremio, meeting their own access requirements for the data sources.
Dremio supports the SCIM protocol to replicate user and group membership from the Customer’s identity provider, facilitating the Customer's access control requirements.
Security Standards and Programs
Dremio aligns with industry-standard frameworks and leverages additional security validation, as appropriate, including such things as:
- CVSS, CWE, and OWASP Top 10 for vulnerability tracking
- Secure software development lifecycle
Application Security
Dremio follows a secure software development lifecycle, and several security tools are integrated into the build pipeline to detect vulnerabilities in the Dremio product we develop. Our tooling includes, but is not limited to:
- SAST (Static Application Security Testing) to detect any anti-patterns in the code that Dremio writes.
- OSS (open source software) scanning to detect security issues in the third-party libraries and third-party base images that Dremio depends on.
Dremio implements HTTPS-first behavior using redirects from insecure ports to encrypted ports and/or the HTTP Strict-Transport-Security header, with the includeSubDomains directive, on all Dremio production pages.
Dremio sets a reasonable Content Security Policy to be secure by default and limits the ability to iframe sensitive application content where appropriate.
Dremio only uses frameworks, template languages, or libraries that systematically address implementation weaknesses by escaping outputs and sanitizing inputs.
Infrastructure Security
Dremio leverages GCP Cloud Armor to provide DDoS protection and WAF.
The complete infrastructure is built and managed using infrastructure as code. The cloud production infrastructure is regularly monitored for compliance violations and security anti-patterns using the Cloud Infrastructure Security Posture Management (CISPM) tool.
Access to the systems and infrastructure that support the Cloud Service is restricted to individuals who require such access as part of their job responsibilities.
Access privileges of terminated Dremio personnel are disabled automatically wherever possible. Dremio also conducts quarterly access reviews to maintain a lean access posture.
All Dremio firewall-equivalent controls have deny-all default policies where appropriate and only enable appropriate network protocols for egress and ingress network traffic.
Logging
Dremio provides audit logs for organizations using Dremio. These logs are available through system tables and stored securely in the customer's project storage (whether customer-provided or Dremio-managed).
Dremio stores and maintains audit logs for its systems in a robust log storage system, keeping records live for 30 days.
Dremio uses and monitors logs for security signals, taking action accordingly. Dremio also uses logs for forensics purposes.
Encryption
All data is encrypted at rest with the AES-256 algorithm.
All traffic to and from the Dremio platform and between Dremio services is encrypted in transit using TLS 1.2 or higher, with insecure ciphers disabled and forward secrecy enabled. Current SSL configurations for production domains can be verified through SSL Labs by Qualys.