This page describes the compliance security profile, its compliance controls, and supported features. To enable the compliance security profile, see Configure enhanced security and compliance settings.
Compliance security profile overview
The compliance security profile enables additional monitoring, a hardened compute image, and other features and controls on Azure Databricks workspaces. The compliance security profile includes controls that help meet the applicable security requirements of some compliance standards. Enabling the compliance security profile is required to use Azure Databricks to process data that is regulated under the following compliance standards:
Databricks strongly recommends enabling the compliance security profile to process data under HIPAA, but it is not required.
You can also choose to enable the compliance security profile for its enhanced security features without conforming to a compliance standard.
Important
- You are solely responsible for ensuring your own compliance with all applicable laws and regulations.
- For compliance standards other than HIPAA, you are solely responsible for ensuring that the compliance security profile and the appropriate compliance standards are configured before processing regulated data. For processing PHI data, Databricks strongly recommends using the compliance security profile and selecting the HIPAA compliance standard.
If you enable this feature on any workspace, you are charged for the Enhanced Security and Compliance add-on as described on the pricing page.
Compliance security profile security enhancements
Security enhancements include:
- A CIS Level 1 hardened image.
- Automatic cluster updates, ensuring clusters have the latest updates by periodically restarting them during configurable maintenance windows. See Automatic cluster update.
- Enhanced security monitoring, which includes monitoring agents that generate reviewable logs. See Monitoring agents in Azure Databricks compute plane images.
- Communication within the cluster and egress traffic, including communication with the metastore, uses TLS 1.2 or higher.
Classic and serverless compute support
The compliance security profile determines which compliance standards are enforced for compute resources in both the classic and serverless compute planes.
Classic compute resources support a wide range of compliance standards across regions. Serverless compute resources (serverless SQL warehouses, serverless compute for notebooks and workflows, and serverless Lakeflow Declarative Pipelines) have more limited support depending on the compliance standard and region.
The table below lists which compliance standards are supported in each compute plane and the corresponding supported regions:
Compliance standard | Classic compute plane support | Serverless compute plane support |
---|---|---|
CCCS Medium (Protected B) | canadacentral, canadaeast | None |
HIPAA | All regions | All regions with serverless |
HITRUST | All regions | None |
IRAP | australiacentral, australiacentral2, australiaeast, australiasoutheast | None |
PCI-DSS | All regions | None |
UK Cyber Essentials Plus | ukwest, uksouth | None |
For more information on compute plane architecture, see Azure Databricks architecture overview.
Supported preview features
Only the preview features listed in this section are supported for processing data regulated under compliance standards. No other preview features are supported.
Public Preview features
- Workspace-level SCIM provisioning
Workspace-level SCIM provisioning is a legacy feature. Databricks recommends using account-level SCIM provisioning instead.
Private Preview features
- Unity Catalog attribute-based access control (ABAC)
- Tag policies
- DBFS disablement
- Document parsing
- Alerts v2
Preview features available only with serverless compute
These features are only supported with compliance standards that support the serverless compute plane. See Classic and serverless compute support.
Serverless Public Preview features
- ServiceNow LakeFlow Connect connector
- Google Analytics LakeFlow Connect connector
- High memory for serverless compute notebook tasks
- Anomaly detection
- Serverless forecasting
Serverless Private Preview features
- Serverless forecasting Python SDK
Additional preview features supported with HIPAA
HIPAA supports all of the preview features above and also the following additional preview features:
- Lakeflow Connect column-level selection (Private Preview)