dbt Labs

dbt Labs

Search the Trust Center...
Ctrl +K

dbt Labs | Trust Center

Everything you need to complete your security review is here. Browse documents, certifications, and compliance details with confidence. Our Trust Center is regularly updated to reflect the latest audit results, and subprocessor disclosures.


Announcements

Security Advisory Update: React / Next.js Vulnerability - NO IMPACT

A recently disclosed critical vulnerability affecting React Server Components (RSC) and certain versions of Next.js has received industry-wide attention. After a thorough review, we have confirmed that dbt Labs is not vulnerable to the server-side component of this issue. None of our production systems use the affected React server packages.
As an additional precaution, we are reviewing and updating all React components across our codebase to the latest safe versions.
We will continue to monitor for any follow-on issues, but at this time, no customer-facing systems were impacted.


Salesloft/Drift Notice: No Impact

We’re aware of the recent SalesLoft breach. We do not use SalesLoft.

As a precautionary measure, we will be reviewing our Salesforce instance and related integrations to determine any potential proactive changes.

Thank you,
dbtLabs Security Team


"IngressNightmare" Notice

We are aware of the recently disclosed "IngressNightmare" vulnerabilities. Our team has taken prompt action, and patching has been completed across the company to ensure our systems remain secure. We continue to monitor for any related developments.


TJ-Actions (Github Actions) Notice

We were aware of the recent incident involving a compromised third-party GitHub Action (tj-actions) and took immediate action to evaluate and contain the risk. Upon discovery, we disabled affected workflows, rotated exposed tokens as a precaution, and confirmed that no persistent credentials were at risk. We have no reason to believe there is any ongoing threat or any indication of compromised credentials at dbt Labs.


Crowdstrike Outage - No Impact

dbt Labs is aware of the ongoing Crowdstrike outage. dbt Labs does NOT utilize Crowdstrike in its environment at this time. dbt Cloud is not impacted. We will continue to monitor the situation.

For more information on the Crowdstrike outage, please see below;

https://www.crowdstrike.com/blog/statement-on-windows-sensor-update/
https://www.washingtonpost.com/technology/2024/07/19/microsoft-windows-outage-blue-screen-bsod/


OpenSSH Notice

dbt Labs is aware of the OpenSSH vulnerability, “regreSSHion”. We have taken immediate steps to investigate and remediate this issue. As a result, we have removed all known SSH public access from the dbt Labs environment. We have no reason to believe there is any impact to our organization or infrastructure.

For more information on this vulnerability, please see below;
https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server


INFORMATIONAL: Snowflake Notice

On May 31, 2024, Snowflake posted a notice regarding cyber threat activities.

“Snowflake recently observed and is investigating an increase in cyber threat activity targeting some of our customers’ accounts.”

We encourage all customers utilizing Snowflake to read the notice and take any recommended action(s) accordingly.

https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information


Sisense Notice

dbt Labs is aware of the recent CISA alert regarding the compromise of Sisense Customer Data. dbt Labs does NOT utilize Sisense services. If you utilize Sisense services, we recommend reviewing the following articles for the latest information & recommendations;

  • https://www.cisa.gov/news-events/alerts/2024/04/11/compromise-sisense-customer-data

  • https://krebsonsecurity.com/2024/04/why-cisa-is-warning-cisos-about-a-breach-at-sisense/


xz/liblzma supply chain compromise (CVE-2024-3094)

dbt Labs’ Security Team has assessed the supply chain compromise of xz and its impact to liblzma (CVE-2024-3094). Based on current analysis, this compromise does not impact or affect the dbt Cloud platform.

Additionally, dbt Cloud’s primary infra provider, Amazon Web Services (AWS), has confirmed that its infrastructure is not impacted.

We will continue to evaluate the risk as more information is made available and update customers accordingly, as needed.


HTTP/2 Rapid Reset (CVE-2023-44487)

dbt Labs is aware of the HTTP/2 Rapid Reset (CVE-2023-44487) vulnerability. At this time, we do not have any reason to believe there is any impact on dbt Cloud. We are continuing to monitor and assess the situation as details emerge.


MOVEit Transfer Vulnerability - No Impact

dbt Labs is aware of MOVEit Transfer vulnerability. At this time, dbt Labs does NOT utilize the MOVEit Transfer application and therefore is not impacted by the vulnerability.

Thank you,
dbt Lab Security Team



Badges

iso-27001-2022
ISO 27001:2022
iso-27017
ISO 27017
iso-27018
ISO 27018
gdpr
GDPR
ccpa
CCPA

What we offer

dbt Platform

dbt is a hosted subscription service that empowers data analysts and engineers to govern and productionize dbt deployments. Users are provided observability and productivity tools with turnkey support for orchestrating jobs, utilizing CI/CD, generating code, tests and documentation, monitoring & alerting, enabling CLI, in addition to providing an Integrated Developer Environment (IDE).

dbt helps you structure data for AI infrastructure as well as providing top of class transformation assistance. We are the T in ELT (extract, load, transform) software, enabling your users to quickly and safely use the most modern means to find game-changing answers in your data warehouse. dbt allows analysts to build reliable, fresh pipelines of data using engineering best practices.

We take our security obligations seriously:

  • We maintain these certifications: SOC 2 Type 2, GDPR, CCPA, ISO 27701, ISO 27001:2022, ISO 42001.
  • We align with OWASP, NIST, and HIPAA Security standards.
  • We encrypt data in transit and at rest.

Certifications: SOC 2 Type 2, GDPR, CCPA, ISO 27701, ISO 27001:2022, ISO 27017, ISO 27018:2019, ISO 42001


Quick Summary

Has a formal mobile device management (MDM) program

Annual third-party penetration testing

Has a disaster recovery plan

Subprocessors list available

Has cyber insurance

Deletes customer data on request

Has an API available

Uses a centralized IAM solution (SSO) to manage employee access


Documents & Knowledge Base FAQs


Featured Documents


Subprocessors
3

Subprocessor
Location of Processing
Usage Details
AWS

AWS

United States, Germany, Australia, Japan
Infrastructure Hosting Note: Subprocessor location is dependent on your specific deployment selection.
Google Cloud

Google Cloud

United States, United Kingdom
Infrastructure Hosting Note: Subprocessor location is dependent on your specific deployment selection.
Microsoft Azure

Microsoft Azure

Ireland, United States
Infrastructure Hosting Note: Subprocessor location is dependent on your specific deployment selection.
Last updated . .
View as:

Trusted by

Nasdaq
HubSpot
JetBlue
SafetyCulture
McDonald's
Siemens
Powered by Conveyor, the first end-to-end customer trust platform.
Learn more