Secure data movement is critical. Airbyte has you covered, no matter the data type.

Navigating regulation around data movement is complex. Airbyte stays up-to-date on data laws globally, so no matter where your data is hosted, you can remain compliant with applicable security and privacy requirements.
Data movement, not data storage
We don’t persist any data that passes through our system.
Data is encrypted in transit and at rest.
User access management
We’ll soon support role-based access controls to ensure each user gets the right level of access.
View logs related to sync jobs.
Monitor your integrations to ensure error-free data movement.
We’ll soon support providers like Okta for configuring SAML single sign-on (SSO).


Airbyte has procedures and testing in place to ensure our service is accessible and operational when you need it. This includes network monitoring, business continuity and recovery procedures, incident response management and reliability SLAs.


We expect – as you do – that our services fulfill their purpose with completeness, accuracy, authorization and timeliness. Our quality assurance procedures, logging and alerting mechanisms, and change management controls help securely manage access and updates to our application.

Data confidentiality

Data is the most valuable business asset and must be carefully protected. Our processing is entirely automated and doesn’t require us to store or retain your data. We use industry-standard encryption protocols for data in transit and at rest, have employee access and user authentication controls, and employ network safeguards for the processing environment.

Data protection benefits of having the data plane hosted in your own VPC

Your data environment, your controls

Your data is already protected with all the security controls you designed to secure it; you can keep it there.

Regulatory compliance

Using your own data infrastructure triggers fewer compliance requirements than traditional ELT software.

Secure software

Airbyte’s operations adhere to industry security standards and are compliant with SOC2 and ISO 27001 – just like our fully hosted Airbyte Cloud solution.

Frequently Asked Questions

How does Airbyte Cloud comply with the GDPR?

Airbyte Cloud is designed to separate the processing of data from the use and storage of account information. This means that data processing can occur entirely in-region so that European consumer data never has to leave Europe.

Airbyte Cloud also adheres to the data protection principles embedded in the GDPR, including but not limited to data privacy reviews, data minimization, data subject rights, and industry standard security practices. 

Has Airbyte completed the self-certification process for Privacy Shield?

Privacy Shield was invalidated in July 2020 by the Court of Justice of the European Union before Airbyte began operations. A new framework is forthcoming, and Airbyte will comply with and certify as appropriate once it goes into effect. 

Is Airbyte compliant with HIPAA?

Airbyte has determined with the support of its outside counsel that it qualifies as an information conduit for the purpose of HIPAA. This designation, however, is not a formal process and there is no third-party opinion or legal document for Airbyte to share. 

The conduit exception is a HIPAA exclusion from the Omnibus Final Rule that applies to service providers that cannot be considered Business Associates because they do not have any way of accessing or storing electronic Protected Health Information (ePHI) during the performance of their service. Because a conduit is not a Business Associate, a Business Associate Agreement (BAA) is not required in order for a HIPAA-covered entity to use the conduit’s services. 

The Department of Health and Human Services states in its guidance on Business Associates that “the Privacy Rule does not require a covered entity to enter into business associate contracts with organizations, such as the US Postal Service, certain private couriers and their electronic equivalents that act merely as conduits for protected health information. A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. Since no disclosure is intended by the covered entity, and the probability of exposure of any particular protected health information to a conduit is very small, a conduit is not a business associate of the covered entity.”

Is an ISO 27001 certification or SOC2 Type II report available?

Yes, these documents are available through our Trust Report. You can request access to our Trust Report here.

Can Airbyte’s software anonymize data during processing?

Airbyte is currently developing a data-masking feature to be released early this year. Until then, we offer custom code to support data hashing prior to using some Airbyte connectors to move data. To learn more about this custom code, visit our blog post here. We also offer the ability to select certain fields within a dataset for removal or suppression prior to moving data; this can be done within the Airbyte Cloud dashboard. 

Industry Memberships

Airbyte is an active member of industry organizations for data privacy, open source communities, and open source security standards.