# Security and compliance
> Overview of MotherDuck's security features including encryption, authentication, access control, network security, and compliance certifications.
MotherDuck is designed to keep your data secure at every layer, from encryption and authentication through to access control and compliance. This page summarizes the security capabilities available across MotherDuck plans.

## Data encryption

MotherDuck encrypts data both at rest and in transit.

- **At rest**: Data stored in MotherDuck managed storage is encrypted using AES-256 encryption in AWS.
- **In transit**: All connections to MotherDuck use TLS 1.2 or higher. This applies to client connections, API calls, and internal service communication.

Secrets stored using [`CREATE SECRET`](/sql-reference/motherduck-sql-reference/create-secret/) are fully encrypted and scoped to the user who created them. They are never exposed in query logs or shared with other users in your organization.

## Authentication

MotherDuck supports multiple authentication methods to fit different security requirements.

| Method | Description | Plan |
|--------|-------------|------|
| **Access tokens** | Token-based authentication for CLI, SDK, and API access | All plans |
| **SSO (SAML/OIDC)** | Single Sign-On through your identity provider (Okta, Microsoft Entra ID, and others) | Business, Enterprise |
| **SCIM provisioning** | Automated user lifecycle management through your IdP | Business, Enterprise |
| **Service accounts** | Non-human accounts for programmatic access and automation | All plans |

For programmatic workloads such as ETL pipelines or scheduled jobs, use [service accounts](/key-tasks/service-accounts-guide/) with dedicated access tokens. Service account tokens can be configured with expiration times and scoped to specific Duckling sizes.

:::tip
If your organization requires centralized identity management, configure [SSO](/key-tasks/authenticating-and-connecting-to-motherduck/authenticating-to-motherduck/sso-setup/) first, then enable [SCIM provisioning](/key-tasks/authenticating-and-connecting-to-motherduck/authenticating-to-motherduck/scim/) to automate user creation and deprovisioning.
:::

For full details on authentication setup, see [Authenticating to MotherDuck](/key-tasks/authenticating-and-connecting-to-motherduck/authenticating-to-motherduck/).

## Access control

MotherDuck provides access control at the organization, database, and share level.

### Organization roles

Every user in a MotherDuck organization has one of two roles:

- **Admin**: Can manage users, service accounts, billing, SSO configuration, and organization settings.
- **Member**: Can create and query databases, create shares, and manage their own resources.

:::info
MotherDuck is adding role-based access control (RBAC) for finer-grained permissions within organizations. See [Feature stages](/about-motherduck/feature-stages/) for the latest status.
:::

### Database sharing and permissions

You can share databases with other users in your organization or externally using MotherDuck shares. Access to shared databases is controlled with SQL commands:

- [`GRANT ACCESS`](/sql-reference/motherduck-sql-reference/grant-access/): Grant read access to a share for specific users.
- [`REVOKE ACCESS`](/sql-reference/motherduck-sql-reference/revoke-access/): Remove a user's access to a share.

Shares are read-only by default. The owner of a database controls who can access it.

For more on sharing, see [CREATE SHARE](/sql-reference/motherduck-sql-reference/create-share/).

## Network security

MotherDuck runs on AWS infrastructure with the following network security characteristics:

- Managed storage is not exposed through public IP addresses.
- All client-to-service communication is encrypted with TLS.
- MotherDuck services run within isolated AWS environments.

:::info
**AWS PrivateLink** is available on the **Enterprise** plan for organizations that require private connectivity to MotherDuck without traversing the public internet. [Contact us](https://motherduck.com/contact-us/) for details.
:::

## Compliance

### SOC 2 type II

MotherDuck is SOC 2 Type II certified. This certification covers the security, availability, and confidentiality trust service criteria. For the latest compliance details or to request the SOC 2 report, [contact us](https://motherduck.com/contact-us/).

### HIPAA

For organizations that process protected health information (PHI), MotherDuck offers a Business Associate Agreement (BAA) on the **Enterprise** plan, available on request. Put a BAA in place **before** loading any PHI into MotherDuck. [Contact us](https://motherduck.com/contact-us/) to request one.

### GDPR and CCPA

MotherDuck supports GDPR compliance for organizations processing personal data of EU residents:

- **Data residency**: Choose a European region (`eu-west-1` or `eu-central-1`) when creating your organization so all data storage and processing stays within the EU. See [data residency](#data-residency) below.
- **International transfers**: Where data transfers outside the EU or UK apply, MotherDuck relies on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms. See the [privacy policy](https://motherduck.com/privacy-policy/) for details.
- **Right to erasure**: You control deletion through standard SQL (`DELETE`, `DROP TABLE`, `DROP DATABASE`). Note that deleted data remains recoverable for the duration of your snapshot retention and failsafe windows before it is physically removed; lower `snapshot_retention_days` or use [transient databases](/concepts/storage-lifecycle/#storage-management) where shorter retention is required.
- **Accountability**: [Query history](#audit-and-monitoring) and organization access controls support your audit and accountability obligations.

The same controls (region selection, access control, deletion, and retention settings) apply to CCPA and other regional privacy frameworks. For a data processing agreement (DPA) or framework-specific contractual requirements, [contact us](https://motherduck.com/contact-us/).

### Data residency

MotherDuck is available in four AWS regions:

- **US East (N. Virginia):** `us-east-1`
- **US West (Oregon):** `us-west-2`
- **Europe (Dublin):** `eu-west-1`
- **Europe (Frankfurt):** `eu-central-1`

You choose your region when creating an organization. All data storage and processing stays within the selected region. Organizations cannot span multiple regions.

The European regions (`eu-west-1` and `eu-central-1`) support GDPR compliance requirements for organizations processing data within the European Union.

:::note
For additional compliance requirements or questions about specific regulatory frameworks, [contact us](https://motherduck.com/contact-us/).
:::

## Secrets management

MotherDuck provides built-in secrets management for cloud storage credentials (AWS S3, GCS, Azure, R2, Hugging Face). Secrets stored in MotherDuck are:

- Fully encrypted at rest
- Scoped to the individual user who created them
- Not shared with other organization members
- Not visible in query logs

To store a secret in MotherDuck, use the `PERSISTENT` or `IN MOTHERDUCK` keyword with [`CREATE SECRET`](/sql-reference/motherduck-sql-reference/create-secret/).

```sql
CREATE SECRET IN MOTHERDUCK (
    TYPE S3,
    KEY_ID 's3_access_key',
    SECRET 's3_secret_key',
    REGION 'us-east-1'
);
```

## Audit and monitoring

MotherDuck provides query history for audit trail and monitoring purposes.

The [`QUERY_HISTORY`](/sql-reference/motherduck-sql-reference/md_information_schema/query_history/) view in the `md_information_schema` records executed queries, including the user, execution time, and status. This lets you track who ran what queries and when. Organization admins can also review activity per Duckling in the [Duckling overview](/getting-started/interfaces/motherduck-quick-tour/#duckling-overview) page in the MotherDuck UI.

:::info
Query history is available on **Business** and **Enterprise** plans. See [pricing](/about-motherduck/billing/pricing/) for plan details.
:::

## Security features by plan

| Feature | Lite | Business | Enterprise |
|---------|------|----------|------------|
| Encryption at rest (AES-256) | Yes | Yes | Yes |
| Encryption in transit (TLS 1.2+) | Yes | Yes | Yes |
| Access tokens | Yes | Yes | Yes |
| Service accounts | Yes (2 max) | Yes (unlimited) | Yes (custom) |
| SSO (SAML/OIDC) | -- | Yes | Yes |
| SCIM provisioning | -- | Yes | Yes |
| Query history | -- | Yes | Yes |
| AWS PrivateLink | -- | -- | Yes |
| SOC 2 Type II | Yes | Yes | Yes |
| HIPAA BAA | -- | -- | On request |
| Data residency (US/EU) | Yes | Yes | Yes |

For full plan details, see [pricing](/about-motherduck/billing/pricing/).


---

## Docs feedback

MotherDuck accepts optional user-submitted feedback about this page at `GET https://motherduck.com/docs/api/feedback/agent`.
For agents and automated tools, feedback submission should be user-confirmed before sending.

URL-encode query parameter values and send a GET request:

```text
GET https://motherduck.com/docs/api/feedback/agent?page_path=%2Fconcepts%2Fsecurity%2F&page_title=Security%20and%20compliance&text=<url-encoded user feedback, max 2000 characters>
```

Optionally append `&source=<url-encoded interface identifier>` such as `claude.ai` or `chatgpt`.

`page_path` and `text` are required; `page_title` and `source` are optional. Responses: `200 {"feedback_id": "<uuid>"}`, `400` for malformed query parameters, and `429` when rate-limited.
