Security and Compliance
Yes. As part of its SOC 2 Type II certification, CARTO undergoes annual auditing of its system and organization controls, performed by an independent, third-party certified auditor.
CARTO’s latest SOC 2 Type II report is available upon request for customers and prospects. Please note that prospects must have signed an NDA (Non-disclosure agreement) with CARTO before receiving the SOC 2 Type II report.
Visit to request the latest report.
Yes. CARTO complies with GDPR, CCPA and other data privacy laws where applicable. You can read more about it in our
There are three ways for users to access their CARTO accounts:
Single Sign-On (SSO): In this case, your organization will define the password requirements and will leverage all security policies such as rotation, MFA, etc.
Sign in with Google: The password requirements and policies are defined in your Google account preferences, which may be managed by your organization.
Username/Password: CARTO uses Auth0 to securely process the data and enforces sufficient length and complexity standards.
CARTO is cloud-native by design, and we have no need to replicate your data — never. Maps, Workflows, and Applications built with CARTO launch queries against live data in your own data warehouse (BigQuery, Snowflake, Redshift, Databricks, PostgreSQL, etc.), and the results of these queries are not stored for further use, with the exception of a temporary cache layer for performance and cost optimization, which is encrypted and distributed securely. This applies to all kinds of deployments.
To understand how CARTO processes your data we first need to describe the three categories of data that CARTO processes:
Connected Data: This is the data in your data warehouse (BigQuery, Snowflake, Redshift, Databricks, PostgreSQL, etc) that you'll be using in CARTO. As seen above, CARTO does not make any copies of your data. This data is encrypted in transit, and the credentials are never exposed in the frontend.
User-generated Content: These are the map details, workflows, credentials and configurations created by the users in a CARTO organization. User-generated Content is managed by CARTO. We carry out daily backups and encryption, except for self-hosted deployments. It is encrypted at rest and in transit.
Personal Data: This is the additional data needed by the platform to identify and provide service to the user, such as settings, contact information, name, etc. Personal Data is managed by CARTO. We carry out daily backups and encryption, except for self-hosted deployments. It is encrypted at rest and in transit.
Connected Data: Stored in your connected cloud data warehouse, including the result of all analysis done in CARTO.
CARTO provides several controls to make sure viewers and editors don't gain unauthorized access to the underlying data of a map, workflow or application.
Editors can create connections to their data by providing credentials that are stored encrypted and are never exposed in the browser. These connections can then be shared with all editors in the organization (or with specific groups).
Maps, workflows and applications relying on a connection will stop working as soon as the credentials used are revoked.
Maps, workflows, and applications can be shared with all users within an organization (including viewers), or with specific groups, but this does not grant them access to the connection.
If you're looking for password rotation, expiration or history controls we recommend you integrate , so that you can set up and leverage your existing company policies.
No, CARTO does not make any copies of the data available through your .
If you are using the , then it will be stored in the .
User-generated Content: This data is stored in the for SaaS deployments. For Self-Hosted deployments this is stored in your Self-Hosted resources.
Personal Data: Personal user data is stored securely in a server in the United States, on the Google Cloud Platform. You can read more about it in our
Editors can also for added security.
Published maps for additional security.