Security and Compliance

Is the CARTO Platform SOC 2 Type II-certified?

Yes. As part of its SOC 2 Type II certification, CARTO undergoes annual auditing of its system and organization controls, performed by an independent, third-party certified auditor.

CARTO’s latest SOC 2 Type II report is available upon request for customers and prospects. Please note that prospects must have signed an NDA (Non-disclosure agreement) with CARTO before receiving the SOC 2 Type II report.

Visit to request the latest report.

Does it comply with GDPR, CCPA and other data privacy laws?

Yes. CARTO complies with GDPR, CCPA and other data privacy laws where applicable. You can read more about it in our

What are the password and login management controls in CARTO?

There are three ways for users to access their CARTO accounts:

• Single Sign-On (SSO): In this case, your organization will define the password requirements and will leverage all security policies such as rotation, MFA, etc.

• Sign in with Google: The password requirements and policies are defined in your Google account preferences, which may be managed by your organization.

• Username/Password: CARTO uses Auth0 to securely process the data and enforces sufficient length and complexity standards.

When we create a connection to CARTO, does it make any copies of our data?

CARTO is cloud-native by design, and we have no need to replicate your data — never. Maps, Workflows, and Applications built with CARTO will launch queries against live data in your own data warehouse (BigQuery, Snowflake, Redshift, Databricks, PostgreSQL, etc) and the result of these queries is not stored for further uses, with the exception of a temporal cache layer for performance and cost optimization, that is encrypted and distributed securely. This applies to all kinds of deployments.

How does CARTO manage our data?

To understand how CARTO processes your data we first need to describe the three categories of data that CARTO processes:

• Connected Data: This is the data in your data warehouse (BigQuery, Snowflake, Redshift, Databricks, PostgreSQL, etc) that you'll be using in CARTO. As seen above, CARTO does not make any copies of your data. This data is encrypted in transit, and the credentials are never exposed in the frontend.

• User-generated Content: These are the map details, workflows, credentials and configurations created by the users in a CARTO organization. User-generated Content is managed by CARTO. We carry out daily backups and encryption, except for self-hosted deployments. It is encrypted at rest and in transit.

• Personal Data: This is the additional data needed by the platform to identify and provide service to the user such as settings, contact information, name, etc; User Data is managed by CARTO. We carry out daily backups and encryption, except for self-hosted deployments. It is encrypted at rest and in transit.

Where is my data stored?

• Connected Data: Stored in your connected cloud data warehouse, including the result of all analysis done in CARTO.

How does CARTO manage security when a map, workflow or an application are shared?

CARTO provides several controls to make sure viewers and editors don't gain unauthorized access to the underlying data of a map, workflow or application.

• Editors can create connections to their data by providing credentials that are stored, encrypted, and never exposed in the browser in any case. These connections can then be shared with all editors in the organization (or with specific groups).
• Maps, workflows and applications relying on a connection will stop working as soon as the credentials used are revoked.

• Maps, workflows, and applications can be shared with all users within an organization (including viewers), or with specific groups, but this does not grant them access to the connection.