
When security controls fail, the consequences aren’t just technical—they’re financial, legal, and reputational. A single database misconfiguration cost one company $10 million in fines. TiDB Cloud prevents these risks, offering enterprise-grade security without unnecessary complexity.
In this post, we’ll explore how TiDB Cloud protects your data, compare the security features of its Serverless and Dedicated tiers, and explain when a self-managed TiDB deployment might be the best fit.
How TiDB Cloud Keeps Your Data Safe Without Extra Complexity
Five core principles define security in TiDB Cloud:
- Strict Access Control – Limits database access to only authorized users, reducing security risks from excessive permissions.
- Network Security – Blocks unauthorized connections and isolates workloads to prevent external threats.
- Data Encryption – Ensures sensitive data is always encrypted, both at rest and in transit, making it unreadable to unauthorized users.
- Auditing & Monitoring – Tracks all access attempts, changes, and unusual activity, allowing quick detection of potential security issues.
- Industry Compliance – Meets regulatory standards like SOC 2, ISO 27001, GDPR, and HIPAA, simplifying audits and legal compliance.
Let’s break it down.
TiDB Cloud’s Security Model: Keeping Customer Data Private and Protected
At PingCAP, protecting customer data is fundamental. TiDB Cloud is designed so that PingCAP does not access customer data, except when explicitly authorized by the customer for troubleshooting under a support request. Our security framework ensures that customers retain full control over their environments while meeting industry security and compliance standards:
- Access Governance & Auditing – All administrative actions on TiDB Cloud infrastructure are logged, monitored, and reviewed to ensure compliance with security policies. Audit logs can also be forwarded to Security Information and Event Management (SIEM) tools like Splunk or Datadog for real-time monitoring.
- Regulatory Compliance – TiDB Cloud meets SOC 2 Type II, ISO 27001, GDPR, and HIPAA standards, ensuring alignment with global data protection requirements.
- Encryption & Data Isolation – Customer data is encrypted in transit and at rest. TiDB Cloud Dedicated also supports Customer-Managed Encryption Keys (CMEK), allowing organizations to maintain full control over their encryption keys via AWS KMS.
- Role-Based Access Control (RBAC) & Network Security – Customers define Identity and Access Management (IAM) roles, access policies, and network configurations, ensuring that only authorized users and systems can access their data. TiDB Cloud also supports VPC Peering, Private Endpoints, and IP Access Lists to isolate database traffic from the public internet.
- Data Retention & Incident Response – TiDB Cloud enforces strict data retention policies and follows an established security incident response process to quickly identify, contain, and mitigate potential threats.
By combining strong encryption, regulatory compliance, network security, and transparent access controls, TiDB Cloud ensures that customer data remains private, secure, and under customer control at all times.
Who Gets In? Locking Down Access with IAM and Database Security
Too many people with too much access is one of the most common security risks. TiDB Cloud minimizes this risk by following role-based access control (RBAC), ensuring users have only the permissions they need.
How TiDB Cloud Manages Access
- Single Sign-On (SSO) – Simplifies authentication by allowing employees to log in using Google, GitHub, or Microsoft credentials.
- Granular Role-Based Access Control (RBAC) – Assigns users the minimum necessary permissions to prevent unauthorized actions.
- Hierarchical IAM Roles – TiDB Cloud structures access at two levels:
  - Organization-Level Access – Owners and admins can manage global settings, billing, and project creation.
  - Project-Level Access – Users can be assigned project-specific roles, restricting them to certain clusters without exposing the entire environment.
Database-Level Security: Authentication and Authorization
Beyond IAM, each TiDB cluster has its own internal security controls, ensuring that even if someone gains access to the TiDB Cloud Console, they still need valid database credentials to interact with the data.
- User Authentication – TiDB uses MySQL-compatible authentication, allowing businesses to:
  - Create database users with strong password policies.
  - Enable TLS-based authentication for additional security.
  - Support external authentication mechanisms like LDAP.
- Fine-Grained Authorization Controls – TiDB supports role-based privilege management within each database:
  - Restrict access to specific tables, schemas, or query types.
  - Assign read-only, write, or administrative privileges to users based on job roles.
- Database Auditing – In TiDB Cloud Dedicated, businesses can track user logins, queries, and schema modifications for compliance.
  - Audit logs capture who accessed what data and when, helping prevent unauthorized data exfiltration.
  - Logs can be forwarded to SIEM tools for real-time security alerting.
Why This Matters
A financial services company using TiDB Cloud Dedicated strengthens database security by:
- Enforcing strong password policies for database users.
- Limiting developer access to only specific datasets instead of full database privileges.
- Configuring database audit logging to monitor every query accessing customer credit card data.
- Using SIEM integration to detect unusual access patterns and potential insider threats.
By implementing IAM-based access control at the cloud level and fine-grained security inside the database, TiDB Cloud ensures that even privileged users cannot access sensitive data unless explicitly permitted.
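As an added example (not from the post or from PingCAP), this is what the database-level controls above look like in TiDB's MySQL-compatible SQL: a TLS-only developer account that can read a masked view but never the raw card data, and a separate application role with write access but no schema privileges. The schema `payments`, the table `card_transactions`, the view, and the role and account names are constructed for illustration.

```sql
-- Added example: least-privilege provisioning in TiDB's MySQL-compatible SQL.
-- All schema, role and account names are constructed; replace the placeholder password.

-- 1. Keep the sensitive columns out of reach entirely: expose a view that omits
--    the card number, and grant read access on the view rather than the table.
CREATE VIEW payments.card_transactions_masked AS
    SELECT txn_id, merchant_id, amount, created_at
    FROM payments.card_transactions;

CREATE ROLE 'analyst_ro';
GRANT SELECT ON payments.card_transactions_masked TO 'analyst_ro';

-- 2. A developer account that must present TLS to connect and only holds that role.
--    REQUIRE SSL rejects plaintext connections at authentication time.
CREATE USER 'dev_alice'@'%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD' REQUIRE SSL;
GRANT 'analyst_ro' TO 'dev_alice'@'%';
SET DEFAULT ROLE ALL TO 'dev_alice'@'%';

-- Password rotation policy (requires TiDB v6.5 or later).
ALTER USER 'dev_alice'@'%' PASSWORD EXPIRE INTERVAL 90 DAY;

-- 3. The application service account: read and write rows in the payments
--    schema, but no DDL (no ALTER/DROP) and nothing outside that schema.
CREATE ROLE 'app_rw';
GRANT SELECT, INSERT, UPDATE ON payments.* TO 'app_rw';
CREATE USER 'svc_payments'@'%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD' REQUIRE SSL;
GRANT 'app_rw' TO 'svc_payments'@'%';
SET DEFAULT ROLE ALL TO 'svc_payments'@'%';

-- 4. Verify the effective privileges before handing out credentials.
--    The developer's grants should list only the view, never card_transactions.
SHOW GRANTS FOR 'dev_alice'@'%' USING 'analyst_ro';
SHOW GRANTS FOR 'svc_payments'@'%' USING 'app_rw';
```

Run the `SHOW GRANTS` statements again after any later `GRANT`, since a direct grant on `payments.card_transactions` would silently widen what the view was meant to restrict.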
Stopping Cyber Threats Before They Reach Your Database
A database exposed to the Internet is an open invitation for cyberattacks. TiDB Cloud provides multiple layers of protection to ensure only authorized connections can reach your database.
How TiDB Cloud Blocks Unauthorized Access
- End-to-End Encryption – All data in transit is protected using TLS 1.2/1.3, preventing eavesdropping or data interception.
- Private Endpoints – Ensures that database traffic never leaves your cloud provider’s internal network, using AWS PrivateLink or Google Cloud Private Service Connect.
- IP Access Lists – Restricts database connections to approved IP addresses only, rejecting connection attempts from anywhere else.
- VPC Peering (Dedicated Only) – Directly connects your database to your private cloud, eliminating public internet exposure.
How This Works in Practice
A healthcare startup managing patient records needs to comply with HIPAA regulations.
- They configure private endpoints, ensuring only their internal application servers can communicate with the database.
- This setup blocks external threats while simplifying regulatory compliance.
Encryption: Your Last Line of Defense
Even the strongest access controls can be bypassed, so the data itself must be encrypted. TiDB Cloud ensures that even if attackers gain access to raw storage, they won’t be able to read your data.
How TiDB Cloud Locks Down Your Data
- Encryption at Rest – All stored data is automatically encrypted, ensuring that physical or virtual disk access doesn’t expose sensitive information.
- Encryption in Transit – Every database connection is secured using TLS 1.2/1.3, preventing eavesdropping or tampering.
- Bring Your Own Keys (CMEK) – Dedicated Only – Some industries require full control over encryption keys. TiDB Cloud Dedicated allows customers to manage their own keys using AWS KMS or Google Cloud KMS, ensuring that only authorized users can decrypt data.
Why This Matters
A global e-commerce company operating across multiple countries uses CMEK to manage encryption keys internally.
- This ensures that if a legal issue requires access revocation, their cloud provider cannot decrypt the data on their behalf.
- It also meets regulatory requirements in regions with strict data sovereignty laws.
Catching Security Risks Before They Become Disasters
Security isn’t just about blocking attacks—it’s also about spotting unusual activity before it escalates. TiDB Cloud provides detailed audit logging, allowing organizations to track changes and detect anomalies in real time.
How TiDB Cloud Monitors Activity
- Cloud Console Logs – Tracks cluster changes, user role updates, and API actions, providing visibility into who is making changes to your environment.
- Database Audit Logs (Dedicated Only) – Captures queries, logins, and schema modifications for deeper security monitoring at the database level.
- Log Redaction – To prevent accidental leakage of sensitive information, TiDB Cloud supports log redaction. This ensures that personally identifiable information (PII) and sensitive data are not written to system logs, preserving customer data privacy during monitoring and debugging.
- Integration with SIEM Tools – Audit logs are delivered to a customer-managed S3 bucket by default. From there, organizations can integrate with their preferred SIEM or log analysis tools, such as Datadog or Splunk, using standard data ingestion pipelines.
Why This Matters
A financial services firm handling sensitive credit card data configures audit logs to:
- Log every query accessing sensitive financial records.
- Trigger alerts if an unusual query pattern or unexpected login attempt occurs.
- Investigate potential fraud attempts in real time before damage occurs.
By using detailed audit logs, organizations can identify suspicious activity early and act before a breach happens.
Compliance Made Easy: Meeting SOC 2, GDPR, HIPAA, and More
Security is critical, but compliance is often a legal requirement. TiDB Cloud meets major industry standards, helping businesses achieve regulatory compliance without additional overhead.
| Compliance Standard | What It Ensures | Who Needs It |
|---|---|---|
| SOC 2 Type II | Protects against unauthorized access and ensures operational security | SaaS companies handling customer data |
| ISO 27001 / 27701 | Provides a framework for security and privacy management | Global businesses needing a certified security program |
| GDPR & CCPA | Ensures personal data privacy and user control over information | Any company handling European (GDPR) or California (CCPA) user data |
| HIPAA | Secures healthcare data to protect patient privacy | Healthcare providers, insurers, and vendors handling medical records |
| PCI-DSS | Safeguards payment card information and transactions | E-commerce companies, payment processors, and financial services |
Why This Matters
A B2B SaaS platform handling European user data needs to comply with GDPR regulations.
- Instead of building compliance from scratch, they leverage TiDB Cloud’s ISO 27701 certification as proof of secure data handling.
- This saves time and resources, ensuring compliance without additional security infrastructure.
By choosing a database that meets these standards, companies reduce compliance risk and simplify audits.
Serverless vs. Dedicated: Which TiDB Cloud Option is More Secure?
TiDB Cloud offers two deployment options, each with different security features. The right choice depends on your workload, compliance requirements, and security needs.
| Feature | Serverless | Dedicated | Why It Matters |
|---|---|---|---|
| Tenant Isolation | Shared infrastructure | Single-tenant | Dedicated provides stronger isolation, reducing risk in multi-tenant environments. |
| Private Endpoints | Supported | Supported | Both options prevent data from traversing the public internet. |
| IP Access Lists | Supported | Supported | Both options allow businesses to restrict database access to specific IPs, adding an extra layer of security. |
| VPC Peering | Not available | Supported | Dedicated clusters can connect directly to a private cloud, eliminating public exposure. |
| Database Audit Logging | Not available | Supported | Audit logs help track unauthorized access attempts and changes. |
| Encryption at Rest | Supported | Supported | Ensures data is unreadable if physical storage is compromised. |
| Custom Encryption Keys for Encryption at Rest | Not available | Supported | Organizations that require full control over encryption keys need a Dedicated cluster. |
| RBAC and IAM | Supported | Supported | Enforces least-privilege access across the organization and within projects. |
Which TiDB Cloud Option is Right for You?
Choose TiDB Cloud Serverless if you need a flexible, low-maintenance database for:
- Development, prototyping, or testing environments.
- Non-sensitive workloads that don’t require advanced compliance or custom security controls.
- Teams looking for automatic scaling with strong default security (encryption in transit/at rest, IAM, RBAC, IP allowlists).
Choose TiDB Cloud Dedicated when your application requires:
- Stronger workload and network isolation through single-tenancy and VPC peering.
- Advanced security features like audit logging and bring-your-own-encryption keys (CMEK).
- Compliance with regulatory frameworks like HIPAA, ISO 27001, or GDPR.
- Granular security observability and integration with SIEM tools.
- Full control over user access, roles, and infrastructure-level identity management.
These options aren’t mutually exclusive—many teams start with Serverless and migrate to Dedicated as their security, compliance, and customer needs grow.
Real-World Example
A tech startup developing a new SaaS product chooses Serverless for rapid prototyping and testing.
- They benefit from automatic scaling and minimal operational overhead while building out their application.
As they expand to enterprise customers, they migrate to Dedicated, allowing them to:
- Enforce strict network security with VPC Peering and IP Access Lists.
- Enable database audit logging to track access and comply with security requirements.
- Use custom encryption keys (CMEK) to maintain full control over sensitive customer data.
This transition ensures compliance and enhanced security without disrupting their growth.
When Self-Managed TiDB is Your Best Bet
For some businesses, even a secure cloud environment isn’t enough. Running TiDB on-premises or in a self-managed cloud is necessary when organizations require full control over security, compliance, and infrastructure.
Why Companies Choose Self-Managed TiDB
- Regulatory Compliance – Some sectors, such as government agencies and financial institutions, have strict policies that prohibit storing data on any public cloud, regardless of encryption or certifications.
- Custom Security Integrations – Businesses that require custom authentication methods (e.g., LDAP, Kerberos) or hardware security modules (HSMs) often need direct control over their database environment.
- On-Premises Data Sovereignty – Organizations conducting classified research or working with highly sensitive intellectual property need to store and process data within specific geographic regions.
Real-World Example
A defense contractor working with classified information chooses to deploy self-managed TiDB in a private data center.
- This setup ensures that data never leaves their controlled environment, meeting strict government regulations.
- It allows them to integrate with specialized security infrastructure, such as air-gapped networks and government-certified encryption modules.
By running TiDB on dedicated, private infrastructure, organizations can maintain complete control over security, compliance, and data governance.
Choosing the Right Security Strategy for Your Database
TiDB Cloud delivers enterprise-grade security without unnecessary complexity. The right deployment model depends on your security, compliance, and operational needs:
- TiDB Cloud Serverless – Ideal for development, testing, and non-sensitive workloads, offering automatic scaling with minimal configuration.
- TiDB Cloud Dedicated – The best choice for compliance-driven industries, providing advanced security features, private networking, and encryption control.
- TiDB Self-Managed – Required when complete infrastructure control is necessary, such as for government agencies, highly regulated industries, or air-gapped environments.
What’s Next?
- Looking for a detailed security assessment? Contact our team for a security consultation tailored to your compliance needs.
- Want to see TiDB Cloud’s compliance certifications? Request our latest SOC 2, ISO 27001, or HIPAA compliance reports today.
- Ready to test TiDB Cloud’s security features? Sign up for a free trial and start building with confidence.
By making security a priority from day one, organizations can protect their data, simplify compliance, and reduce risk without compromising performance.