This page describes Pinecone’s security protocols, practices, and features.

Access management

API keys

Each Pinecone project has one or more API keys. In order to make calls to the Pinecone API, a user must provide a valid API key for the relevant Pinecone project.

You can manage API key permissions in the Pinecone console. The available permission roles are as follows:

The ability to set API key permissions is in public preview.

General permissions

RolePermissions
AllPermissions to read and write all project data.

Control plane permissions

RolePermissions
ReadWritePermissions to list, describe, create, delete, and configure indexes, backups, collections, and assistants.
ReadOnlyPermissions to list and describe indexes, backups, collections, and assistants.
NoneNo control plane permissions.

Data plane permissions

For pod-based indexes, the data plane is limited to ReadWrite.

RolePermissions
ReadWrite
  • Indexes: Permissions to query, import, fetch, add, update, and delete index data.
  • Pinecone Assistant: Permissions to add, list, view, and delete files; chat with an assistant, and evaluate responses.
  • Pinecone Inference: Permissions to generate embeddings and rerank documents.
ReadOnly
  • Indexes: Permissions to query, fetch, list ID, and view stats.
  • Pinecone Assistant: Permissions to list and view files, chat with an assistant, and evaluate responses.
NoneNo data plane permissions.

Organization single sign-on (SSO)

SSO allows organizations to manage their teams’ access to Pinecone through their identity management solution. Once your integration is configured, you can require that users from your domain sign in through SSO, and you can specify a default role for teammates when they sign up. Only organizations in the Enterprise dedicated tier can set up SSO.

For more information, see configure single sign on.

Role-based access controls (RBAC)

Each Pinecone organization can assign users roles with respect to the organization and projects within the organization. These roles determine what permissions users have to make changes to the organization’s billing, projects, and other users.

For more information, see organization roles.

Compliance

To learn more about data privacy and compliance at Pinecone, visit the Pinecone Trust and Security Center.

Data protection

Encryption at rest

Pinecone encrypts stored data using the 256-bit Advanced Encryption Standard (AES-256) encryption algorithm.

Encryption in transit

Pinecone uses standard protocols to encrypt user data in transit. Clients open HTTPS or gRPC connections to the Pinecone API; the Pinecone API gateway uses gRPC connections to user deployments in the cloud. These HTTPS and gRPC connections use the TLS 1.2 protocol with 256-bit Advanced Encryption Standard (AES-256) encryption.

Traffic is also encrypted in transit between the Pinecone backend and cloud infrastructure services, such as S3 and GCS. For more information, see Google Cloud Platform and AWS security documentation.

Network security

Proxies

The following Pinecone SDKs support the use of proxies:

Was this page helpful?

Set up billing through GCP MarketplaceConfigure SSO with Okta