This page describes Pinecone’s security protocols, practices, and features.

Access management

API keys

Each Pinecone project has one or more API keys. In order to make calls to the Pinecone API, a user must provide a valid API key for the relevant Pinecone project. You can manage API key permissions in the Pinecone console. The available permission roles are as follows:

General permissions

RolePermissions
AllPermissions to read and write all project data.

Control plane permissions

RolePermissions
ReadWritePermissions to list, describe, create, delete, and configure indexes, backups, collections, and assistants.
ReadOnlyPermissions to list and describe indexes, backups, collections, and assistants.
NoneNo control plane permissions.

Data plane permissions

For pod-based indexes, the data plane is limited to ReadWrite.
RolePermissions
ReadWrite
  • Indexes: Permissions to query, import, fetch, add, update, and delete index data.
  • Pinecone Assistant: Permissions to add, list, view, and delete files; chat with an assistant, and evaluate responses.
  • Pinecone Inference: Permissions to generate embeddings and rerank documents.
ReadOnly
  • Indexes: Permissions to query, fetch, list ID, and view stats.
  • Pinecone Assistant: Permissions to list and view files, chat with an assistant, and evaluate responses.
NoneNo data plane permissions.

Organization single sign-on (SSO)

SSO allows organizations to manage their teams’ access to Pinecone through their identity management solution. Once your integration is configured, you can require that users from your domain sign in through SSO, and you can specify a default role for teammates when they sign up. Only organizations in the Enterprise dedicated tier can set up SSO. For more information, see configure single sign on.

Role-based access controls (RBAC)

Pinecone uses role-based access controls (RBAC) to manage access to resources. Service accounts, API keys, and users are all principals. A principal’s access is determined by the roles assigned to it. Roles are assigned to a principal for a resource, either a project or an organization. The roles available to be assigned depend on the type of principal and resource.

Service account roles

A service account can be assigned roles for the organization it belongs to, and any projects within that organization. For more information, see Organization roles and Project roles.

API key roles

An API key can only be assigned permissions for the projects it belongs to. For more information, see API keys.

User roles

A user can be assigned roles for each organization they belong to, and any projects within that organization. For more information, see Organization roles and Project roles.

Compliance

To learn more about data privacy and compliance at Pinecone, visit the Pinecone Trust and Security Center.

Audit logs

To enable and manage audit logs, you must be an organization owner. This feature is available only on Enterprise plans.
Audit logs provide a detailed record of user and API actions that occur within Pinecone. Events are captured every 30 minutes and each log batch will be saved into its own file as a JSON blob, keyed by the time of the log to be written. Only logs since the integration was created and enabled will be saved. Audit log events adhere to a standard JSON schema and include the following fields:
JSON
{
    "id": "00000000-0000-0000-0000-000000000000",
    "organization_id": "AA1bbbbCCdd2EEEe3FF",
    "organization_name": "example-org",
    "client": {
        "userAgent": "rawUserAgent"
    },
    "actor": {
        "principal_id": "00000000-0000-0000-0000-000000000000",
        "principal_name": "example@pinecone.io",
        "principal_type": "user", // user, api_key, service_account
        "display_name": "Example Person" // Only in case of user
    },
	"event": {
        "time": "2024-10-21T20:51:53.697Z",
        "action": "create",
        "resource_type": "index",
        "resource_id": "uuid",
        "resource_name": "docs-example",
        "outcome": {
            "result": "success",
            "reason": "", // Only displays for "result": "failure"
            "error_code": "", // Only displays for "result": "failure"
        },
        "parameters": { // Varies based on event
        }
	}
}
The following events are captured in the audit logs:

Organization events

ActionQuery parameters
Rename orgevent.action: update, event.resource_type: organization, event.resource_id: NEW_ORG_NAME
Delete orgevent.action: delete, event.resource_type: organization, event.resource_id: DELETED_ORG_NAME
Create org memberevent.action: create, event.resource_type: user, event.resource_id: [ARRAY_OF_USER_EMAILS]
Update org memberevent.action: update, event.resource_type: user, event.resource_id: { user: USER_EMAIL, role: NEW_ROLE }
Delete org memberevent.action: delete, event.resource_type: user, event.resource_id: USER_EMAIL

Project events

ActionQuery parameters
Create projectevent.action: create, event.resource_type: project, event.resouce_id: PROJ_NAME
Update projectevent.action: update, event.resource_type: project, event.resource_id: PROJECT_NAME
Delete projectevent.action: delete, event.resource_type: project, event.resource_id: PROJECT_NAME
Invite project memberevent.action: create, event.resource_type: user, event.resource_id: [ARRAY_OF_USER_EMAILS]
Update project member roleevent.action: update, event.resource_type: user, event.resource_id: { user: USER_EMAIL, role: NEW_ROLE }
Delete project memberevent.action: delete, event.resource_type: user, event.resource_id: { user: USER_EMAIL, project: PROJ_NAME }

Index events

ActionQuery parameters
Create indexevent.action: create, event.resource_type: index, event.resouce_id: INDEX_NAME
Update indexevent.action: update, event.resource_type: index, event.resource_id: INDEX_NAME
Delete indexevent.action: delete, event.resource_type: index, event.resource_id: INDEX_NAME
Create backupevent.action: create, event.resource_type: backup, event.resource_id: BACKUP_NAME
Delete backupevent.action: delete, event.resource_type: backup, event.resource_id: BACKUP_NAME

User and API key events

ActionQuery parameters
User loginevent.action: login, event.resource_type: user, event.resouce_id: USERNAME
Create API keyevent.action: create, event.resource_type: api-key, event.resource_id: API_KEY_ID
Delete API keyevent.action: delete, event.resource_type: api-key, event.resource_id: API_KEY_ID

Security and governance events

ActionQuery parameters
Create Private Endpointevent.action: create, event.resource_type: private-endpoints, event.resource_id: PRIVATE_ENDPOINT_ID
Delete Private Endpointevent.action: delete, event.resource_type: private-endpoints, event.resource_id: PRIVATE_ENDPOINT_ID

Data protection

Customer-managed encryption keys (CMEK)

This feature is in public preview.
Data within a Pinecone project can be encrypted using customer-managed encryption keys (CMEK). This allows you to encrypt your data using keys that you manage in your cloud provider’s key management system (KMS). Pinecone supports CMEK using Amazon Web Services (AWS) KMS.

Backup and recovery

This feature is in public preview and available only on Standard and Enterprise plans.
A backup or collection is a static copy of your index that only consumes storage. It is a non-queryable representation of a set of records. You can create a backup or collection of an index, and you can create a new index from a backup or collection. This allows you to restore the index with the same or different configurations. For more information, see Understanding backups and Understanding collections.

Encryption at rest

Pinecone encrypts stored data using the 256-bit Advanced Encryption Standard (AES-256) encryption algorithm.

Encryption in transit

Pinecone uses standard protocols to encrypt user data in transit. Clients open HTTPS or gRPC connections to the Pinecone API; the Pinecone API gateway uses gRPC connections to user deployments in the cloud. These HTTPS and gRPC connections use the TLS 1.2 protocol with 256-bit Advanced Encryption Standard (AES-256) encryption. Diagram showing encryption protocols for user data in transit Traffic is also encrypted in transit between the Pinecone backend and cloud infrastructure services, such as S3 and GCS. For more information, see Google Cloud Platform and AWS security documentation.

Network security

Use Private Endpoints to connect to Amazon Web Services (AWS) PrivateLink. This establishes private connectivity between your Pinecone serverless indexes and supported AWS services while keeping your VPC private from the public internet. PrivateLink diagram Private Endpoints are additive to other Pinecone security features: data is also encrypted in transit, encrypted at rest, and an API key is required to authenticate.

Proxies

The following Pinecone SDKs support the use of proxies: