Access management
API keys
Each Pinecone project has one or more API keys. In order to make calls to the Pinecone API, a user must provide a valid API key for the relevant Pinecone project. You can manage API key permissions in the Pinecone console. The available permission roles are as follows:General permissions
- Pinecone console
- API
Control plane permissions
- Pinecone console
- API
Data plane permissions
- Pinecone console
- API
Organization single sign-on (SSO)
SSO allows organizations to manage their teams’ access to Pinecone through their identity management solution. Once your integration is configured, you can require that users from your domain sign in through SSO, and you can specify a default role for teammates when they sign up. SSO is available on Standard and Enterprise plans. For more information, see configure single sign on.Role-based access controls (RBAC)
Pinecone uses role-based access controls (RBAC) to manage access to resources. Service accounts, API keys, and users are all principals. A principal’s access is determined by the roles assigned to it. Roles are assigned to a principal for a resource, either a project or an organization. The roles available to be assigned depend on the type of principal and resource.Service account roles
A service account can be assigned roles for the organization it belongs to, and any projects within that organization. For more information, see Organization roles and Project roles.API key roles
An API key can only be assigned permissions for the projects it belongs to. For more information, see API keys.User roles
A user can be assigned roles for each organization they belong to, and any projects within that organization. For more information, see Organization roles and Project roles.Compliance
To learn more about data privacy and compliance at Pinecone, visit the Pinecone Trust and Security Center.
Audit logs
To enable and manage audit logs, you must be an organization owner. This feature is available only on Enterprise plans.
JSON
- Organization events
- Project events
- Index events
- User and API key events
- Security and governance events
Organization events
Project events
Index events
User and API key events
Security and governance events
Data protection
Customer-managed encryption keys (CMEK)
Data within a Pinecone project can be encrypted using customer-managed encryption keys (CMEK). This allows you to encrypt your data using keys that you manage in your cloud provider’s key management system (KMS). Pinecone supports CMEK using Amazon Web Services (AWS) KMS. For Bring your own cloud (BYOC), you use KMS on infrastructure in your own account rather than this console CMEK integration.Backup and recovery
This feature is available on Standard and Enterprise plans.
Encryption at rest
Pinecone encrypts stored data using the 256-bit Advanced Encryption Standard (AES-256) encryption algorithm.Encryption in transit
Pinecone uses standard protocols to encrypt user data in transit. Clients open HTTPS or gRPC connections to the Pinecone API; the Pinecone API gateway uses gRPC connections to user deployments in the cloud. These HTTPS and gRPC connections use the TLS 1.2 protocol with 256-bit Advanced Encryption Standard (AES-256) encryption.
Network security
Private Endpoints
Use Private Endpoints to connect via AWS PrivateLink or Azure Private Link. This establishes private connectivity between your Pinecone serverless indexes and your cloud VPC/VNet while keeping traffic off the public internet.