Understanding security
This page describes Pinecone’s security protocols, practices, and features.
Access management
API keys
Each Pinecone project has one or more API keys. In order to make calls to the Pinecone API, a user must provide a valid API key for the relevant Pinecone project.
You can manage API key permissions in the Pinecone console. The available permission roles are as follows:
The ability to set API key permissions is in public preview.
General permissions
Role | Permissions |
---|---|
All | Permissions to read and write all project data. |
Control plane permissions
Role | Permissions |
---|---|
ReadWrite | Permissions to list, describe, create, delete, and configure indexes, backups, collections, and assistants. |
ReadOnly | Permissions to list and describe indexes, backups, collections, and assistants. |
None | No control plane permissions. |
Data plane permissions
For pod-based indexes, the data plane is limited to ReadWrite.
Role | Permissions |
---|---|
ReadWrite |
|
ReadOnly |
|
None | No data plane permissions. |
Organization single sign-on (SSO)
SSO allows organizations to manage their teams’ access to Pinecone through their identity management solution. Once your integration is configured, you can require that users from your domain sign in through SSO, and you can specify a default role for teammates when they sign up. Only organizations in the Enterprise dedicated tier can set up SSO.
For more information, see configure single sign on.
Role-based access controls (RBAC)
Each Pinecone organization can assign users roles with respect to the organization and projects within the organization. These roles determine what permissions users have to make changes to the organization’s billing, projects, and other users.
For more information, see organization roles.
Compliance
To learn more about data privacy and compliance at Pinecone, visit the Pinecone Trust and Security Center.
Audit logs
This feature is in early access. To request access, contact Support.
Audit logs provide a detailed record of user and API actions that occur within the Pinecone platform. Audit log events adhere to a standard JSON schema and include the following fields:
Events are captured within two hours of occurrance and are retained for 90 days. Audit logs are delivered on demand. The following events are captured in the audit logs:
- Organization events
- Project events
- Index events
- User and API key events
- Security and governance events
Organization events
Action | Query parameters |
---|---|
Rename org | event.action: update , event.resource_type: organization , event.resource_id: NEW_ORG_NAME |
Delete org | event.action: delete , event.resource_type: organization , event.resource_id: DELETED_ORG_NAME |
Create org member | event.action: create , event.resource_type: user , event.resource_id: [ARRAY_OF_USER_EMAILS] |
Update org member | event.action: update , event.resource_type: user , event.resource_id: { user: USER_EMAIL, role: NEW_ROLE } |
Delete org member | event.action: delete , event.resource_type: user , event.resource_id: USER_EMAIL |
Project events
Action | Query parameters |
---|---|
Create project | event.action: create , event.resource_type: project , event.resouce_id: PROJ_NAME |
Update project | event.action: update , event.resource_type: project , event.resource_id: PROJECT_NAME |
Delete project | event.action: delete , event.resource_type: project , event.resource_id: PROJECT_NAME |
Invite project member | event.action: create , event.resource_type: user , event.resource_id: [ARRAY_OF_USER_EMAILS] |
Update project member role | event.action: update , event.resource_type: user , event.resource_id: { user: USER_EMAIL, role: NEW_ROLE } |
Delete project member | event.action: delete , event.resource_type: user , event.resource_id: { user: USER_EMAIL, project: PROJ_NAME } |
Index events
Action | Query parameters |
---|---|
Create index | event.action: create , event.resource_type: index , event.resouce_id: INDEX_NAME |
Update index | event.action: update , event.resource_type: index , event.resource_id: INDEX_NAME |
Delete index | event.action: delete , event.resource_type: index , event.resource_id: INDEX_NAME |
Create backup | event.action: create , event.resource_type: backup , event.resource_id: BACKUP_NAME |
Delete backup | event.action: delete , event.resource_type: backup , event.resource_id: BACKUP_NAME |
User and API key events
Action | Query parameters |
---|---|
User login | event.action: login , event.resource_type: user , event.resouce_id: USERNAME |
Create API key | event.action: create , event.resource_type: api-key , event.resource_id: API_KEY_ID |
Delete API key | event.action: delete , event.resource_type: api-key , event.resource_id: API_KEY_ID |
Security and governance events
Action | Query parameters |
---|---|
Create Private Endpoint | event.action: create , event.resource_type: private-endpoints , event.resource_id: PRIVATE_ENDPOINT_ID |
Delete Private Endpoint | event.action: delete , event.resource_type: private-endpoints , event.resource_id: PRIVATE_ENDPOINT_ID |
Data protection
Customer-managed encryption keys (CMEK)
This feature is in public preview.
Data within a Pinecone project can be encrypted using customer-managed encryption keys (CMEK). This allows you to encrypt your data using keys that you manage in your cloud provider’s key management system (KMS). Pinecone supports CMEK using Amazon Web Services (AWS) KMS.
Backup and recovery
Serverless index backups are in public preview and available only on Standard and Enterprise plans.
A backup or collection is a static copy of your index that only consumes storage. It is a non-queryable representation of a set of records. You can create a backup or collection of an index, and you can create a new index from a backup or collection. This allows you to restore the index with the same or different configurations.
For more information, see Understanding backups and collections.
Encryption at rest
Pinecone encrypts stored data using the 256-bit Advanced Encryption Standard (AES-256) encryption algorithm.
Encryption in transit
Pinecone uses standard protocols to encrypt user data in transit. Clients open HTTPS or gRPC connections to the Pinecone API; the Pinecone API gateway uses gRPC connections to user deployments in the cloud. These HTTPS and gRPC connections use the TLS 1.2 protocol with 256-bit Advanced Encryption Standard (AES-256) encryption.
Traffic is also encrypted in transit between the Pinecone backend and cloud infrastructure services, such as S3 and GCS. For more information, see Google Cloud Platform and AWS security documentation.
Network security
Private Endpoints for AWS PrivateLink
Use Private Endpoints to connect to Amazon Web Services (AWS) PrivateLink. This establishes private connectivity between your Pinecone serverless indexes and supported AWS services while keeping your VPC private from the public internet.
Private Endpoints are additive to other Pinecone security features: data is also encrypted in transit, encrypted at rest, and an API key is required to authenticate.
Proxies
The following Pinecone SDKs support the use of proxies:
Was this page helpful?