Skip to main content

Enhanced compliance environments (ECE)

Aiven collects, manages, and operates on sensitive data that is protected by privacy and compliance rules and regulations. Aiven meets the needs of its customers by providing specialized enhanced compliance environments (ECE) that comply with many of the most common compliance requirements. The vendors that assist with this collection, management and operation are subject to the same rules and regulations.

An enhanced compliance environment will run on Aiven managed infrastructure with the additional compliance requirement that no ECE VPC is shared and the managed environment is logically separated from the standard Aiven deployment environment. This decreases the blast radius of the environment to prevent inadvertent data sharing. Furthermore, users of an ECE must encrypt all data prior to reaching an Aiven service. As part of the increased compliance of the environment, enhanced logging is enabled for - stderr, stout, and stdin.

Who is eligible?

Enhanced compliance environments, although similar to standard environments, involve added setup and maintenance complexity. The following are requirements to utilize an ECE:

  • A BAA signed with Aiven
  • Plan to operate in one or more of Amazon Web Services (AWS), Google Cloud Platform (GCP), or Microsoft Azure
  • Total monthly spend is greater than $5,000
  • An active Enterprise Support Contract

Cost of ECE

The cost of an enhanced compliance environment, beyond the initial eligibility requirements, is exactly the same as a standard Aiven deployment. All service costs are the same and all egress networking charges are still covered in an ECE. Customers can still take advantage of any applicable marketplaces and spend down their commitment accordingly.

Similarities to a standard environment

In many ways, an ECE is the same as a standard Aiven deployment. Aiven's tooling, such as CLI and Terraform, interact with ECEs seamlessly, you will still be able to take advantage of Aiven's service integrations, and access to the environment can be achieved through VPC peering or Privatelink (on AWS or Azure).

However, there are some key differences from standard environments as well:

  • No internet access. Internet access cannot even be allow-listed as would be the case in standard private VPCs
  • VPCs cannot be automatically provisioned and must be manually configured by our networking team.
  • VPC peering or Privatelink connections must be manually approved on the Aiven end

With these differences in mind, Aiven requires the following to provision an Enhanced Compliance Environment:

  • A CIDR block for all region/environment combinations. For example, if you have a development, QA and production environment and operate in 3 regions in each of those, we will need 9 CIDR blocks.

The necessary peering information to enable the peer from our end. This differs between clouds:

AWS:

  • AWS account ID
  • VPC ID

GCP:

  • GCP Project ID
  • VPC Network Name

Azure:

  • Azure Tenant ID
  • Azure App ID
  • Azure VNet ID

Compliances

Although not exhaustive, Aiven is capable of supporting both the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) compliances.

If you require compliance beyond these compliances, contact the sales team so we can better understand your specific needs.

Additionally, we offer an alternative deployment option. See Bring Your Own Cloud (BYOC).

Migrate to an ECE

Migrations to Aiven are a standard procedure, but migrating to an ECE can add complexity.

To migrate a new service to an ECE, contact the sales team to request help.

To migrate an existing Aiven service to an ECE, the Aiven network team creates a VPN tunnel between your non-compliant VPC and your ECE VPC to enable a one-click migration. The migration is then performed in an automated and zero-downtime fashion. Once the migration is complete, the VPN tunnel is removed.