Welcome to the Confluent Trust Center, your comprehensive resource for understanding the foundational principles, practices, and controls that secure and ensure the compliance of our data streaming platform and products.
At Confluent, we believe that customer trust is our most valuable asset, which is why we have engineered enterprise-grade security into the very core of our products and operations, following a "security is foundational" philosophy. We openly share our Trust Principles and provide transparency into our robust security architecture, operational excellence, data privacy commitments, and governance programs.
Here, you can easily access key public documentation, including third-party audit reports such as our SOC 2 Type 2, ISO 27001, and ISO 27701 certifications, in addition to privacy statements and regulatory readiness information for mandates like GDPR, HIPAA, and CCPA.
Accessing Security & Compliance Documentation
A limited selection of our comprehensive compliance and security documentation, such as the public white papers and certifications, is immediately and publicly available on this site. For access to restricted documents, which include sensitive reports such as penetration test reports, SOC 2 reports, and vulnerability assessment reports, users need to request access directly through the Trust Center portal. Click the "Get Access" button at the top of the home page, or on the respective items. Upon authentication, you can seamlessly gain full, self-service access to the entirety of the documentation library to support your security reviews and procurement processes.
If you are interested in security and compliance commitments on Confluent Platform, Bring-Your-Own-Cloud (WarpStream), or US Public Sector, you may change views using the drop down arrow at the top of this page.
New White Paper — Continuous Monitoring of Confluent: A Self-Service Guide for Vendor Risk Teams
We're pleased to add a new white paper to the Confluent Trust Center: Continuous Monitoring of Confluent: A Self-Service Guide for Vendor Risk Teams, authored by the Office of the CISO.
Traditional vendor due diligence relies on point-in-time questionnaires and audits that can leave Third-Party Risk Management (TPRM), security, and compliance teams looking backward. This white paper introduces a repeatable, self-service approach for continuously monitoring Confluent's security, availability, and compliance posture, so your teams can quickly answer the question, "Has anything changed that might affect our risk?"
The guide is organized around four practical monitoring dimensions, each grounded in customer-visible signals you can subscribe to and act on today:
- Dimension 1 — Service Health and Security Advisories: the Confluent Cloud Status Page and Support Portal security advisories.
- Dimension 2 — Vendor and Technology Stack: the Subprocessor List and SOC 2 report to understand Confluent's third-party footprint.
- Dimension 3 — Trust and Compliance Evidence: Trust Center attestations (SOC 2, ISO, PCI), security white papers, and security announcements.
- Dimension 4 — Direct Vendor Engagement: a structured, last-resort path for the rare questions that self-service signals don't fully resolve.
The paper also includes a one-page continuous-monitoring checklist your TPRM program can adopt immediately, and the same model can be reused across your broader vendor portfolio.
Read the white paper now in the Confluent Trust Center.
Click Subscribe to be notified automatically of new reports, attestations, and security announcements.
Confluent Compliance Update: ISO 27001 & ISO 27701 Renewals and New SOC 1 / SOC 2 Type 2 Reports Released
At Confluent, your trust is the foundation of everything we build. We are proud to share a series of compliance milestones — spanning globally recognized security and privacy standards — that reaffirm that commitment and the rigor behind it.
ISO/IEC 27001:2022 and ISO/IEC 27701:2019 certifications renewed
Confluent has successfully completed its annual surveillance audit and renewed our ISO/IEC 27001:2022 certification. This renewal demonstrates our continuous dedication to maintaining the highest standards for our Information Security Management System (ISMS), which protects the confidentiality, integrity, and availability of your data.
Our certification scope extends beyond the foundational ISO 27001 standard. It also includes the following:
- ISO 27017 — Provides assurance for the security controls of cloud services, confirming best practices for cloud environment operation and protection.
- ISO 27018 — Verifies controls for protecting Personally Identifiable Information (PII) processed by Confluent as a public cloud Controller and Processor.
- ISO/IEC 27701:2019 — Privacy Management (PIMS) — A key privacy extension verifying our role as a PII Processor and Controller, and helping customers align with global privacy frameworks like GDPR and CCPA.
New SOC 1 Type 2 and SOC 2 Type 2 reports now available
We are also pleased to announce that our latest SOC 1 Type 2 and SOC 2 Type 2 reports are now available for both Confluent Cloud and Confluent Platform, covering the audit period of October 1, 2025 to March 31, 2026. These independent reports provide assurance over our controls relevant to financial reporting (SOC 1) and to security, availability, processing integrity, and confidentiality (SOC 2). If you require a bridge letter, you can generate one directly within the Trust Center.
These renewals and reports provide you with independent assurance that we are consistently managing and mitigating security and privacy risks to protect your data.
You can find our latest ISO certificates, our SOC 1 and SOC 2 Type 2 reports, and other compliance documents in the Confluent Trust Center.
Thank you for your continued partnership.
Accelerate Your Due Diligence: 2026 KY3P® Security Assessment for Confluent Now Available
Confluent has officially completed its 2026 KY3P® (formerly TruSight) IT Security Assessment. An S&P Global Market Intelligence offering (formerly IHS Markit), the KY3P framework was developed by a founding consortium of leading global financial institutions to standardize and simplify third-party risk management.
Purchasing this shared assessment allows your risk and compliance teams to expedite their security audit of Confluent by leveraging externally validated results and supporting control evidence. The assessment thoroughly evaluates the control environments for both Confluent Cloud and Confluent Platform across critical domains, including information security, cyber resilience, and data governance, covering 2026 vendor review cycles.
Why Leverage Confluent's KY3P Report?
- Reduced Audit Burden: Eliminates the administrative overhead of drafting, sending, and reviewing bespoke vendor risk assessments.
- Consortium-Backed Trust: Rely on an industry-standard framework developed by the world's leading financial institutions.
- Comprehensive Evidence Package: Includes key supporting policies, procedural documentation, and verified control validations.
How to Acquire the Report?
The 2026 KY3P Assessment Report and evidence package are available for purchase directly through S&P Global's KY3P program. To request access, contact the KY3P team at: ky3psales@ihsmarkit.com.
Looking for standard documentation? Access core security certifications, self-attestations, and standard reports (such as SOC 2 or ISO) directly via the Confluent Trust Center.
New White Paper — Streaming Sovereignty: Digital Sovereignty Imperative for the Real-Time Enterprise
For regulated enterprises, digital sovereignty is no longer a compliance checkbox — it is a procurement gate, an audit finding, and in some cases a condition of license. At Confluent, we believe sovereignty must be intentional and engineered into every layer of the technology stack — backed by architectural guarantees you can verify, audit, and rely upon.
We are excited to announce the publication of our latest white paper: Streaming Sovereignty | Digital Sovereignty Imperative for the Real-Time Enterprise.
This paper articulates Confluent's position that sovereignty is not a product feature or a contractual clause — it is an architectural outcome. It is designed to support Boards, C-suites, CISOs, and infrastructure architects navigating the convergence of an increasingly complex regulatory landscape and business needs based on national and regional sentiments and requirements.
Inside, you will find:
- A Board-Level Risk Register mapping streaming-layer exposures to Confluent's architectural mitigations
- The Confluent Sovereignty Spectrum — how Confluent Cloud, WarpStream BYOC, Confluent Private Cloud, and Confluent Platform each meet a distinct sovereignty profile
- A Deployment Architecture Decision Guide and Industry Architecture Guide for financial services, healthcare, government, critical infrastructure, and telecommunications
- A consolidated view of evidence artifacts available for regulatory audit and reporting
The white paper is now available on the Confluent Trust Center. We encourage you to share it with your security, compliance, risk, and architecture teams — and to use it as a reference in your conversations with regulators, auditors, and your Board as you plan and scale your critical workloads on Confluent.
Thank you for your continued partnership. We look forward to enabling you to achieve your desired outcomes related to real-time streaming sovereignty, with the transparency, architectural guarantees, and evidence artifacts you need to lead with confidence.
New Security & Compliance White Papers: Accelerating Trust in Regulated Industries
At Confluent, we understand that moving mission-critical data in real-time requires more than just speed—it requires unwavering trust. As global regulatory landscapes become increasingly complex, we are committed to providing the transparency you need to scale with confidence.
We are excited to announce the publication of three new white papers on the Confluent Trust Center. These resources offer a deep dive into how Confluent Cloud is engineered to meet the stringent security, risk, and compliance obligations of highly regulated sectors.
New Resources Available for Download
- Enabling Operational Resilience for Financial Institutions - Tailored for banks and other financial services players, this paper explains how Confluent Cloud supports resilience across global regulations. It covers key topics such as incident reporting, continuous resilience testing, risk management, and governance.
- ePHI in Motion: Trust, Controls, and Compliance for Healthcare - Focused on HIPAA-aligned use cases, this resource details the technical and administrative architecture used to safeguard Electronic Protected Health Information (ePHI) while enabling real-time data flows.
- Enabling Trust with Confluent Cloud in Australia - This guide addresses the unique Australian regulatory landscape, explaining how Confluent Cloud aligns with frameworks such as APRA and IRAP to maintain compliance for sensitive workloads.
Why This Matters for Your Team
These papers are designed to serve as strategic tools for your organization by:
- Providing consolidated evidence of our security capabilities for regulated workloads.
- Reducing manual reviews for your risk and audit teams, helping them assess our controls more efficiently.
- Removing compliance roadblocks to accelerate your cloud and data streaming adoption.
Where to Access
All three white papers are now available in the White Papers section of the Confluent Trust Center.
We encourage you to share these resources with your security, compliance, and risk stakeholders as you plan and scale your critical workloads on Confluent Cloud.















