Compliance security profile

This page describes the compliance security profile, its compliance controls, and supported features. To enable the compliance security profile, see Configure enhanced security and compliance settings.

Compliance security profile overview

The compliance security profile enables additional monitoring, a hardened compute image, and other features and controls on Azure Databricks workspaces. The compliance security profile includes controls that help meet the applicable security requirements of some compliance standards.

The compliance security profile is required to use Azure Databricks to process data regulated under:

Important

The compliance security profile will be required to process data protected under HIPAA, HITRUST, and IRAP starting on September 1, 2026.

You can also choose to enable the compliance security profile for its enhanced security features without conforming to a compliance standard.

Important

  • You are solely responsible for ensuring your own compliance with all applicable laws and regulations.
  • For compliance standards other than HIPAA, you are solely responsible for ensuring that the compliance security profile and the appropriate compliance standards are configured before processing regulated data. For processing PHI data, Azure Databricks strongly recommends enabling the compliance security profile and selecting the HIPAA compliance standard.
  • You are solely responsible for verifying that sensitive information is never entered in customer-defined input fields, such as workspace names, compute resource names, tags, job names, job run names, network names, credential names, storage account names, and Git repository IDs or URLs. These fields might be stored, processed, or accessed outside the compliance boundary.

If you enable this feature on any workspace, you are charged for the Enhanced Security and Compliance add-on as described on the pricing page.

Note

Account-level Genie One does not aggregate data from workspaces that have the compliance security profile enabled. See Use Genie One.

Compliance security profile security enhancements

Security enhancements include:

  • A CIS Level 1 hardened image.

  • Automatic cluster updates, ensuring clusters have the latest updates by periodically restarting them during configurable maintenance windows. See Automatic cluster update.

  • Enhanced security monitoring, which includes monitoring agents that generate reviewable logs. See Monitoring agents in Azure Databricks compute plane images.

  • Communications within the cluster and for egress use TLS 1.2 or higher, including communication with the metastore.

Supported preview features

Only the Public Preview, Private Preview, and Beta features listed in this section are supported for workspaces with the compliance security profile enabled. The compliance security profile does not support any other Public Preview, Private Preview, or Beta features.

The following table lists all supported Public Preview, Private Preview, and Beta features:

  • Most features are available for all compliance standards with the compliance security profile enabled.
  • Features marked with a specific compliance standard (such as "HIPAA only") are supported only for workspaces configured with that compliance standard.
  • Features marked "Serverless" are only available on the serverless compute plane. For serverless availability by region and compliance standard, see the Regional support for features table on each compliance standard page.

Note

Databricks Apps is generally available. However, to use Databricks Apps with the compliance security profile, a workspace admin must enable it in the Previews page. See Databricks Apps and Manage workspace-level previews.

| Feature | Status | Compute | Notes |
|---|---|---|---|
| Custom Agents: On-behalf-of-user authorization | Public Preview | Standard and serverless | HIPAA only |
| Agent Mode in Genie Spaces | Public Preview | Standard and serverless | |
| ai_forecast() | Public Preview | Standard and serverless | HIPAA only |
| Anomaly detection | Public Preview | Serverless only | |
| Auto Loader support for file events | Public Preview | Standard and serverless | |
| External lineage | Public Preview | Standard and serverless | |
| Compute log delivery to volumes | Public Preview | Standard and serverless | |
| Custom classifiers | Beta | Serverless only | |
| Dashboards in Git folder | Public Preview | Standard and serverless | |
| Data governance hub | Private Preview | Standard and serverless | |
| Azure Databricks Add-in for Excel | Public Preview | Standard and serverless | |
| Databricks managed MCP servers | Public Preview | Serverless only | |
| Databricks SQL alerts | Public Preview | Standard and serverless | |
| Embed Genie Space as an iframe | Beta | Standard and serverless | |
| Exclusive access | Private Preview | Standard and serverless | |
| External MCP servers | Public Preview | Serverless only | |
| Genie app for Slack | Public Preview | Standard and serverless | |
| Genie app in Microsoft Teams | Beta | Standard and serverless | |
| Google Drive connector (standard) | Beta | Standard and serverless | |
| High memory for serverless compute notebook tasks | Public Preview | Serverless only | |
| Lakeflow Connect SQL Server | Public Preview | Standard and serverless | |
| LLM batch inference with ai_query | Public Preview | Standard and serverless | HIPAA only |
| Read Excel files | Beta | Standard and serverless | |
| Secret paths in environment variables | Public Preview | Standard and serverless | |
| Serverless forecasting | Public Preview | Serverless only | |
| Serverless forecasting Python SDK | Private Preview | Serverless only | |
| Serverless workspaces | Public Preview | Serverless only | |
| Service Direct PrivateLink | Public Preview | Standard and serverless | |
| SharePoint connector (managed) | Beta | Standard and serverless | |
| SharePoint connector (standard) | Beta | Standard and serverless | |
| System tables that are in Public Preview | Public Preview | Standard and serverless | |
| Unity Catalog access requests | Public Preview | Standard and serverless | |
| User authorization for Databricks Apps | Public Preview | Standard and serverless | |
| User-defined functions in Unity Catalog | Public Preview | Standard and serverless | |
| Workspace-level SCIM provisioning | Public Preview | Standard and serverless | Legacy feature. See Account-level and workspace-level SCIM provisioning. |