NetApp Instaclustr Security Overview
Product and customer data security is of utmost importance at NetApp. NetApp Instaclustr follows security best practices throughout the service lifecycle to ensure customer information and data are secured in the best possible way.
For detailed control evidence, refer to the SOC 2 Type II report, available via the NetApp Trust Center.
Shared Responsibility
NetApp operates under a shared responsibility model with three parties:
- Cloud providers secure the underlying infrastructure — physical data centres, hypervisors, and network fabric.
- NetApp secures the platform — hardened nodes, patching, monitoring, backups, and incident response.
- You secure your data and access — firewall rules, encryption, and user management.
Security is a partnership. NetApp can harden the platform, but open firewall rules or disabled encryption create gaps only you can close.
Customer responsibilities, including firewall configuration, encryption enablement, and capacity planning, are documented in the Instaclustr Service Specific Terms.
NetApp reviews each supported cloud provider’s SOC 2 and PCI reports at least annually. Customers should also review their chosen provider’s SOC 2 and PCI reports to verify that they meet their requirements.
The NetApp SOC 2 report includes Complementary User Entity Controls (CUECs) for a full view of shared obligations, available via the NetApp Trust Center.
Compliance
NetApp's security, processes, and services undergo independent third-party audits and validations by external licensed CPA firms.
| Certification | What It Covers |
|---|---|
| SOC 2 Type II | Security, availability, and confidentiality controls — evaluated over a sustained period |
| PCI DSS | Payment card data protection standards for PCI-enabled clusters |
| ISO 27001 and ISO 27018 | Information Security Management System and cloud privacy and protection of personal data |
NetApp conducts an annual risk assessment covering security, availability, and confidentiality threats. Independent penetration testing is performed twice annually. SOC reports for cloud subservice providers are reviewed annually. Where gaps are identified, NetApp remediates and is re-assessed.
Reports are available via the NetApp Trust Center.
Subservice Organizations
NetApp relies on trusted subservice providers and evaluates their security posture regularly.
Clusters run on AWS, Azure, or GCP. Cloud providers are responsible for physical security, hypervisor isolation, and environmental controls. NetApp applies consistent security configurations on top and reviews provider SOC 2 reports annually. Cloud provider regions are verified for compliance coverage before being added to services.
Operational suppliers are assessed under the NetApp Supplier Risk Management program. For on-premises or customer-owned infrastructure, customers are responsible for physical security and environmental controls.
For the full list of subservice organisations, refer to the SOC 2 report.
NetApp Security Advisories
You can view available security advisories here.
Want More Detail?
| Resource | Location |
|---|---|
| SOC 2 Type II Report | NetApp Trust Center |
| Support Documentation | support.instaclustr.com |
| Security & Compliance Questions | [email protected] |
| Service Status | status.instaclustr.com |