What kind of security does Temporal Cloud provide?

The security model of Temporal Cloud encompasses applications, data, and the Temporal Cloud platform itself.

What is the security model for applications and data in Temporal Cloud?

Code execution boundaries

Temporal Cloud provides the capabilities of Temporal Server as a managed service; it does not manage your applications or Workers 🔗

x

Link preview

What is a Worker?

In day-to-day conversations, the term Worker is used to denote both a Worker Program and a Worker Process. Temporal documentation aims to be explicit and differentiate between them.

term explanation

. Applications and services written using Temporal SDKs 🔗

x

Link preview

What is a Temporal SDK?

A Temporal SDK is a language-specific library that offers APIs to construct and use a Temporal Client to communicate with a Temporal Cluster, develop Workflow Definitions, and develop Worker Programs.

term explanation

run in your computing environment, such as containers (Docker, Kubernetes) or virtual machines (in any hosting environment). You have full control over how you secure your applications and services.

Data Converter: Client-side encryption

The optional Data Converter 🔗

x

Link preview

What is a Data Converter?

A Data Converter is a Temporal SDK component that serializes and encodes data entering and exiting a Temporal Cluster.

term explanation

capability of the Temporal Platform lets you transparently encrypt data before it's sent to Temporal Cloud and decrypt it when it comes out. Temporal Cloud does not need decrypted data to operate.

The Data Converter runs on your Temporal Workers and Clients 🔗

x

Link preview

What is a Temporal Client?

A Temporal Client, provided by a Temporal SDK, provides a set of APIs to communicate with a Temporal Cluster.

term explanation

; Temporal Cloud cannot see or decrypt your data. If you use this feature, data stored in Temporal Cloud remains encrypted even if the service itself is compromised.

The Data Converter also lets you securely decrypt data in the Temporal Web UI 🔗

x

Link preview

What is the Temporal Web UI?

The Temporal Web UI provides users with Workflow Execution state and metadata for debugging purposes.

term web-ui

without sharing encryption keys with Temporal.

What the security model for the Temporal Cloud platform?

Namespace isolation

The base unit of isolation in a Temporal environment is a Namespace 🔗

x

Link preview

What is a Namespace?

A Namespace is a unit of isolation within the Temporal Platform

term explanation

. Each Temporal Cloud account can have multiple Namespaces. A Namespace (regardless of account) cannot interact with other Namespaces. Each Namespace is available through a secure gRPC (mTLS) endpoint and an HTTPS (TLS) endpoint. You can make these endpoints more secure by routing all communication through AWS PrivateLink.

Temporal Cloud is a multi-tenant service. Namespaces in the same environment are logically segregated. Namespaces do not share data processing or data storage across regional boundaries.

Encryption

Communication into and out of Namespaces is over TLS. All communication within our production environments is over TLS 1.3. Data is stored in two separate locations: an Elasticsearch instance (used when filtering Workflows in SDK clients, the CLI, or the Web UI) and the core Temporal Cloud persistence layer. Both are encrypted at rest with AES-256-GCM.

For more information, see Requirements for CA certificates in Temporal Cloud 🔗

x

Link preview

Requirements for CA certificates in Temporal Cloud

Certificates provided to Temporal for your Namespaces must meet certain requirements.

explanation temporal cloud certificates

.

Identity

Authentication to gRPC endpoints is provided by mTLS per Namespace.

For more information, see How to manage SAML authentication with Temporal Cloud.

Access

Authorization is managed at the account and Namespace level. Users and systems are assigned one or more preconfigured roles. Users hold account-level Roles 🔗

x

Link preview

What are the account-level Roles for users in Temporal Cloud?

Account-level Roles are Global Admin, Developer, and Read-Only.

temporal cloud temporal cloud account users explanation

of administrators, developers, and read-only users. Systems and applications processes hold their own distinct roles.

Monitoring

In addition to extensive system monitoring for operational and availability requirements, we collect and monitor audit logs from the AWS environment and all calls to the gRPC API (which is used by the SDKs, CLI, and Web UI). These audit logs can be made available for ingestion into your security monitoring system.

Testing

We contract with a third party to perform a full-scope pentest (with the exception of social engineering) annually. Additionally, we perform targeted third-party and internal testing on an as-needed basis, such as when a significant feature is being released.

Internal Temporal access

We restrict access to production systems to the small team of employees who maintain our production infrastructure. We log all access to production systems; shared accounts are not allowed. Access to all production systems is through SSO, with MFA enabled.

Access to AWS is granted only for limited periods of time, with a maximum of 8 hours. (For more information, see the blog post Rolling out access hours at Temporal.)

All Temporal engineering systems are secured by GitHub credentials, which require both membership in the Temporal GitHub organization and MFA. Access grants are reviewed quarterly.

Compliance

Temporal Technologies is SOC 2 Type 2 certified and compliant with GDPR. Compliance audits are available by request through our Contact page.