Progress Acquires MarkLogic! Learn More

Trust Center

Large investment banks, major healthcare organizations, and classified government systems all trust MarkLogic with their most critical data assets.


MarkLogic Data Platform Security Overview

The MarkLogic data platform provides robust, enterprise-grade security controls that are proven in mission-critical environments. Here are the ways MarkLogic approaches security:


Who is the user? How do we verify their identity? MarkLogic answers those questions by supporting various protocols to securely store and process identity information. MarkLogic supports SSO with LDAP (Active Directory), Kerberos, SAML, or digital certificates.

What can a certain user do and see? This question of authorization, which is crucial to all aspects of data security, is handled with more granular controls than any other data platform. MarkLogic supports Role-based Access Control (RBAC) and other security models to define granular privileges to restrict access to actions, data, and resources.

  • Document and Element Level Security to control access to specific XML and JSON documents and the elements/properties/paths within those documents.
  • Data Redaction to mask or conceal sensitive data like PII data stored as XML elements or JSON properties for data protection and privacy. Use rule-based redaction policies for data loss prevention to confidently share data with third parties.

What happened, exactly? MarkLogic records every action by default to answer detailed questions about system activities along a timeline. This includes data inserts, reads, and updates, code execution, and authentication changes. MarkLogic provides full access to system logs.

Can someone get access without credentials? Can they modify the files? Can they erase evidence of wrongdoing? MarkLogic has advanced encryption to encrypt data on the wire (in transit) and on disk (encryption at rest).

Encryption is comprehensive (data, configurations, and logs), transparent (no coding required), and fast (negligible performance impact). MarkLogic supports client-owned encryption keys using the public cloud provider’s key management system.

Three security eBooks stacked

MarkLogic Security White Papers

Learn more about MarkLogic’s robust security features, including how we build a secure product, how to develop secure apps on MarkLogic, and how to deploy MarkLogic securely.

Building Security into MarkLogic

Developing Secure Applications on MarkLogic

How to Deploy MarkLogic Securely

Secure Architectures When Deploying MarkLogic On-Premises

Security Features

MarkLogic offers advanced enterprise data security controls that are beyond what any multi-model database offers. Data loss prevention and other security principles are central to what we do.

Secure by default

Security is not a feature that needs to be turned on and configured. When data is loaded, it is immediately secured.

MarkLogic has scalable controls for authentication, ensuring that the system easily integrates into your environment.

MarkLogic has granular access controls to govern what a user can do and see. Each user is associated with any number of roles, and each role is given privileges that determine what they can do. Also, each document has permissions dictating which roles can see and edit it. Security checks verify the necessary credentials before granting the requested action, and security information is stored in a specific security database in MarkLogic.

MarkLogic secures data at the collection level, document level, and even element/property level (like cell-level security in a relational database). This goes beyond what other document databases provide as it’s very hard to engineer on the back-end and maintain performance, but MarkLogic does it.

MarkLogic closely monitors database activity and makes it possible to audit document access and updates, configuration changes, administrative actions, code execution, and changes to access control.

Cutting-edge data encryption protects against unauthorized access of the database by a SysAdmin or Storage Admin. It allows data, configuration, and logs to be encrypted while data is in-flight and at-rest on disk using TLS & AES-256 encryption, and it conforms to FIPS 140 criteria.

In addition to RBAC, MarkLogic can also employ other security models such as Attribute-Based Access Control (ABAC), Policy-Based Access Control (PBAC), or Label-Based Access Control (LBAC). These models further restrict access based on attributes (e.g., social security number, IP address, user’s age, or time of day), policies, or simple labels representing “high” or “low” levels of trust.

Out-of-the-box, MarkLogic provides you with the industry-leading security you need. Your organization may also require the Advanced Security add-on, which includes three additional capabilities.

  • Redaction
  • External Key Management System (KMS) Support
  • Compartment Security

Learn more about Advanced Security

Vulnerability Reporting

MarkLogic has a proactive approach for identifying, monitoring, and responding to security incidents and vulnerabilities found in our software.

Report an Issue


Digital Compliance

MarkLogic is built with demanding security policies to help you meet your policy objectives. It has third party certifications that validate functionality to ensure the security and integrity of your data, protect against breaches, and prevent unauthorized access.

SOC 2 Type II

The MarkLogic SOC 2 Type II report is an independent assessment of our control environment performed by a third party. It is based on the AICPA’s Trust Services Criteria and addresses the key trust principles of security, availability, confidentiality, processing integrity, and privacy.



Attestation for compliance with US Food and Drug Administration regulations around handling electronic records.



The NIST Cybersecurity Framework (CSF) is US-issued guidance for organizations on how to improve their ability to prevent, detect, and respond to cybersecurity risks. NIST 800-53 maps to other standards (e.g., ISO 27001) and underlies other standards like HIPAA and FedRAMP.

Security framework established by the General Services Administration (GSA) in 2012 to protect data confidentiality, integrity, and availability in cloud environments.

Guidelines for complying with the US Health Insurance Portability and Accountability Act of 1996 (HIPAA) related to processing, maintaining, storing, and sharing protected health information (PHI).

MarkLogic is HIPAA-ready.

The Defense Federal Acquisition Regulation Supplement is US DoD-specific rules for procurement within the US public sector.


International standard (ISO/IEC 15408) for a common set of functional and assurance security requirements, evaluated by licensed labs.

MarkLogic is the only non-relational database to have this.


Documented guidelines for deploying in U.S. DoD/DISA IT systems that provide guidance on how to set up and configure a product.

MarkLogic has been “STIG’d” for multiple US federal projects.


A Voluntary Product Accessibility Template (VPAT®) explains how information and communication technology products meet the accessibility requirements of the U.S. government Section 508 standards.


General Data Protection Regulation (GDPR) that went into effect in May 2018 with the goal of strengthening personal data protection in Europe.

MarkLogic complies with GDPR, and helps customers comply with GDPR.

Your Data is Private with MarkLogic

MarkLogic product deployments are architected to ensure complete data privacy. That is why when you’re using MarkLogic, no one except those you authorize, ever get access to the data you store in MarkLogic. Ever.

For self-managed MarkLogic deployments, MarkLogic support teams may get access to authorized telemetry data that includes performance data, configuration data, and log data in order to more quickly solve support problems. The telemetry feature can be easily toggled on or off.

View our Privacy Statement regarding personal data collection.

Built for the Enterprise

Reduce risk by using a proven enterprise-grade platform with market-leading data security and governance.

Contact Us