Hybrid Deployment Frequently Asked Questions
Read answers to frequently asked questions about Hybrid Deployment.
How does Fivetran secure the connection between its cloud and the local processing agent?
In the Hybrid Deployment model, you establish an outbound connection to a secured Fivetran endpoint using mTLS. You do not have to open any ports because Fivetran does not connect to your local environment. You can also limit the outbound traffic to this endpoint.
When registering a local processing agent, Fivetran generates and provides an auth.json file containing the certificates specific to your account and agent.
What data does Fivetran receive from my local environment?
Fivetran receives only metadata from your local environment.
The local processing agent in your environment sends the following information to the Fivetran cloud environment:
- Registration information: When you start the agent on your machine, it sends the following data to the orchestration component of the Fivetran cloud:
  - Orchestration server hostname
  - Orchestration server port number
  - Client certificate and key
- Local processing agent logs: Fivetran logs only the internal tracing messages for your agent, and the agent sends them securely to the Fivetran cloud. These logs contain the agent registration status, sync job status, container errors, etc. A copy of these logs is available on your local machine for review. By default, these logs are available in ~/Fivetran/logs/<processing_agent_name>. However, you can change their location. You can also disable the logging in your local environment.
- Sync (data pipeline processing) logs: The sync logs contain internal tracing messages of all internal Fivetran processes and events, such as sync start and end times and sync errors. These logs contain only the metadata of synced objects to indicate when Fivetran processes the objects and their status. A copy of these logs is available on your local machine for review. By default, these logs are available in ~/Fivetran/logs/<processing_agent_name>/jobs/<process_id>. However, you can disable logging in your local environment.
- Local processing agent metrics: The agent sends the following metrics to indicate its performance and status:
  - Start time and run duration of the agent
  - Initiation status of the sync jobs and their failures, internal integration ID, process ID, and Docker container metadata for debugging purposes
  - Initiation status of the test jobs (for validating connector and destination credentials) and their internal integration ID, process ID, and Docker container metadata
  - Initiation status of the schema config jobs (for retrieving connector schema and object details), internal integration ID, process ID, and Docker container metadata
- Sync job metrics: The local processing agent sends the following sync job metrics:
  - Number of rows extracted or loaded per object
  - Volume of data extracted or loaded
  - Processing time for data extraction or loading
Does the local processing agent pass my source or destination credentials to the Fivetran cloud environment?
No, the local processing agent does not pass your source and destination credentials to the Fivetran cloud.
The agent does not use your credentials. Even though the jobs use them, the client TLS certificate of the auth.json file protects them, and Fivetran secures the connection between the agent and the jobs using mTLS. Fivetran never stores your credentials in its cloud.
How does Fivetran maintain the security of container images?
We regularly scan all the container images to detect any potential security vulnerabilities. We perform these scans using Static Application Security Testing (SAST) and Software Composition Analysis (SCA) tools.
Can any local processing agent run my sync jobs?
No, a local processing agent is specific to a particular Fivetran user account and destination. Each combination of user account, destination, and local processing agent has a unique registration in Fivetran and has a specific TLS certificate.
When the Fivetran Cloud Orchestrator schedules a job, it creates a new OAuth token and sends it to the local processing agent. This token is specific to a user account and valid only for 60 minutes. The OAuth token lets the local processing agent download the necessary containers from our Artifact Registry.
Are all connections to the Fivetran dashboard (UI) secure?
Yes, Fivetran uses TLS (v1.2 or above) to encrypt all connections to its dashboard. It does not allow any direct connections between the dashboard and the local processing agent, processes, or containers.
How does Fivetran secure my source and destination credentials?
By default, your connections to your source and destinations are SSL-encrypted. Fivetran securely stores your credentials in a key management system backed by a hardware security module. Fivetran's cloud service provider manages this hardware security module. You can also use your own keys for additional control over the encryption Fivetran uses.
Is the local processing agent FIPS 140-2 compliant?
Fivetran has not yet tested the local processing agent on a FIPS 140-2-enabled machine. Therefore, it is not currently FIPS 140-2 certified.
Where can I access Fivetran's compliance reports, security certifications, and policies?
You can access them in Fivetran's Trust Center.