As organizations have transitioned from batch processing to real-time streaming architectures, a critical governance gap has emerged. Legacy data governance tools designed for databases, warehouses, and file systems assume that information is stationary and focus on protecting, classifying, and auditing data at rest.
Modern applications, however, are dynamic: A payment event moves through a dozen microservices between authorization and settlement; a patient record streams across hospital systems; a trade confirmation crosses regions in milliseconds. This is data in motion, and it accounts for the vast majority of sensitive information flowing through production systems.
Confluent’s Stream Governance addresses this governance gap by providing a suite of capabilities built specifically to bring enterprise-grade governance, security, and compliance controls to streaming data across financial services, healthcare, retail, and any other industry where sensitive data moves at speed:
- **Stream Catalog:** Discover, classify, and tag sensitive data across all streams to maintain visibility into what data you have and who owns it.
- **Stream Lineage:** Visualize end-to-end data flows in real time to trace exactly where data originated, how it transformed, and where it landed.
- **Schema Registry:** Enforce data contracts at the topic level to control which fields are published, ensuring data quality and safe evolution.
- **Role-based access control (RBAC):** Grant granular permissions to ensure that only authorized services can access sensitive streams at the cluster, topic, or group level.
- **Client-side field level encryption (CSFLE):** Encrypt individual sensitive fields before they enter the stream, protecting specific data elements throughout their journeys from producer to consumer.
- **Client-side payload encryption (CSPE):** Encrypt the entire message payload on the client before it’s written to the stream. CSPE is now available on Confluent Cloud. Whereas CSFLE targets individual fields, CSPE protects the full payload, giving teams a flexible, defense-in-depth approach to encryption coverage.
- **Audit logs:** Maintain an immutable record of access and administrative actions, providing the concrete evidence that auditors require.
When combined, these capabilities make compliance an inherent property of the stream itself rather than a manual checkpoint applied after the fact.
The question isn’t whether streaming data requires governance; it’s whether your tooling was built for data in motion. The following compliance challenges illustrate why this distinction is vital.
Payment card data, protected health information, and other categories of regulated personal data share a common problem: They must be encrypted in transit and access-controlled at every point, but they rarely stay in one place. A payment event might touch a dozen services between authorization and settlement, or a patient record might stream across clinical systems, billing platforms, and analytics pipelines before it reaches a system of record. Each handoff is an exposure point.
Confluent addresses this through TLS encryption across every topic, RBAC so that only the services that need sensitive data can read it, and Schema Registry to enforce exactly which fields are allowed in each stream. Confluent holds a Payment Card Industry Data Security Standard (PCI DSS) attestation of compliance and is HIPAA-compliant, so the platform itself, not just the databases on either end of it, can be part of a customer's compliant architecture.
Teams can apply CSFLE to tokenize sensitive fields before a stream is published to downstream consumers. For workloads requiring broader payload protection, CSPE encrypts the entire message before it enters the stream, ensuring that no intermediate service can inspect payload contents it isn't authorized to read. Audit logs are immutable, providing the traceable evidence that compliance teams require.
Privacy regulations across jurisdictions grant individuals the right to have their personal data deleted. That’s straightforward in a relational database: Run a delete query, and you’re done. But it’s genuinely hard in a streaming architecture where personal data might be spread across dozens of topics, replicated across regions, and referenced in derived streams.
Confluent handles this in several ways. Stream Lineage tracks where personal data originated and where it flowed so that when a deletion request arrives, teams can identify every place that data lives. Stream Catalog enables classification of sensitive data, including personally identifiable information (PII), with governance rules applied at the topic level.
Field-level encryption via CSFLE with per-user keys means a “deletion” can be accomplished by destroying the key; the data becomes permanently unreadable without having to locate and scrub every record. For teams using CSPE, the same key-destruction approach applies at the full payload level, simplifying erasure workflows even further and extending cryptographic deletion to the entire message rather than individual fields.
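The key-destruction ("crypto-shredding") idea described above, as an added example that is not Confluent's code or API: each data subject gets its own data encryption key (DEK), a sensitive field is encrypted under that DEK with AES-GCM before the event is produced, and an erasure request is served by discarding the DEK. The records already in the log stay untouched; the field simply becomes unrecoverable. The `KeyStore` type stands in for a KMS or key registry and is hypothetical, as is the sample payment event.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// ErrKeyDestroyed is returned once the per-subject key has been shredded.
var ErrKeyDestroyed = errors.New("data encryption key destroyed: field is unrecoverable")

// KeyStore is a hypothetical stand-in for the KMS / key registry that
// holds one 32-byte AES data encryption key (DEK) per data subject.
type KeyStore struct {
	deks map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{deks: map[string][]byte{}} }

// keyFor returns the subject's DEK, generating one on first use.
func (ks *KeyStore) keyFor(subject string) ([]byte, error) {
	if k, ok := ks.deks[subject]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.deks[subject] = k
	return k, nil
}

// Shred implements erasure: the DEK is discarded; ciphertexts stay in the log.
func (ks *KeyStore) Shred(subject string) { delete(ks.deks, subject) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts one sensitive field value under the subject's DEK.
// The field name is bound as associated data so a ciphertext cannot be
// transplanted into another field. Output is base64(nonce || ciphertext).
func EncryptField(ks *KeyStore, subject, field, plaintext string) (string, error) {
	key, err := ks.keyFor(subject)
	if err != nil {
		return "", err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, []byte(plaintext), []byte(field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptField reverses EncryptField; it fails once the DEK is shredded.
func DecryptField(ks *KeyStore, subject, field, encoded string) (string, error) {
	key, ok := ks.deks[subject]
	if !ok {
		return "", ErrKeyDestroyed
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	ks := NewKeyStore()
	// Constructed sample event: only the card number is field-encrypted.
	event := map[string]string{"payment_id": "p-1001", "subject": "cust-42", "amount": "19.99"}
	ct, _ := EncryptField(ks, "cust-42", "card_number", "4111111111111111")
	event["card_number"] = ct
	fmt.Println("stored in topic:", event)
	pt, _ := DecryptField(ks, "cust-42", "card_number", ct)
	fmt.Println("authorized consumer reads:", pt)
	ks.Shred("cust-42") // erasure request: destroy the key, not the records
	_, err := DecryptField(ks, "cust-42", "card_number", ct)
	fmt.Println("after shred:", err)
}
```

The field name is passed as GCM associated data on purpose: a consumer that tries to decrypt a `card_number` ciphertext as if it were an `email` gets an authentication failure, which is the property you want when ciphertexts sit in a shared, immutable log. Once the key is gone the only remaining question for the erasure workflow is whether any backups of the key store exist.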
Privacy frameworks also commonly require data minimization to collect only what you need. Schema Registry enforces which fields are published to a topic in the first place, making minimization enforceable rather than aspirational.
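To make the minimization point concrete, here is an added example (not Confluent's Schema Registry code) of the producer-side gate a registered schema gives you: a topic contract lists the fields a record may carry, and a record with any undeclared field, such as a card number sneaking into an authorization event, is rejected before it is published. `TopicContract`, `Validate`, and the sample records are hypothetical constructions for this illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// TopicContract is a hypothetical stand-in for a registered schema with
// closed content: required fields, optional fields, nothing else allowed.
type TopicContract struct {
	Topic    string
	Required []string
	Optional []string
}

// Validate parses a JSON record and returns every policy violation:
// missing required fields and undeclared fields (a minimization breach).
// An empty slice means the record conforms to the contract.
func (c TopicContract) Validate(raw []byte) ([]string, error) {
	var rec map[string]json.RawMessage
	if err := json.Unmarshal(raw, &rec); err != nil {
		return nil, fmt.Errorf("record is not a JSON object: %w", err)
	}
	allowed := map[string]bool{}
	for _, f := range c.Required {
		allowed[f] = true
	}
	for _, f := range c.Optional {
		allowed[f] = true
	}
	var violations []string
	for _, f := range c.Required {
		if _, ok := rec[f]; !ok {
			violations = append(violations, "missing required field: "+f)
		}
	}
	for f := range rec {
		if !allowed[f] {
			violations = append(violations, "undeclared field rejected: "+f)
		}
	}
	sort.Strings(violations) // deterministic order for logs and tests
	return violations, nil
}

// Publish is the gate a producer wrapper would apply: the record only
// reaches the (simulated) topic if the contract check is clean.
func Publish(c TopicContract, raw []byte, topic *[][]byte) error {
	violations, err := c.Validate(raw)
	if err != nil {
		return err
	}
	if len(violations) > 0 {
		return errors.New("rejected by contract for " + c.Topic + ": " + fmt.Sprint(violations))
	}
	*topic = append(*topic, raw)
	return nil
}

func main() {
	contract := TopicContract{
		Topic:    "payments.authorized",
		Required: []string{"payment_id", "amount", "currency"},
		Optional: []string{"merchant_id"},
	}
	var topic [][]byte
	// Constructed sample records: the second one carries a field the
	// contract never declared, so it never enters the stream.
	clean := []byte(`{"payment_id":"p-1","amount":"19.99","currency":"USD","merchant_id":"m-7"}`)
	overshare := []byte(`{"payment_id":"p-2","amount":"5.00","currency":"USD","card_number":"4111111111111111"}`)
	fmt.Println("clean:", Publish(contract, clean, &topic))
	fmt.Println("overshare:", Publish(contract, overshare, &topic))
	fmt.Println("records in topic:", len(topic))
}
```

With a real registry the same effect comes from registering a closed schema for the topic and enabling validation on the producer; the value of the check is that the unwanted field is never written, so there is nothing to find and scrub later.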
Regulators across industries require institutions to demonstrate that their critical systems, including those from third-party technology providers, can withstand and recover from disruption. Requirements share a common core: documented risk assessments, tested incident response, contractual clarity with vendors, and the ability to trace the path of an incident through systems. The EU’s Digital Operational Resilience Act (DORA), which came into full effect in January 2025, and the Australian Prudential Regulation Authority Cross-Industry Prudential Standard (APRA CPS) 230 frameworks are prominent examples from the financial services sector, but comparable resilience expectations are emerging across healthcare, critical infrastructure, and other regulated sectors.
Streaming infrastructure is at the heart of these requirements. Real-time data flows, payment events, trade confirmations, and care coordination records are increasingly classified as “critical operations.” The challenge is that data moving between microservices is often a blind spot: Traditional governance tools are designed for static databases, leaving data in motion exposed to both security gaps and operational lag.
Confluent addresses operational resilience requirements directly. Stream Lineage provides a real-time visual map of data flows, satisfying requirements to document critical operations and identify single points of failure. When an incident occurs in a streaming pipeline, Stream Lineage shows exactly where it happened and which downstream systems were affected, turning a theoretical audit trail into an operational tool.
On the infrastructure side, Confluent Cloud’s Kora engine is built for high availability, with a 99.99% uptime service level agreement (SLA), automatic failover, and multi-region replication. When regulators ask “What happens if this goes down?”, the answer needs to be operational, not theoretical.
Security mandates are addressed through a layered encryption approach. CSFLE ensures that sensitive fields such as PII are encrypted before entering the stream; CSPE extends that protection to the full message payload, ensuring that even if a service intercepts a message, it can’t read its contents without authorization. Schema Registry enforces data contracts between systems, preventing downstream failures that compromise operational resilience. Every event is recorded in an immutable audit log, providing the accountability evidence that auditors require.
To comply with financial reporting requirements, public companies must ensure that financial data hasn’t been tampered with and that auditors can verify the integrity of reporting systems. In practice, that means access controls, audit trails, and evidence that no unauthorized party touched data between source and report.
Real-time financial data, such as trade confirmations, ledger updates, and reconciliation events, increasingly flows through streaming infrastructure. Confluent’s immutable log is directly useful here: Once a record is written to an Apache Kafka® topic, it can’t be altered. That’s not a marketing claim; it’s how the architecture works. With RBAC, CSFLE for sensitive field protection, CSPE for full payload integrity, and complete audit logging of consumer activity, Confluent gives audit teams a traceable record of exactly what moved through the system and who could see it.
These compliance requirements look different on paper, but they share the same core demands: Know where your sensitive data is, control who can access it, encrypt it in transit, and prove all of that with logs an auditor can read.
The traditional approach to governance was built for data at rest: tools designed to lock down data rather than let it move safely. Confluent’s Stream Governance suite—Stream Lineage, Stream Catalog, Schema Registry, RBAC, CSFLE, and CSPE—was built from the ground up for data in motion.
Compliance doesn’t have to slow down streaming. With the right platform, it can be a property of the stream itself.
Before your next audit, it's worth asking the following questions. If a regulator requested that you trace a single payment event from authorization to settlement or that you trace a patient record across every system it touched, could you do it in real time? If a customer submitted a deletion request today, could you confirm every place their data lives and respond within the regulatory deadline? If your streaming infrastructure went down tonight, could you show exactly what was affected and in what order?
If you’re uncertain of your answers, that's what Stream Governance was designed to solve. Explore Confluent's security and compliance resources at *confluent.io/trust-and-security* and access detailed documentation through the *Confluent Documentation Portal*.