CoreWeave Security

Trust. It’s a big word.

‍‍

<Industry-leading cloud and software security>

CoreWeave implements top-tier industry best practices and standards to prioritize security and privacy every step of the way.

Our platform earns trust with these robust practices.

Identity and access management**

**Coming soon

CoreWeave identity access management (IAM) ensures your organization’s workforce and application workloads can easily access what they need, but nothing more.

  • Fine-grained. Our platform allows customers to specify precisely who or what can perform what actions on specific resources.
  • Federation-centric. We support OIDC and SAML-based Workload identity federation with Ephemeral Federated Principal token exchange and SAML-based SSO for Workforce identity.
  • API-driven. CoreWeave’s AccessPolicy and AccessPolicyAssignment APIs can be managed via Infrastructure-as-Code.

Kubernetes and container security

CoreWeave Kubernetes Service (CKS) offers robust node isolation—where every node is single-tenant. This key feature empowers customers requiring maximum security for their workloads. CKS ensures that each customer cluster node operates within a securely isolated environment.

Storage encryption

CoreWeave Storage follows industry best practices with security. Encryption at rest, identity access management, authentication, and policies with role-based access strengthen data protection and security. Plus, CoreWeave AI Object Storage features encryption in transit.

Network access controls and encryption

Create virtual, accelerated networks to manage your cloud resources on CoreWeave—powered by NVIDIA BlueField-3 DPUs. Deploy VPC networking to ensure customer network traffic stays private.

Incident response and patching

We proactively monitor and patch common CVEs and communicate those remediations to clients. We partner with various intelligence verticals to prioritize patching as quickly as possible.

CoreWeave also contracts with industry-best pentesting companies to regularly check products and services for vulnerabilities.

Data center security

CoreWeave secures its data centers with a physical security program derived from industry professionals across Cloud Hyperscalers, three-letter agencies, law enforcement, and data center operators.

CoreWeave is committed to delivering physical security as a fundamental component of its platform and provides assurances tied to its Physical Security Baseline.

24/7/365 protection

All CoreWeave data centers are limited-access, fenced buildings with no visible signage. Around-the-clock security personnel prevent unauthorized access—keeping your data safe.

Air-tight entry processes and protocol

All data center access is controlled on a strict need-to-work basis with required business justification management approval.

Internal data and IP safeguarding

All CoreWeave employees are only granted access via biometric identification. Role-based access control (RBAC) manages access to sensitive data.

Protected hardware

We lock infrastructure hardware in secure cabinets.

Consistent surveillance

All CoreWeave data centers have cameras positioned at each access point that track access in real time.

No loose ends

All paper documents at any data center location are shredded on-site.

Security compliance

CoreWeave aligns its security and compliance programs to industry-standard  SOC2 and ISO 27001 frameworks and requires our data center colocation providers to adhere to them throughout the lifecycle of their contract with CoreWeave. 

Corporate cross-team engagement

Our internal Engineering, Security, Legal, Operations, and Compliance teams ensure these commitments are continuously met and maintained.

Personnel and access

Only authorized CoreWeave employees and personnel can touch CoreWeave infrastructure with strict as-needed and role-based access.

<Our shared responsibility model>

We build trust with clarity.

CoreWeave has developed a Shared Responsibility Model (SRM) to outline the responsibilities of both CoreWeave and customers from a security perspective.

The model below ensures clients understand their accountability while we fully manage, monitor, and control our own components.

Customer

  1. Customer Layer
    Customer Data Access Collection, Protection and Use; Legal, Acceptable Use, Privacy Policy Requirements
  2. Application Layer
    Application Performance; Reliability; Security and Management; Application Code
  3. Access Layer
    Identity and Access Management Policy Definitions; Environment Security; Network Policies and Firewalls
  4. Data Layer
    Data Classification; Data Protection; Encryption; Disaster Recovery Plans; Backups

CoreWeave

  1. Platform Layer
    Kubernetes Container Orchestration; API Services; Identity and Access Management Platform, Container Networking; Cloud Console; Virtual Private Cloud
  2. Compute Layer
    Operating System; Container Support; Hardware Drivers; Health Checking and Node Lifecycle; Endpoint Detection and Response
  3. Network Layer
    Internal and External Connectivity; Routing; Perimeter Monitoring; Firewalling
  4. Physical Layer
    Data Center Security; Power and Cooling; IT Inventory and Asset Management; Physical
Who trusts us
These customers trust CoreWeave for their business-critical AI workloads.

Additional resources

Dive deeper into how we operate our privacy and compliance programs.

Privacy policy

Learn more about CoreWeave’s privacy policy, which safeguards your IP and data.

Data security

Read about our vetted approach to data security.

Digital security and compliance

View our comprehensive security docs on digital security and compliance measures.

CoreWeave and CrowdStrike

Learn about our partnership with CrowdStrike.

Products

Solutions

AI Infrastructure

Why CoreWeave

Resources

About

© CoreWeave.
290 W Mt Pleasant Ave
Suite 4100
Livingston, NJ 07039