Clean Rooms
Databricks Clean Rooms provide a secure, isolated environment where two or more organizations can collaboratively analyze sensitive data without either party gaining direct access to the other's underlying data. Built on Delta Sharing and Databricks serverless compute, Clean Rooms are available on AWS, Azure, and GCP.
Think of it as shared compute around your data and IP — not shared data copies.
Is this right for you?
Clean Rooms solve a specific problem: two or more parties need to run analytics or AI on combined data, but neither party can share raw records with the other. If that's your scenario, Clean Rooms are the right fit. If your use case is simpler — delivering data to consumers who run their own workloads — Delta Sharing alone is a better starting point.
For a full decision guide including how to combine Clean Rooms with Delta Sharing across the partner lifecycle, see When to use Clean Rooms.
Who this is for
This guide is for partners who want to build, package, or sell collaboration products on Databricks:
| Partner type | How you use Clean Rooms |
|---|---|
| Data providers | Offer try-before-you-buy evaluation environments; package recurring collaboration workspaces as a subscription product |
| Identity & martech partners | Run graph matching and ID translation without exposing raw PII or your graph internals to customers |
| ISVs and app builders | Run your application logic as IP-protected libraries inside Clean Rooms; deliver repeatable collaboration workflows to customers |
| Systems integrators | Design collaboration architectures for joint customers; build and operate managed Clean Room programs |
Databricks Clean Rooms is GA on AWS and Azure (since February 2025), and on GCP (since Summer 2025). HIPAA compliance support is available on all clouds.
What is a Clean Room?
A Clean Room is a neutral, isolated environment managed by Databricks where collaborating parties can run pre-approved notebooks against combined datasets—without either party ever seeing the other's raw data. Only the results of the approved computation are surfaced.
Each party's data is Delta Shared into the central clean room. The central environment is ephemeral—compute is spun up only when a notebook runs, and all files are deleted when the job finishes.
Key capabilities
| Capability | Description |
|---|---|
| No-trust model | No party, including the creator, has admin privileges. Databricks manages the environment. |
| Code approval | Notebooks must be explicitly approved (or auto-approved) by all parties before running. |
| Multi-party | Supports up to 10 collaborating organizations in a single clean room. |
| Any cloud / any platform | Collaborate across AWS, Azure, and GCP without data movement. External data can be sourced via Lakehouse Federation. |
| Any language | Run SQL, Python, R, or Scala workloads in the clean room. |
| Output tables | Generate approved, read-only output tables that collaborators can access in their own metastores. |
| Full audit trail | All actions are recorded in the clean_room_events system table and account audit logs. |
How it fits with Delta Sharing
Clean Rooms work alongside — not instead of — Delta Sharing. A common partner motion uses both:
- Clean Rooms for joint analytics and IP-protected computation
- Delta Sharing for ongoing production data delivery after evaluation
For a full decision guide, see When to use Clean Rooms.
How it differs from Delta Sharing
| Delta Sharing | Clean Rooms | |
|---|---|---|
| Data visibility | Recipient sees the data | No party sees the other's raw data |
| Compute | Runs in recipient's environment | Runs in Databricks-managed neutral environment |
| Code control | Recipient runs their own code | Code must be mutually approved |
| Primary pattern | Data distribution and monetization | Joint analysis on sensitive data |
Requirements
To use Clean Rooms, each collaborating workspace must have:
- Serverless compute enabled
- Unity Catalog enabled
- Delta Sharing enabled on the Unity Catalog metastore
CREATE CLEAN ROOMprivilege
See What is Databricks Clean Rooms? for the full prerequisites checklist.
Partner readiness checklist
Use this checklist before onboarding your first customer to a production clean room.
Your workspace
- Unity Catalog enabled, with your production tables in a dedicated catalog
- Serverless compute enabled and tested
- Delta Sharing enabled on your metastore
- Service principal created for clean room ownership (group-owned, not tied to an individual user)
- Service principal has
SELECTon all assets you intend to publish into clean rooms - Service principal has
CREATE CLEAN ROOMandMANAGE CLEAN ROOMprivileges - Self-collaboration dry run completed — you have created a clean room where your organization is both creator and collaborator, validated notebook execution, and reviewed output table visibility
Your assets
- PII has been separated from derived features — clean room tables contain only the minimal data needed for computation (see Architecture — Data modeling)
- Join key normalization is documented — hash function, field list, and normalization rules are written down and shared with the customer before room creation
- Column aliases are finalized — the schema you expose to customers is treated as a stable API contract
- Notebooks are versioned and tested against your dry-run data
- IP protection strategy is chosen — hidden asset mode and/or compiled libraries for any proprietary logic
Customer setup
-
Customer has confirmed Unity Catalog, serverless compute, and Delta Sharing are enabled
-
Customer has confirmed a service principal or group will own their side of the room
-
Central clean room (CCR) region agreed upon — in the same region as the data-heavy party, satisfying both parties' data residency requirements Operations
-
Monitoring configured on
clean_room_eventssystem table — alerts on unexpected auto-approvals and failed runs -
Notebook version change process defined — how you communicate and coordinate notebook upgrades across active rooms
-
Run schedule and output consumption SLA agreed with the customer
In this section
| Topic | Description |
|---|---|
| Architecture | Partner integration patterns, data modeling, cross-cloud decisions, and output table design |
| Security | Customer security review preparation (8 categories), approval workflow at scale, and IP protection |
| Use cases | Industry-specific patterns: adtech, financial services, healthcare, and identity resolution |
| When to use Clean Rooms | Decision guide for Clean Rooms vs Delta Sharing |
What's next
- Not sure which tool to use? Start with When to use Clean Rooms
- Understand the architecture before setting up your first clean room
- Review the security model to prepare for security conversations with collaborators
- Explore use cases to identify the right patterns for your industry