SECURITY
Ensuring robust security for our users’ data is central to Skycloak’s mission. Below, we outline the essential measures and protocols we have implemented to safeguard our users’ information and maintain continuity of service.
Overview
Skycloak adheres to strict industry standards for data security, continuously enhancing our infrastructure, access controls, and encryption practices. We are committed to transparency and provide ongoing updates on our compliance journey, including progress on certifications.
External Communications
All external communications with Skycloak services, including Keycloak clusters, are secured via HTTPS with TLS v1.3. This ensures that any data transmitted to and from our services remains encrypted and protected from interception.
Intra-Network Communications
For intra-network communications, we employ mutual TLS (mTLS) with TLS v1.3, so that all internal service-to-service traffic is encrypted and both endpoints authenticate each other before data is exchanged.
Data Encryption
- AES-256 encryption is applied to all sensitive data in our database, including passwords.
- AEAD-256 encryption secures data in transit between database cluster nodes, adding a further layer of protection for database traffic.
Access Control
We implement role-based access control (RBAC) internally, ensuring that only authorized personnel can access sensitive resources. Permissions are assigned and enforced according to job function and responsibility.
Security Assessments and Monitoring
- Our code undergoes thorough reviews, and we conduct regular vulnerability scans on both our codebase and infrastructure.
- We are currently preparing for penetration testing in the upcoming months in conjunction with our SOC 2 Type 2 certification. Results and findings will be accessible on our Trust Center.
- Continuous threat monitoring of live systems enables us to detect security incidents early and respond to them promptly.
Network Security
Our multi-layered firewall system covers the network, server, and internal service communication levels. All resources operate within a private network to reduce exposure and prevent unauthorized access.
Compliance and Certifications
Skycloak is actively engaged in achieving comprehensive compliance with industry standards. We are currently undergoing a SOC 2 Type 1 audit, expected to complete by early November. Additionally, we are finalizing our GDPR compliance, and we cover most controls of the ISO framework, aiming for full ISO certification by mid-2025.
Business Continuity and Disaster Recovery
- Backup and Restore: Skycloak’s default disaster recovery includes frequent point-in-time backups, enabling us to restore data with close to zero RPO.
- Warm Standby: For higher availability, a warm standby setup can be enabled in a separate region that connects to the same database cluster. This configuration maintains a 0 RPO, with an estimated RTO of 10-30 minutes for full activation.
Incident Management and Notifications
In the event of a security incident, Skycloak follows a structured incident response process. We monitor all clusters’ health and logs continuously and utilize automated self-healing solutions. If an incident impacts user data, we will notify affected customers within 72 hours.
Contact Us
If you have any questions or concerns about our security practices, please reach out to us at [email protected].