Security isn't a feature we bolt on. It is the foundation everything at Skycloak is built on. From our multi-cloud infrastructure to employee access controls, every layer is designed to protect your data and meet the highest compliance standards.
SOC 2, ISO 27001, and GDPR reports available on request.
We maintain rigorous third-party audits and certifications so your security and compliance teams don't have to take our word for it. Reports are available on request.
Independently audited across all five Trust Service Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy.
Compliant
Certified information security management system covering risk assessment, access control, encryption, incident management, and business continuity planning.
Certified
Full compliance with the EU General Data Protection Regulation. Standard Contractual Clauses (SCCs) available for international data transfers. Data Processing Agreements on request.
CompliantEvery request to your Keycloak instance passes through five distinct security layers, each independently hardened and monitored.
Cloudflare provides DDoS mitigation, Web Application Firewall (WAF) rules, and TLS termination at the edge before traffic reaches our infrastructure.
Private virtual networks with network access control lists and security groups enforce strict ingress and egress rules on every cloud we run on. No internal services are exposed to the public internet.
A dedicated service mesh enforces mutual TLS (mTLS) between all services. Every internal communication is encrypted and authenticated at the transport layer.
Keycloak runs in hardened containers with read-only filesystems, non-root processes, and resource limits. Application-level firewalls filter malicious requests.
AES-256 encryption at rest with hardware-backed key management. TLS 1.3 for all data in transit.
Your Keycloak instance runs on hardened cloud infrastructure with complete tenant isolation across dedicated compute, database, and credential boundaries.
Production and development workloads run in fully isolated cloud environments. Production infrastructure is locked down with strict IAM policies and segregated access controls.
Every customer gets dedicated compute resources, a dedicated database, and dedicated credentials. No shared database tables, no shared instances, no noisy-neighbor risk.
Deploy in the region closest to your users: US East (Ohio), EU Central (Frankfurt), Asia Pacific (Sydney), or Canada (Central). Data stays in your chosen region.
Real-time health checks, performance monitoring, and automated alerting. Self-healing mechanisms automatically replace unhealthy instances without manual intervention.
All data is encrypted in transit and at rest using industry-standard cryptographic protocols with hardware-backed key management.
As a managed Keycloak provider, we handle the infrastructure and operations so you can focus on your application. Here's exactly where the boundary lies.
You choose where your data lives. We ensure it stays there with strict controls and transparent data handling practices.
Deploy in US East (Ohio), EU Central (Frankfurt), Asia Pacific (Sydney), or Canada (Central), with more regions added over time. Your data, including backups and logs, never leaves your chosen region.
For cross-border data transfers, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. Data Processing Agreements are available on request.
Audit logs retained up to 365 days depending on plan (90 days default). Automated database backups retained for 7 days. Upon account termination, a 60-day grace period is provided for data export, after which all data is permanently deleted.
Our infrastructure runs across multiple cloud providers, including AWS, Azure, GCP, OVH, Akamai, and Scaleway, depending on region, and Cloudflare provides edge security (DDoS protection, WAF, TLS termination). We do not use third-party analytics, monitoring, or tracking services that access your customer data. Full subprocessor list available on request.
Structured disaster recovery procedures and severity-based incident response to minimize downtime and keep you informed.
All incidents are classified by severity with defined notification timelines:
| Severity | Description | Notification |
|---|---|---|
| Critical | Active data breach or complete service outage | Within 1 hour |
| High | Significant service degradation or potential breach | Within 4 hours |
| Medium | Limited impact, no data compromise | Within 24 hours |
| Low | Minor issue, no user impact | Within 72 hours |
The security of your data depends on the people who manage it. Every team member follows strict security practices from day one.
Regular testing by independent security firms, continuous vulnerability scanning, and transparent reporting, with reports available on request.
Annual third-party penetration testing following OWASP Testing Guide methodology. Results and remediation reports available on request.
Continuous automated scanning of infrastructure and dependencies. Keycloak CVEs are actively tracked, and affected instances are upgraded to patched versions promptly.
All infrastructure changes undergo peer review and automated security checks before deployment. Secure SDLC practices enforced across all codebases.
We value the work of security researchers. If you believe you've found a security vulnerability in Skycloak, we want to hear from you.
Please provide detailed reproduction steps and allow us reasonable time to investigate and remediate before public disclosure. We will credit researchers who report valid findings, upon request.
Common questions from security and procurement teams.
Explore our advanced security add-ons including WAF, DDoS protection, rate limiting, geo-blocking, and more.
Our team is ready to discuss your security and compliance requirements. Request our SOC 2 report, schedule a security review, or report a concern.