Ensuring robust security for our users’ data is central to Skycloak’s mission. Below, we outline the essential measures and protocols we have implemented to safeguard our users’ information and maintain continuity of service.
Overview
Skycloak adheres to strict industry standards for data security, continuously enhancing our infrastructure, access controls, and encryption practices. We are committed to transparency and provide ongoing updates on our compliance journey, including progress on certifications.
External Communications
All external communications with Skycloak services, including Keycloak clusters, are secured via HTTPS with TLS v1.3. This ensures that any data transmitted to and from our services remains encrypted and protected from interception.
Intra-Network Communications
For intra-network communications, we employ mutual TLS (mTLS) with TLS v1.3, so that all internal service communications are encrypted and both ends of every connection authenticate each other with certificates.
Data Encryption
- AES-256 encryption is applied to all sensitive data in our database, including passwords.
- AEAD-256 encryption secures data in transit between database cluster nodes, adding a further layer of protection for database traffic.
Access Control
We implement role-based access control (RBAC) internally, ensuring that only authorized personnel can access sensitive resources. Permissions are assigned and enforced according to job function and responsibility.
Security Assessments and Monitoring
Our code undergoes thorough reviews, and we conduct regular vulnerability scans across both our codebase and infrastructure.
We perform annual third-party penetration tests, with results and remediation details available to customers upon request or via our Trust Center.
Continuous threat monitoring of live systems enables us to detect and respond to security incidents proactively.
Network Security
Our multi-layered firewall system covers the network, server, and internal service communication levels. All resources operate within a private network to reduce exposure and prevent unauthorized access.
Compliance and Certifications
Skycloak maintains compliance with multiple industry standards:
- SOC 2 Type II — Audited and certified for operational effectiveness of security controls.
- ISO/IEC 27001 — Information Security Management System (ISMS) compliant.
- GDPR — Fully compliant with EU General Data Protection Regulation requirements.
Our certifications, audit reports, and data protection documentation are available to enterprise customers and prospects via our Trust Center.
Business Continuity and Disaster Recovery
- Backup and Restore: Skycloak’s default disaster recovery includes frequent point-in-time backups, enabling us to restore data with close to zero RPO.
- Warm Standby: For higher availability, a warm standby setup can be enabled in a separate region that connects to the same database cluster. This configuration maintains a 0 RPO, with an estimated RTO of 10-30 minutes for full activation.
Incident Management and Notifications
In the event of a security incident, Skycloak follows a structured incident response process. We monitor all clusters’ health and logs continuously and utilize automated self-healing solutions. If an incident impacts user data, we will notify affected customers within 72 hours.
Contact Us
If you have any questions or concerns about our security practices, please reach out to us at [email protected].