Trust & Security

Keycloak security and compliance.

Security isn't a feature we bolt on. It is the foundation everything at Skycloak is built on. From our multi-cloud infrastructure to employee access controls, every layer is designed to protect your data and meet the highest compliance standards.

SOC 2, ISO 27001, and GDPR reports available on request.

Compliance certifications.

We maintain rigorous third-party audits and certifications so your security and compliance teams don't have to take our word for it. Reports are available on request.

SOC 2 Type II

Independently audited across all five Trust Service Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy.

Compliant

ISO 27001

Certified information security management system covering risk assessment, access control, encryption, incident management, and business continuity planning.

Certified

GDPR

Full compliance with the EU General Data Protection Regulation. Standard Contractual Clauses (SCCs) available for international data transfers. Data Processing Agreements on request.

Compliant
Visit the Trust Center

Five-layer defense in depth.

Every request to your Keycloak instance passes through five distinct security layers, each independently hardened and monitored.

1

Edge Protection

Cloudflare provides DDoS mitigation, Web Application Firewall (WAF) rules, and TLS termination at the edge before traffic reaches our infrastructure.

2

Network Isolation

Private virtual networks with network access control lists and security groups enforce strict ingress and egress rules on every cloud we run on. No internal services are exposed to the public internet.

3

Service Mesh

A dedicated service mesh enforces mutual TLS (mTLS) between all services. Every internal communication is encrypted and authenticated at the transport layer.

4

Application Security

Keycloak runs in hardened containers with read-only filesystems, non-root processes, and resource limits. Application-level firewalls filter malicious requests.

5

Data Encryption

AES-256 encryption at rest with hardware-backed key management. TLS 1.3 for all data in transit.

Infrastructure security.

Your Keycloak instance runs on hardened cloud infrastructure with complete tenant isolation across dedicated compute, database, and credential boundaries.

Isolated Environments

Production and development workloads run in fully isolated cloud environments. Production infrastructure is locked down with strict IAM policies and segregated access controls.

Complete Tenant Isolation

Every customer gets dedicated compute resources, a dedicated database, and dedicated credentials. No shared database tables, no shared instances, no noisy-neighbor risk.

Global Regions

Deploy in the region closest to your users: US East (Ohio), EU Central (Frankfurt), Asia Pacific (Sydney), or Canada (Central). Data stays in your chosen region.

Continuous Monitoring

Real-time health checks, performance monitoring, and automated alerting. Self-healing mechanisms automatically replace unhealthy instances without manual intervention.

Encryption everywhere.

All data is encrypted in transit and at rest using industry-standard cryptographic protocols with hardware-backed key management.

Data in Transit

  • TLS 1.3 for all external communications
  • Mutual TLS (mTLS) between all internal services
  • AEAD-256 encrypted database cluster communications
  • Perfect Forward Secrecy on all connections

Data at Rest

  • AES-256 encryption for all stored data
  • Hardware-backed key management with automated rotation
  • Encrypted backups and snapshots
  • Customer data encrypted at the field level where applicable

Token Security

  • Short-lived access tokens with configurable lifetimes
  • Refresh token rotation on each use
  • Instant token revocation capability
  • Cryptographically signed JWTs with RS256/ES256

Shared responsibility model.

As a managed Keycloak provider, we handle the infrastructure and operations so you can focus on your application. Here's exactly where the boundary lies.

Skycloak Manages
  • Keycloak infrastructure provisioning & scaling
  • Operating system & container patching
  • Keycloak version upgrades & CVE tracking
  • Database management, backups & disaster recovery
  • Network security, firewalls & DDoS protection
  • TLS certificates & encryption key management
  • Monitoring, alerting & incident response
  • SOC 2, ISO 27001 & GDPR compliance of infrastructure
  • High availability & automatic failover
You Manage
  • Realm configuration & authentication policies
  • User management & access control rules
  • Client application configuration & secrets
  • Custom themes & login page branding
  • Integration security with your applications
  • Password policies & MFA enforcement choices
  • Identity provider federation setup
  • Compliance of data you store in custom attributes
  • End-user communication & consent flows

Data residency & privacy.

You choose where your data lives. We ensure it stays there with strict controls and transparent data handling practices.

Region Selection

Deploy in US East (Ohio), EU Central (Frankfurt), Asia Pacific (Sydney), or Canada (Central), with more regions added over time. Your data, including backups and logs, never leaves your chosen region.

International Transfers

For cross-border data transfers, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. Data Processing Agreements are available on request.

Data Retention

Audit logs retained up to 365 days depending on plan (90 days default). Automated database backups retained for 7 days. Upon account termination, a 60-day grace period is provided for data export, after which all data is permanently deleted.

Subprocessors

Our infrastructure runs across multiple cloud providers, including AWS, Azure, GCP, OVH, Akamai, and Scaleway, depending on region, and Cloudflare provides edge security (DDoS protection, WAF, TLS termination). We do not use third-party analytics, monitoring, or tracking services that access your customer data. Full subprocessor list available on request.

Business continuity & incident response.

Structured disaster recovery procedures and severity-based incident response to minimize downtime and keep you informed.

Disaster Recovery

Near-Zero
Recovery Point (RPO)
10-30 min
Recovery Time (RTO)
99.99%+
Uptime SLA
  • Daily automated snapshots with point-in-time recovery
  • Warm standby option in a separate region
  • Automated self-healing for cluster health issues
  • DR testing cadence: daily verification, weekly PITR tests, monthly failover drills, quarterly full DR exercises

Incident Response

All incidents are classified by severity with defined notification timelines:

SeverityDescriptionNotification
CriticalActive data breach or complete service outageWithin 1 hour
HighSignificant service degradation or potential breachWithin 4 hours
MediumLimited impact, no data compromiseWithin 24 hours
LowMinor issue, no user impactWithin 72 hours

Personnel security.

The security of your data depends on the people who manage it. Every team member follows strict security practices from day one.

Background checks for all employees before hire
Mandatory annual security awareness training
MFA required on all internal systems, no exceptions
Least-privilege access with quarterly reviews
Continuous compliance monitoring and evidence collection
Segregation of duties across infrastructure roles

Security assessments.

Regular testing by independent security firms, continuous vulnerability scanning, and transparent reporting, with reports available on request.

Penetration Testing

Annual third-party penetration testing following OWASP Testing Guide methodology. Results and remediation reports available on request.

Vulnerability Scanning

Continuous automated scanning of infrastructure and dependencies. Keycloak CVEs are actively tracked, and affected instances are upgraded to patched versions promptly.

Code Reviews

All infrastructure changes undergo peer review and automated security checks before deployment. Secure SDLC practices enforced across all codebases.

Responsible disclosure.

We value the work of security researchers. If you believe you've found a security vulnerability in Skycloak, we want to hear from you.

Report to:
Response time:Acknowledgment within 2 business days
Resolution target:Critical issues triaged within 24 hours

Please provide detailed reproduction steps and allow us reasonable time to investigate and remediate before public disclosure. We will credit researchers who report valid findings, upon request.

Security FAQ.

Common questions from security and procurement teams.

Can I get a copy of your SOC 2 Type II report?
Yes. Our SOC 2 Type II report is available to customers and prospects under NDA. Contact us to request access, and our team will share it, along with our ISO 27001 certificate and other compliance documentation.
Where is my data stored?
You choose the region: US East (Ohio), EU Central (Frankfurt), Asia Pacific (Sydney), or Canada (Central), with more regions added over time. Your data, including backups and logs, stays in your chosen region.
Is customer data shared between tenants?
No. Every customer runs in its own fully isolated tenant with dedicated resources, so there is complete tenant isolation and no noisy-neighbor risk. For the architecture details, reach out.
What happens if there is a security incident?
Incidents are classified by severity with defined notification timelines: Critical within 1 hour, High within 4 hours, Medium within 24 hours, and Low within 72 hours. We follow a structured incident response process and keep you informed throughout.
How do you handle Keycloak CVEs?
We actively track Keycloak CVEs and security advisories. Affected instances are upgraded to patched versions promptly as part of managed version upgrades, so you are not left running vulnerable releases.
Do you have a Data Processing Agreement (DPA)?
Yes. A GDPR-compliant Data Processing Agreement is available on request, along with Standard Contractual Clauses (SCCs) for international data transfers.
What subprocessors do you use?
Our infrastructure runs across multiple cloud providers, including AWS, Azure, GCP, OVH, Akamai, and Scaleway, depending on region, and Cloudflare provides edge security (DDoS protection, WAF, TLS termination). We do not use third-party analytics, monitoring, or tracking services that access your customer data. A full subprocessor list is available on request.
Do you support SSO for admin access?
Yes. You can federate admin access to your own identity provider over OIDC or SAML, and MFA can be enforced. Internally, MFA is required on all Skycloak systems with no exceptions and access follows least-privilege with quarterly reviews.

Looking for security features?

Explore our advanced security add-ons including WAF, DDoS protection, rate limiting, geo-blocking, and more.

View Security Features

Questions about security?

Our team is ready to discuss your security and compliance requirements. Request our SOC 2 report, schedule a security review, or report a concern.

SOC 2 Type II Compliant GDPR Compliant ISO 27001 Certified
Talk to Sales Start Free Trial
© 2026 Skycloak. All Rights Reserved. Design by Yasser Soliman