Trust & Security

Your Data Protected

Security isn't a feature we bolt on — it's the foundation everything at Skycloak is built on. From AWS infrastructure to employee access controls, every layer is designed to protect your data and meet the highest compliance standards.

Compliance Certifications

We maintain rigorous third-party audits and certifications so your security and compliance teams don't have to take our word for it. All reports are available through our Trust Center.

Five-Layer Defense in Depth

Every request to your Keycloak instance passes through five distinct security layers, each independently hardened and monitored.

1. Edge Protection

Cloudflare provides DDoS mitigation, Web Application Firewall (WAF) rules, and TLS termination at the edge before traffic reaches our infrastructure.

2. Network Isolation

AWS VPC with private subnets, Network Access Control Lists (NACLs), and Security Groups enforce strict ingress and egress rules. No internal services are exposed to the public internet.

3. Service Mesh

A dedicated service mesh enforces mutual TLS (mTLS) between all services. Every internal communication is encrypted and authenticated at the transport layer.

4. Application Security

Keycloak runs in hardened containers with read-only filesystems, non-root processes, and resource limits. Application-level firewalls filter malicious requests.

5. Data Encryption

AES-256 encryption at rest with hardware-backed key management. TLS 1.3 for all data in transit.

Infrastructure Security

Your Keycloak instance runs on hardened AWS infrastructure with complete tenant isolation across dedicated compute, database, and credential boundaries.

Isolated Environments

Production and development workloads run in fully isolated AWS environments. Production infrastructure is locked down with strict IAM policies and segregated access controls.

Complete Tenant Isolation

Every customer gets dedicated compute resources, a dedicated database, and dedicated credentials. No shared database tables, no shared pods, no noisy-neighbor risk.

Global Regions

Deploy in the region closest to your users: US East (Ohio), EU Central (Frankfurt), Asia Pacific (Sydney), or Canada (Central). Data stays in your chosen region.

Continuous Monitoring

Real-time health checks, performance monitoring, and automated alerting. Self-healing mechanisms automatically replace unhealthy pods without manual intervention.

Encryption Everywhere

All data is encrypted in transit and at rest using industry-standard cryptographic protocols with hardware-backed key management.

Data in Transit

  • TLS 1.3 for all external communications
  • Mutual TLS (mTLS) between all internal services
  • AEAD-256 encrypted database cluster communications
  • Perfect Forward Secrecy on all connections

Data at Rest

  • AES-256 encryption for all stored data
  • Hardware-backed key management with automated rotation
  • Encrypted backups and snapshots
  • Customer data encrypted at the field level where applicable

Token Security

  • Short-lived access tokens with configurable lifetimes
  • Refresh token rotation on each use
  • Instant token revocation capability
  • Cryptographically signed JWTs with RS256/ES256

Shared Responsibility Model

As a managed Keycloak provider, we handle the infrastructure and operations so you can focus on your application. Here's exactly where the boundary lies.

Skycloak Manages

  • Keycloak infrastructure provisioning & scaling
  • Operating system & container patching
  • Keycloak version upgrades & CVE tracking
  • Database management, backups & disaster recovery
  • Network security, firewalls & DDoS protection
  • TLS certificates & encryption key management
  • Monitoring, alerting & incident response
  • SOC 2, ISO 27001 & GDPR compliance of infrastructure
  • High availability & automatic failover

You Manage

  • Realm configuration & authentication policies
  • User management & access control rules
  • Client application configuration & secrets
  • Custom themes & login page branding
  • Integration security with your applications
  • Password policies & MFA enforcement choices
  • Identity provider federation setup
  • Compliance of data you store in custom attributes
  • End-user communication & consent flows

Data Residency & Privacy

You choose where your data lives. We ensure it stays there with strict controls and transparent data handling practices.

Region Selection

Deploy in US East (Ohio), EU Central (Frankfurt), Asia Pacific (Sydney), or Canada (Central). Your data — including backups and logs — never leaves your chosen region.

International Transfers

For cross-border data transfers, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. Data Processing Agreements are available on request.

Data Retention

Audit logs are retained for up to 365 days depending on plan (90 days by default). Automated database backups are retained for 7 days. Upon account termination, a 60-day grace period is provided for data export, after which all data is permanently deleted.

Subprocessors

AWS provides core infrastructure (compute, database, storage) and Cloudflare provides edge security (DDoS protection, WAF, TLS termination). We do not use third-party analytics, monitoring, or tracking services that access your customer data. Full subprocessor list available on request.

Business Continuity & Incident Response

Structured disaster recovery procedures and severity-based incident response to minimize downtime and keep you informed.

Disaster Recovery

  • Recovery Point Objective (RPO): near-zero
  • Recovery Time Objective (RTO): 10–30 min
  • Uptime SLA: 99.99%+
  • Daily automated snapshots with point-in-time recovery
  • Warm standby option in a separate AWS region
  • Automated self-healing for cluster health issues
  • DR testing cadence: daily verification, weekly PITR tests, monthly failover drills, quarterly full DR exercises

Incident Response

All incidents are classified by severity with defined notification timelines:

| Severity | Description                                        | Notification    |
|----------|----------------------------------------------------|-----------------|
| Critical | Active data breach or complete service outage      | Within 1 hour   |
| High     | Significant service degradation or potential breach | Within 4 hours  |
| Medium   | Limited impact, no data compromise                 | Within 24 hours |
| Low      | Minor issue, no user impact                        | Within 72 hours |

Personnel Security

The security of your data depends on the people who manage it. Every team member follows strict security practices from day one.

  • Background checks for all employees before hire
  • Mandatory annual security awareness training
  • MFA required on all internal systems, no exceptions
  • Least-privilege access with quarterly reviews
  • Continuous compliance monitoring and evidence collection
  • Segregation of duties across infrastructure roles

Security Assessments

Regular testing by independent security firms, continuous vulnerability scanning, and transparent reporting through our Trust Center.

Penetration Testing

Annual third-party penetration testing following OWASP Testing Guide methodology. Results and remediation reports available through the Trust Center.

Vulnerability Scanning

Continuous automated scanning of infrastructure and dependencies. Keycloak CVEs are actively tracked, and affected instances are upgraded to patched versions promptly.

Code Reviews

All infrastructure changes undergo peer review and automated security checks before deployment. Secure SDLC practices enforced across all codebases.

Responsible Disclosure

We value the work of security researchers. If you believe you've found a security vulnerability in Skycloak, we want to hear from you.

Report to: [email protected]
Response time: Acknowledgment within 2 business days
Resolution target: Critical issues triaged within 24 hours

Please provide detailed reproduction steps and allow us reasonable time to investigate and remediate before public disclosure. We will credit researchers who report valid findings, upon request.

Security FAQ

Common questions from security and procurement teams.

Can I get a copy of your SOC 2 Type II report?

Yes. SOC 2 Type II, ISO 27001, and penetration test reports are available through our Trust Center. Contact us if you need access to gated documents.

Where is my data stored?

You choose your deployment region at cluster creation: US East (Ohio), EU Central (Frankfurt), Asia Pacific (Sydney), or Canada (Central). All data — including backups and audit logs — stays within your chosen region.

Is customer data shared between tenants?

No. Every Skycloak customer receives dedicated compute resources, a dedicated database, and dedicated credentials. There are no shared database tables, no shared pods, and no shared secrets between customers.

What happens if there's a security incident?

We follow a severity-based incident response process. Critical incidents (active breaches or total outages) trigger notification within 1 hour; high-severity incidents trigger notification within 4 hours. All incidents include root cause analysis and remediation documentation.

How do you handle Keycloak CVEs?

We actively track all Keycloak security advisories. When a CVE is disclosed, we assess impact and upgrade affected instances to the patched Keycloak version. Critical vulnerabilities are prioritized for immediate action. You'll be notified of any CVE that affects your instance.

Do you have a Data Processing Agreement (DPA)?

Yes. Our DPA includes Standard Contractual Clauses (SCCs) for international data transfers. Contact us at sales to request one.

What subprocessors do you use?

AWS provides core infrastructure and Cloudflare provides edge security services. We do not use third-party analytics, telemetry, or monitoring services that access customer identity data. A detailed subprocessor list is available on request.

Do you support SSO for admin access?

Yes. Skycloak dashboard access supports SSO via OpenID Connect. You can use your own identity provider to authenticate your team's access to the management console.

Questions About Security?

Our team is ready to discuss your security and compliance requirements. Request our SOC 2 report, schedule a security review, or report a concern.

SOC 2 Type II Compliant
GDPR Compliant
ISO 27001 Certified
© 2026 Skycloak. All Rights Reserved. Design by Yasser Soliman