Run your data operations on a single, unified platform.

  • Easy setup, no data storage required
  • Free forever for core features
  • Simple expansion with additional credits
cross-icon
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Arrow pointing to the right

Enterprise-Grade
Security by Default

Keboola is designed for teams that operate critical data pipelines across finance, IT operations, and business analytics.

Granular Role-based Access Control

Multi-layered Network Security Architecture

Logical & Physical Environment Isolation

Active Metadata
& full audit trail

TRUSTED COMPLIANCE STANDARDS

GDPR icon

GDPR

Full EU data protection compliance with Data Processing Agreements available.
plus icon

CCPA

Support for California Consumer Privacy Act (CCPA) obligations as a service provider.
plus icon
HIPAA icon

HIPAA

Business Associate Agreements available for healthcare data privacy compliance

Keboola Deployment Options

Choose the deployment model that best fits your security and compliance needs.

Data Storage Location
Control Plane
Data Residency Control
Network Isolation
Management Overhead
Time to Value
Typical TCO
Multi-Tenant SaaS
Most popular
Managed by Keboola
Shared (Logically Isolated)
Region-specific
Keboola SaaS Security
None
Hour
$
Hybrid Model
Best of Both
Your Snowflake/BigQuery Account
Shared (Logically Isolated)
Your Control
Keboola SaaS Security
Minimal (DWH only)
Day
$$
Single-Tenant Private
Enterprise
Your Cloud Account
(VPC)
Dedicated
Your Control
Tailored to Your Needs
(VPC, Private Link)
Your IT
(Cloud infra only)
Week
$$$


All deployment options include enterprise-grade security, 24/7 monitoring, and dedicated support.

Comprehensive Security Architecture

Our defense-in-depth approach to protecting your data across every layer.

Data Protection

AES-256 encryption is used for data at rest, with TLS 1.2+ for data in transit. This ensures customer data is protected from unauthorized access throughout its lifecycle.

AES-256 encryption
TLS 1.3 in transit
Encrypted backups
Data masking

Network Security

Multi-layer network protections including Virtual Private Cloud (VPC) isolation, IP whitelisting, secure peering options, and managed DDoS mitigation.

VPC isolation
Control / Data Plane concept
DDoS mitigation
IP whitelisting

Monitoring & Audit

Comprehensive audit logs capture user and system actions across the platform. Logs are immutable and retained to support compliance audits and investigations.

24/7 SIEM
Audit trails
Anomaly detection
Incident response

Access Control

Enterprise-grade authentication with support for Multi-Factor (MFA), SSO integrations (Okta, Azure AD), and role-based access control (RBAC).

RBAC
SSO/SAML 2.0
MFA enforcement
Session management

Secret Management

Secure credential storage and least-privilege access.

Vault integration (coming soon)
Full metadata
Key versioning
Access logging

Infrastructure

Cloud-native infrastructure on AWS/Azure/GCP with redundancy and disaster recovery.

Multi-region
Auto-scaling
Disaster recovery
99.9% Uptime

Keboola Security Resources

Deep dive into our policies and technical documentation

Data Retention Policy

Business Continuity Plan

Business Continuity & Disaster Recovery Policy

PHI Data Breach Notification Procedure

Network Security Procedure

Information Security Policy

Incident Management Policy

Data Breach Notification Policy

Security FAQs

How does Keboola handle audit logging and support access?

Keboola provides comprehensive audit capabilities:

  • Complete audit trails: All user actions, data changes, job executions, and configuration modifications are logged with timestamps and user attribution
  • Telemetry data: Job execution details, data flows, schema evolution, and operational metadata available for compliance reporting
  • Controlled support access: Keboola support engineers must request access through the platform; project administrators receive notifications and can approve or reject requests
  • Time-limited access: When approved, support access is granted with full audit logging and configurable auto-join policies
  • Customer-controlled: Organizations can disable auto-join to require explicit invitations for all access

Learn more at keboola.com/product/security

What data residency options does Keboola offer for regulatory compliance?

Keboola provides multi-region deployment options across three major cloud providers:

Available regions:

  • United States: AWS US Virginia, GCP US Virginia
  • European Union: AWS EU Frankfurt, Azure EU Ireland, GCP EU Frankfurt
  • Custom regions: Single-tenant deployments in any region supported by the cloud provider

For EU data protection, sub-processors (AWS EMEA SARL, Microsoft Ireland Operations, Google Cloud EMEA Ltd.) are contractually bound to EU processing.

BYODB deployments give customers direct control over data residency since data resides in customer-owned databases.

Learn more at keboola.com/dpa | security.keboola.com

What access controls does Keboola provide for enterprise security?

Keboola implements multi-layered access controls:

  • Role-Based Access Control (RBAC): Granular bucket-level permissions with roles including Share, Admin, Guest, Developer, and Reviewer
  • Single Sign-On (SSO): SAML integration with Active Directory, Azure AD, Google Authentication, and other providers
  • Multi-Factor Authentication (MFA): Authenticator apps (TOTP) and hardware security keys (FIDO/U2F)—administrators can enforce MFA for all users
  • Token-based authorization: Short-lived tokens with specific scopes for automated processes, restricted to specific buckets or operations
  • Brute force protection: CAPTCHA verification after 10 failed login attempts within 5 minutes

Learn more at keboola.com/product/security

How does Keboola ensure security across different deployment models?

Keboola's security architecture adapts to three deployment models:

  • Multi-tenant SaaS: Network isolation between tenants, encrypted storage, access controls. Available in AWS (US, EU), Azure (EU), and GCP (US, EU). VPC deployment options available for Enterprise.
  • Single-tenant deployment: Complete Keboola stack within customer's cloud environment—maximum control, custom security policies, custom domains, direct Active Directory integration
  • BYODB (Bring Your Own Database): Customer data stays in customer-owned Snowflake or BigQuery instances. Keboola orchestrates but never stores customer data on Keboola infrastructure.

All deployment models maintain full audit logging and Docker containerization ensuring components run in isolated environments.

Learn more at help.keboola.com/storage/byodb

How does Keboola encrypt data at rest and in transit?

Keboola implements defense-in-depth encryption at multiple layers:

Data at rest:

  • AES-256 encryption through AWS KMS, Azure Key Vault, and Google Cloud KMS
  • All stored data—Snowflake tables, file storage, configuration values—remains encrypted

Data in transit:

  • TLS 1.2+ (HTTPS) for all API communications, web interface access, and component data transfers

Application-level encryption:

  • Sensitive configuration values prefixed with # are automatically encrypted before storage
  • No decryption API exists for end users—encrypted values only decrypted during component execution
  • Ciphers are region-locked and cannot transfer between deployments

Learn more at developers.keboola.com/overview/encryption

What security certifications and compliance standards does Keboola meet?

Keboola maintains enterprise-grade security certifications:

  • SOC 2 Type II: Annual certification demonstrating ongoing operational effectiveness of security controls—available through the Trust Center
  • GDPR Compliance: Maintained since May 2018 with comprehensive Data Processing Agreement (DPA) and Standard Contractual Clauses
  • HIPAA Compliance: Available for healthcare organizations in the Enterprise tier

Cloud infrastructure partners (AWS, Azure, GCP) maintain ISO 27001, CSA STAR, and other certifications. Sub-processors are contractually bound to process data only in approved regions.

The Trust Center provides access to compliance documentation, vulnerability disclosure policies, and bug bounty program.

Learn more at security.keboola.com

Product
Resources
© Keboola 2020 – Terms & Conditions & Privacy
© Keboola
Cookie Policy
Change Cookie Settings
Terms & Conditions PrivacyTrust CenterResponsible Disclosure Program

Join our newsletter

#noSpamWePromise
By subscribing to our newsletter you agree with Keboola Czech s.r.o. Privacy Policy.
You are now subscribed to Keboola newsletter
Oops! Something went wrong while submitting the form.
cross-icon