SOC 2 Type II Certified

Enterprise-Grade Security by Default

Keboola is designed for teams that operate critical data pipelines across finance, IT operations, and business analytics.

TRUSTED COMPLIANCE STANDARDS

GDPR

Full EU data protection compliance with Data Processing Agreements available.

CCPA

Support for California Consumer Privacy Act (CCPA) obligations as a service provider.

HIPAA

Business Associate Agreements for healthcare data privacy compliance. Enterprise tier feature.

Keboola Deployment Options

Choose the deployment model that best fits your security and compliance needs.

Multi-Tenant SaaS

Most popular
  • Data Storage Location
    Managed by Keboola
  • Control Plane
    Shared (Logically Isolated)
  • Data Residency Control
    Region-specific
  • Network Isolation
    Keboola SaaS Security
  • Management Overhead
    None
  • Time to Value
    Hour
  • Typical TCO
    $

Hybrid Model

Best of Both
  • Data Storage Location
    Your Snowflake/BigQuery Account
  • Control Plane
    Shared (Logically Isolated)
  • Data Residency Control
    Your Control
  • Network Isolation
    Keboola SaaS Security
  • Management Overhead
    Minimal (DWH only)
  • Time to Value
    Day
  • Typical TCO
    $$

Single-Tenant Private

Enterprise
  • Data Storage Location
    Your Cloud Account (VPC)
  • Control Plane
    Dedicated
  • Data Residency Control
    Your Control
  • Network Isolation
    Tailored to Your Needs (VPC, Private Link)
  • Management Overhead
    Your IT (Cloud infra only)
  • Time to Value
    Week
  • Typical TCO
    $$$

Security Architecture

Comprehensive Security Architecture

Our defense-in-depth approach to protecting your data across every layer.

Data Protection

AES-256 encryption is used for data at rest, with TLS 1.2+ for data in transit. This ensures customer data is protected from unauthorized access throughout its lifecycle.

  • AES-256 encryption
  • TLS 1.3 in transit
  • Encrypted backups
  • Data masking

Network Security

Multi-layer network protections including Virtual Private Cloud (VPC) isolation, IP whitelisting, secure peering options, and managed DDoS mitigation.

  • VPC isolation
  • Control / Data Plane concept
  • DDoS mitigation
  • IP whitelisting

Monitoring & Audit

Comprehensive audit logs capture user and system actions across the platform. Logs are immutable and retained to support compliance audits and investigations.

  • 24/7 SIEM
  • Audit trails
  • Anomaly detection
  • Incident response

Access Control

Enterprise-grade authentication with support for Multi-Factor (MFA), SSO integrations (Okta, Azure AD), and role-based access control (RBAC).

  • RBAC
  • SSO/SAML 2.0
  • MFA enforcement
  • Session management

Secret Management

Secure credential storage and least-privilege access.

  • Vault integration (coming soon)
  • Full metadata
  • Key versioning
  • Access logging

Infrastructure

Cloud-native infrastructure on AWS/Azure/GCP with redundancy and disaster recovery.

  • Multi-region
  • Auto-scaling
  • Disaster recovery
  • 99.9% Uptime


Security FAQs

Keboola provides comprehensive audit capabilities:

  • Complete audit trails with all user actions, data changes, job executions, and configuration modifications logged with timestamps and user attribution.
  • Telemetry data includes job execution details, data flows, schema evolution, and operational metadata available for compliance reporting.
  • Support access is controlled: engineers must request access through the platform and project administrators receive notifications to approve or reject requests. When approved, support access is granted with full audit logging and configurable auto-join policies. Organizations can disable auto-join to require explicit invitations for all access.

Learn more at keboola.com/product/security

Keboola provides multi-region deployment options across three major cloud providers. Available regions include:

  • United States (AWS US Virginia, GCP US Virginia)
  • European Union (AWS EU Frankfurt, Azure EU Ireland, GCP EU Frankfurt)
  • Custom regions (single-tenant deployments in any region supported by the cloud provider)

For EU data protection, sub-processors are contractually bound to EU processing. BYODB deployments give customers direct control over data residency since data resides in customer-owned databases.

Learn more at keboola.com/dpa and security.keboola.com

Keboola implements multi-layered access controls:

  • Role-Based Access Control (RBAC) with granular bucket-level permissions including Share, Admin, Guest, Developer, and Reviewer roles.
  • Single Sign-On (SAML) integration with Active Directory, Azure AD, Google Authentication, and other providers.
  • Multi-Factor Authentication (MFA) supporting authenticator apps (TOTP) and hardware security keys (FIDO/U2F); administrators can enforce MFA for all users.
  • Token-based authorization with short-lived tokens having specific scopes for automated processes, restricted to specific buckets or operations.
  • Brute force protection includes CAPTCHA verification after 10 failed login attempts within 5 minutes.

Learn more at keboola.com/product/security

Keboola's security architecture adapts to three deployment models:

  • Multi-tenant SaaS with network isolation between tenants, encrypted storage, and access controls, available in AWS (US, EU), Azure (EU), and GCP (US, EU), with VPC deployment options for Enterprise.
  • Single-tenant deployment places the complete Keboola stack within the customer's cloud environment for maximum control, custom security policies, custom domains, and direct Active Directory integration.
  • BYODB (Bring Your Own Database) keeps customer data in customer-owned Snowflake or BigQuery instances while Keboola orchestrates but never stores customer data on Keboola infrastructure.

All deployment models maintain full audit logging and Docker containerization.

Learn more at help.keboola.com/storage/byodb/

Keboola implements defense-in-depth encryption at multiple layers:

  • Data at rest uses AES-256 encryption through AWS KMS, Azure Key Vault, and Google Cloud KMS, with all stored data (Snowflake tables, file storage, configuration values) remaining encrypted.
  • Data in transit uses TLS 1.2+ (HTTPS) for all API communications, web interface access, and component data transfers.
  • Application-level encryption protects sensitive configuration values prefixed with # by automatically encrypting before storage. No decryption API exists for end users; encrypted values only decrypt during component execution. Ciphers are region-locked and cannot transfer between deployments.

Learn more at developers.keboola.com/overview/encryption/

Keboola maintains enterprise-grade security certifications:

  • SOC 2 Type II annual certification demonstrating ongoing operational effectiveness of security controls, available through the Trust Center.
  • GDPR Compliance maintained since May 2018 with comprehensive Data Processing Agreement (DPA) and Standard Contractual Clauses.
  • HIPAA Compliance available for healthcare organizations in the Enterprise tier.
  • Cloud infrastructure partners (AWS, Azure, GCP) maintain ISO 27001, CSA STAR, and other certifications.
  • Sub-processors are contractually bound to process data only in approved regions.

The Trust Center provides access to compliance documentation, vulnerability disclosure policies, and bug bounty program.

Learn more at security.keboola.com