Tyk Technologies Ltd

Tyk API Management Enterprise Appliance on Multi-Cloud

Enterprise Multi-Cloud API Platform. Gateways and dashboard deployed as an isolated environment across multiple cloud providers. Tyk Enterprise Appliance provides absolute security and segregation of data and access. Design, Secure, Measure and Control your APIs through gateways connected to our dashboard. The developer portal offers self-signup and monetisation.


  • Expose, secure, enrol, measure and monetise your APIs
  • Gateways handle thousands of concurrent API Calls
  • Microservice features including service discovery, timeouts, circuit breakers, etc
  • Authentication against all standard auth mechanisms
  • Apply Quotas and Rate Limits to control access
  • Detailed Monitoring and Analytics through the dashboard
  • API Developer portal allows for complete self-service
  • API Documentation and sandbox for all your APIs
  • On-the-fly transforms to manipulate requests and responses
  • Span multiple clouds for performance and resilience


  • Low cost of implementation and ownership
  • Get started instantly via public cloud signup
  • Monetise or Demonstrate API usage and impact via included analytics
  • Version control and full API life-cycle management/governance
  • Lower cost of API development and management
  • Enables self service by API developers and consumers
  • Migrate from public cloud, to private to on-prem, as required
  • No vendor lock-in, Tyk can be deployed across multiple clouds
  • Automate and Integrate with DevOps Pipeline, including Jenkins, GitHub, etc
  • Conforms to standards including OpenAPI, Swagger, ISO, HIPAA & PCI


£0 a unit a year

Service documents


G-Cloud 12

Service ID

323258002879736


Tyk Technologies Ltd Tamara Evans
Telephone: 020 3409 1911
Email: tamara@tyk.io

Service scope

Service constraints
System requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
When a support request is received, a priority level is set against the request dependent on its urgency and its impact on the customer’s business.

A 6-hour response for high-priority issues is included without charge.

This can be upgraded to a 24/7/365 one-hour response for high priority issues at additional cost.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Yes, at an extra cost
Web chat support availability
24 hours, 7 days a week
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
Keyboard accessibility shortcuts, support for large text and screen reader improvements on iOS & Android, adjustable zoom preferences and ability to stop automatic animations.
Web chat accessibility testing
Onsite support
Onsite support
Support levels
Three SLA Levels are available: 1. Included without charge, every Tyk Pro API Gateway Platform includes access to our Helpdesk via email ticket. 2. For an additional charge, our Silver SLA includes a 4-hour fixed maximum response time and access to engineers via email support and 2 x screenshares. 3. For an additional charge, our Gold SLA offers 24/7 365 access with fixed time responses. These services start from £20,000 per annum, depending upon the exact scope required and scale of deployment.
Support available to third parties

Onboarding and offboarding

Getting started
We provide 'getting started' guides, documentation covering a wide range of Tyk features and functionality, and tutorial videos to help users make the most of the service. Onboarding sessions with our engineers are also available at an extra cost.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
On completion of contract, the user owns the rights to all of their data. Included within the contract is an agreement that, upon the contract end, users can extract their data via API calls.
End-of-contract process
The client decides either to renew the contract or to end it. If the client decides to renew, hosting is reviewed and agreed; if the client decides to end it, the data can be exported. Offboarding is not included as standard in our licensing contracts. On conclusion of the contract, users may request support via helpdesk ticket on how best to extract their required data from the service. If defined during the contract opening and onboarding, we can include offboarding sessions and assist with migration away from Tyk. At the end of each contract, we will hold a call with the client's account manager to discuss feedback.

Using the service

Web browser interface
Using the web interface
All features and functions of the management platform can be accessed through the GUI in a browser.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
Keyboard accessibility shortcuts, support for large text and screen reader improvements on iOS & Android, adjustable zoom preferences and ability to stop automatic animations.
Web interface accessibility testing
What users can and can't do using the API
All functionality of the platform can be accessed by API Calls - adding, editing and controlling the service. Tyk is API First!
API automation tools
  • Ansible
  • Chef
  • Terraform
  • Puppet
  • Other
Other API automation tools
For the latest compatibility list, visit the Tyk website
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
Command line interface
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface
The Tyk CLI provides full access to all features of the API Gateway and some access to features of the API Management platform.


Scaling available
Scaling type
  • Automatic
  • Manual
Independence of resources
Our Enterprise Appliance products are entirely segregated, running on isolated infrastructure, with no cross-over between clients or other products. This product is specifically designed for segregated operation, with a view to optimising toward performance and security for highly-regulated users.
Usage notifications
Usage reporting
  • API
  • Email
  • Other


Infrastructure or application metrics
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
Reporting types
Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
What’s backed up
All data and configuration is backed-up.
Backup controls
All data and configuration is backed-up. The client cannot reduce the scope of this.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
Our Enterprise Appliance products are entirely segregated, running on isolated infrastructure, with no cross-over between clients or other products. This product is specifically designed for segregated operation, with a view to optimising toward performance and security for highly-regulated users.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Data may only flow between relevant systems, and is on private network segments depending on role.

Availability and resilience

Guaranteed availability
The SLA is variable according to the package purchased, from 99.5 to 99.95 availability levels.

Failure to meet service levels produces service credits pro rata to the availability breach.
Approach to resilience
All components of the system have redundancy built in to remove single failure points, and the application is horizontally scalable
Outage reporting
We have a monitoring service. Any alerts are displayed on a dashboard and, for 24/7 clients, are also sent via email. We also report these via helpdesk and login pages if applicable.

Identity and authentication

User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Username or password
  • Other
Other user authentication
This depends on the user's settings within the platform, so it is configurable at the administrator's risk, but includes mandatory timeouts and Role Based Access Control.
Access restrictions in management interfaces and support channels
Management access is permitted only from internal networks, themselves requiring two factor authentication to access
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Alcumus ISOQAR
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Covers Development, provision, management and support of Tyk API Management Software.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Tyk implements formal, documented policies and procedures that provide guidance for operations and information security within the organisation.
Policies address purpose, scope, roles, responsibilities and management commitment.
Employees maintain policies in a centralised and accessible location.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The Help Desk maintains records of each customer’s configuration, enabling the support team to liaise with the product team over product change requests.
All software changes and patches are documented and subject to change control procedures in accordance with PRINCE2.
An updated set of documentation is provided with each major release and users are notified.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We monitor OWASP and other sources for new software vulnerabilities and vulnerability reports, software patches or new releases. Major releases of public facing applications undergo internally and/or externally conducted penetration testing. Security in our products is constantly under scrutiny and we adapt and change our processes on a regular basis.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Monitoring tools are used to measure server performance metrics as well as storage and network/bandwidth utilisation.
Incident management type
Supplier-defined controls
Incident management approach
We have a well-established incident management process. A breach / data loss results in a high-priority incident being triggered and logged. A named contact at the customer would be notified and provided with tracking details and a Major Incident Report. Risks would be monitored/actioned via Information Security Management Risk log.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart

Energy efficiency

Energy-efficient datacentres
Description of energy efficient datacentres
We use AWS network as Data Centres for our SaaS product: https://aws.amazon.com/compliance/data-center/data-centers/


£0 a unit a year
Discount for educational organisations
Free trial available
Description of free trial
Our free version only differs in terms of scale from our Pro version. The free version currently allows users to access the software from a singular region and to preset daily traffic levels.
Link to free trial
