Tyk Technologies Ltd

Tyk API Gateway - Multi-Cloud Pro

API Gateway and Management Platform across multiple clouds. Hybrid architecture, API Gateways hosted in the DC or cloud provider(s) of your choice, management platform in the public cloud. Design, Secure, Measure and Control your APIs through API gateways connected to our API dashboard. API Developer Portal provides self-signup and monetisation.


  • Expose, secure, enrol, measure and monetise your APIs
  • Gateways handle thousands of concurrent API Calls
  • Microservice features including service discovery, timeouts, circuit breakers, etc
  • Authentication against all standard auth mechanisms
  • Apply Quotas and Rate Limits to control access
  • Detailed Monitoring and Analytics through the dashboard
  • API Developer portal allows for complete self-service
  • API Documentation and sandbox for all your APIs
  • On-the-fly transforms to manipulate requests and responses
  • Span multiple clouds for performance and resilience


  • Low cost of implementation and ownership
  • Get started instantly via public cloud signup
  • Monetise or Demonstrate API usage and impact via included analytics
  • Version control and full API life-cycle management/governance
  • Lower cost of API development and management
  • Enables self service by API developers and consumers
  • Migrate from public cloud, to private to on-prem, as required
  • No vendor lock-in, Tyk can be deployed across multiple clouds
  • Automate and Integrate with DevOps Pipeline, including Jenkins, Github, etc
  • Conforms to standards including OpenAPI, Swagger, ISO, HIPAA & PCI


£0 per unit per year

Service documents

G-Cloud 10


Tyk Technologies Ltd

Andrew Murray

020 3409 1911


Service scope

Service scope
Service constraints None
System requirements None

User support

User support
Email or online ticketing support Email or online ticketing
Support response times When a support request is received, a priority level is set against the request dependent on its urgency and its impact on the customer’s business.

Included without charge, is a 6hr response for High Priority Issues

This can be upgraded to a 24/7/365 one-hour response for high priority issues at additional cost.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Yes, at an extra cost
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Keyboard accessibility shortcuts, support for large text and screen reader improvements on iOS & Android, adjustable zoom preferences and ability to stop automatic animations.
Web chat accessibility testing N/A
Onsite support Onsite support
Support levels Our Enteprise SLA offers 24/7/365 access with fixed time responses.
This SLA has three tiers, with maximum response times of 1 hour, 2 hours or 24 hours depending on the severity of the issue. Depending on the hosting package selected, the cost starts from £30,000 per annum, but in some packages is included in the cost of the hosting.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide 'getting started' guides and documentation that covers a wide range of Tyk features and functionality to help users make the most of the service & tutorial videos. Onboarding sessions with our engineers are also available at an extra cost.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction On completion of contract, the user owns the rights to all of their data. Included within the contract is an agreement that, upon the contract end, users can extract their data via API calls.
End-of-contract process The client would decide to either renew the contract or end it. If client decides to renew, hosting is reviewed and agreed, if end is the option, the data can be exported. Offboarding is not included as standard in our licensing contracts. On conclusion of contract users may request support on how best to extract their required data from the service via helpdesk ticket. If defined during the contract opening & onboarding, we can include an offboarding sessions and assist with migration away from Tyk. At each end of contract, we will hold a call with the client's account manager to discuss feedback.

Using the service

Using the service
Web browser interface Yes
Using the web interface All features and functions of the management platform can be accessed through the GUI in a browser.
Web interface accessibility standard None or don’t know
How the web interface is accessible Keyboard accessibility shortcuts, support for large text and screen reader improvements on iOS & Android, adjustable zoom preferences & ability to stop automatic animations.
Web interface accessibility testing Unknown
What users can and can't do using the API All functionality of the platform can be accessed by API Calls - adding, editing and controlling the service. Tyk is API First!
API automation tools
  • Ansible
  • Chef
  • Terraform
  • Puppet
  • Other
Other API automation tools For the latest compatibity list, visit the Tyk website
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
Command line interface Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface The Tyk CLI provides full access to all features of the API Gateway and some access to features of the API Management platform.


Scaling available Yes
Scaling type
  • Automatic
  • Manual
Independence of resources From a performance perspective, Tyk's infrastructure is configured for auto-scaling to handle increased levels of demand.
From a "protection against bad actors" perspective, all organisations and users within organisations, on the Tyk cloud have rate limits applied - to not over-load the systems.
Usage notifications Yes
Usage reporting
  • API
  • Email
  • Other


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery
Backup and recovery Yes
What’s backed up All data and configuration is backed-up.
Backup controls All data and configuration is backed-up. The client cannot reduce the scope of this.
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Supplier controls the whole backup schedule
Backup recovery Users contact the support team

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks Tyk Cloud infrastructure is protected by strict firewall rules within AWS's VPC network. Only load balancers are accessible from outside on http/s ports, concealing the actual application servers. Databases are accessible from outside, but are regulated by firewall & access rules.There are also credentials and encrypted connections.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network Data may only flow between relevant systems, and is on private network segments depending on role.

Availability and resilience

Availability and resilience
Guaranteed availability The SLA is variable according to the package purchased, from 99.5 to 99.95 availability levels.

Failure to meet service levels produces service credits pro-rata the availability breach.
Approach to resilience All components of the system have redundancy built in to remove single failure points, and the application is horizontally scalable
Outage reporting We have a monitoring service. If there are any alerts it is displayed on a dashboard and if it is a 24/7 client, this is sent via email. We also report these via helpdesk and login pages if applicable.

Identity and authentication

Identity and authentication
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Username or password
  • Other
Other user authentication This depends on the users settings within the platform, so is configurable at the administrators risk, but includes mandatory timeouts and Role Based Access Control.
Access restrictions in management interfaces and support channels Management access is permitted only from internal networks, themselves requiring two factor authentication to access
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications HIPAA

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach In line with our ISO 9001 standards, and to allow us to reach PCI and HIPAA certification, Tyk implements formal, documented policies and procedures that provide guidance for operations and information security within the organisation.
Policies address purpose, scope, roles, responsibilities and management commitment.
Employees maintain policies in a centralised and accessible location.
Information security policies and processes Tyk implements formal, documented policies and procedures that provide guidance for operations and information security within the organisation.
Policies address purpose, scope, roles, responsibilities and management commitment.
Employees maintain policies in a centralised and accessible location.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach The Help Desk maintains records of each customer’s configuration, enabling the support team to liaise with product team over product change requests.
All software changes and patches are documented and subject to change control procedures in accordance with PRINCE2.
An updated set of documentation is provided with each major release and users are notified.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We monitor OWASP and other sources for new software vulnerabilities and vulnerability reports, software patches or new releases. Major releases of public facing applications undergo internally and/or externally conducted penetration testing. Security in our products is constantly under scrutiny and we adapt and change our processes on a regular basis.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Monitoring tools are used to measure server performance metrics as well as storage and network/bandwidth utilisation.
Incident management type Supplier-defined controls
Incident management approach We have a well-established incident management process. A breach / data loss results in a high-priority incident being triggered and logged. A named contact at the customer would be notified and provided with tracking details and a Major Incident Report. Risks would be monitored/actioned via Information Security Management Risk log.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart No

Energy efficiency

Energy efficiency
Energy-efficient datacentres Yes


Price £0 per unit per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Our free version only differs in terms of scale from our Pro version. The free version currently allows users to access the software from a singular region and to preset daily traffic levels.
Link to free trial https://tyk.io/pricing/compare-api-management-platforms/


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑