Tyk Technologies Ltd

Tyk Open Source API Gateway

Fully managed open-source API gateway and management platform, available across multiple public and private clouds. Tyk is the leading independent open-source API gateway and management platform. Design, secure, measure and control your APIs through open-source API gateways via the GUI, and provide a portal for developer self-signup.

Features

  • Expose, secure, enrol, measure and monetise your APIs
  • Gateways handle thousands of concurrent API Calls
  • Microservice features including service discovery, timeouts, circuit breakers, etc.
  • Authentication against all standard auth mechanisms
  • Apply Quotas and Rate Limits to control access
  • Detailed Monitoring and Analytics through the dashboard
  • API Developer portal allows for complete self-service
  • API Documentation and sandbox for all your APIs
  • On-the-fly transforms to manipulate requests and responses

Benefits

  • Low cost of implementation and ownership
  • Get started instantly via public cloud signup
  • Monetise or Demonstrate API usage and impact via included analytics
  • Version control and full API life-cycle management/governance
  • Lower cost of API development and management
  • Enables self service by API developers and consumers
  • Migrate from public cloud, to private to on-prem, as required
  • No vendor lock-in, Tyk can be deployed across multiple clouds
  • Automate and Integrate with DevOps Pipeline, including Jenkins, Github, etc
  • Conforms to standards including OpenAPI, Swagger, ISO, HIPAA & PCI

Pricing

£0 a unit a year

Service documents

Framework

G-Cloud 12

Service ID

811755258896618

Contact

Tyk Technologies Ltd, Tamara Evans
Telephone: 020 3409 1911
Email: tamara@tyk.io

Service scope

Service constraints
None
System requirements
None

User support

Email or online ticketing support
Email or online ticketing
Support response times
When a support request is received, a priority level is set against the request dependent on its urgency and its impact on the customer’s business.

Included without charge is a 6-hour response for high priority issues.

This can be upgraded to a 24/7/365 one-hour response for high priority issues at additional cost.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
Yes, at an extra cost
Web chat support availability
24 hours, 7 days a week
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
Keyboard accessibility shortcuts, support for large text and screen reader improvements on iOS & Android, adjustable zoom preferences and ability to stop automatic animations
Web chat accessibility testing
N/A
Onsite support
Yes, at extra cost
Support levels
Three SLA levels are available:
  • Included without charge, every Tyk Pro API Gateway Platform includes access to our helpdesk via email ticket.
  • For an additional charge, our Silver SLA includes a 4-hour fixed maximum response time, access to engineers via email support and two screenshares.
  • For an additional charge, our Gold SLA offers 24/7/365 access with fixed-time responses.
These services start from £20,000 per annum, depending upon the exact scope required and the scale of deployment.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We provide 'getting started' guides, documentation and tutorial videos covering a wide range of Tyk features and functionality to help users make the most of the service. Onboarding sessions with our engineers are also available at extra cost.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
On completion of contract, the user owns the rights to all of their data. Included within the contract is an agreement that, upon the contract end, users can extract their data via API calls.
End-of-contract process
At the end of the contract the client decides whether to renew or end it. If the client renews, hosting is reviewed and agreed; if the contract ends, the data can be exported. Offboarding is not included as standard in our licensing contracts, but on conclusion of the contract users may request support via helpdesk ticket on how best to extract their data from the service. If agreed at contract opening and onboarding, we can include an offboarding session and assist with migration away from Tyk. At each contract end we hold a call with the client's account manager to discuss feedback.

Using the service

Web browser interface
Yes
Using the web interface
All features and functions of the management platform can be accessed through the GUI in a browser.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
Keyboard accessibility shortcuts, support for large text and screen reader improvements on iOS & Android, adjustable zoom preferences & ability to stop automatic animations.
Web interface accessibility testing
Unknown
API
Yes
What users can and can't do using the API
All functionality of the platform can be accessed by API Calls - adding, editing and controlling the service. Tyk is API First!
API automation tools
  • Ansible
  • Chef
  • Terraform
  • Puppet
  • Other
Other API automation tools
For the latest compatibility list, visit the Tyk website.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
Command line interface
Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface
The Tyk CLI provides full access to all features of the API Gateway and some access to features of the API Management platform.

Scaling

Scaling available
Yes
Scaling type
  • Automatic
  • Manual
Independence of resources
From a performance perspective, Tyk's infrastructure is configured to auto-scale with demand.
To protect against bad actors, every organisation and every user within an organisation on Tyk Cloud is rate limited, so that no single tenant can overload the shared systems.
Usage notifications
Yes
Usage reporting
  • API
  • Email
  • Other

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
Reporting types
Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
Yes
What’s backed up
All data and configuration is backed-up.
Backup controls
All data and configuration is backed-up. The client cannot reduce the scope of this.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
Tyk Cloud infrastructure is protected by strict firewall rules within AWS VPC networks. Only the load balancers are reachable from outside, and only on HTTP/HTTPS ports, so the application servers themselves are not exposed. Databases are accessible from outside only as permitted by firewall and access rules, and additionally require credentials and encrypted connections.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Data may only flow between relevant systems, and is on private network segments depending on role.

Availability and resilience

Guaranteed availability
The SLA varies according to the package purchased, from 99.5% to 99.95% availability.

Failure to meet service levels results in service credits pro rata to the availability breach.
Approach to resilience
All components of the system have redundancy built in to remove single points of failure, and the application is horizontally scalable.
Outage reporting
We run a monitoring service. Any alert is displayed on a dashboard and, for 24/7 clients, sent by email. Outages are also reported via the helpdesk and on login pages where applicable.

Identity and authentication

User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Username or password
  • Other
Other user authentication
This depends on the user settings within the platform, so it is configurable at the administrator's risk, but includes mandatory session timeouts and role-based access control.
Access restrictions in management interfaces and support channels
Management access is permitted only from internal networks, themselves requiring two factor authentication to access
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
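The perimeter described under "Other protection between networks" (internet-facing load balancers only, application servers concealed behind them, databases reachable only as firewall rules permit) and the bastion-host arrangement described just above can be expressed as AWS security groups. The following Terraform is an illustration added here by the editor, not Tyk's own infrastructure code; the VPC CIDR, the admin allow-list, the resource names and the ports are all assumptions made for the example.

```hcl
# Illustrative security-group layout for the architecture the listing describes.
# Names, CIDRs and ports are assumptions for this example, not Tyk's configuration.

variable "admin_cidrs" {
  description = "Source ranges allowed to reach the bastion and datastore (assumed)"
  type        = list(string)
  default     = ["198.51.100.0/24"]
}

resource "aws_vpc" "gateway" {
  cidr_block = "10.0.0.0/16"
}

# Load balancer: the only component exposed to the internet, on HTTPS only.
resource "aws_security_group" "lb" {
  name   = "gateway-lb"
  vpc_id = aws_vpc.gateway.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [aws_vpc.gateway.cidr_block] # only needs to reach the app tier
  }
}

# Bastion: sole SSH entry point, reachable only from the admin allow-list.
# The two-factor requirement is enforced on the host or VPN, not by this rule.
resource "aws_security_group" "bastion" {
  name   = "gateway-bastion"
  vpc_id = aws_vpc.gateway.id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.admin_cidrs
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [aws_vpc.gateway.cidr_block]
  }
}

# Application servers: gateway traffic only from the load balancer's security
# group, SSH only from the bastion's. No CIDR-based ingress at all.
resource "aws_security_group" "app" {
  name   = "gateway-app"
  vpc_id = aws_vpc.gateway.id
  ingress {
    from_port       = 8080 # assumed gateway listen port
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.lb.id]
  }
  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"] # upstream APIs may live outside the VPC
  }
}

# Datastore: open to the application tier and, for administration, to the admin
# allow-list only. Credentials and TLS on the connection sit on top of this.
resource "aws_security_group" "db" {
  name   = "gateway-db"
  vpc_id = aws_vpc.gateway.id
  ingress {
    from_port       = 6379 # assumed; Redis shown, substitute the store in use
    to_port         = 6379
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]
  }
  ingress {
    from_port   = 6379
    to_port     = 6379
    protocol    = "tcp"
    cidr_blocks = var.admin_cidrs
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [aws_vpc.gateway.cidr_block]
  }
}
```

`terraform init` followed by `terraform validate` checks the layout offline; `terraform plan` with AWS credentials shows the resulting rules before anything is created. The AWS provider removes the default allow-all egress rule from any security group it manages, which is why every group above declares its egress explicitly. The point to check against the listing is that only `gateway-lb` and `gateway-bastion` carry any `cidr_blocks` ingress at all; the application and datastore groups trust other security groups, never addresses, so a leaked instance IP is of no use to an external attacker.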

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Alcumus IOSQAR
ISO/IEC 27001 accreditation date
08/2019
What the ISO/IEC 27001 doesn’t cover
The certification covers development, provision, management and support of Tyk API Management Software.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
HIPAA

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Tyk implements formal, documented policies and procedures that provide guidance for operations and information security within the organisation.
Policies address purpose, scope, roles, responsibilities and management commitment.
Policies are maintained in a centralised location accessible to all employees.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The Help Desk maintains records of each customer’s configuration, enabling the support team to liaise with product team over product change requests.
All software changes and patches are documented and subject to change control procedures in accordance with PRINCE2.
An updated set of documentation is provided with each major release and users are notified.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We monitor OWASP and other sources for new software vulnerabilities and vulnerability reports, software patches or new releases. Major releases of public facing applications undergo internally and/or externally conducted penetration testing. Security in our products is constantly under scrutiny and we adapt and change our processes on a regular basis.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Monitoring tools are used to measure server performance metrics as well as storage and network/bandwidth utilisation.
Incident management type
Supplier-defined controls
Incident management approach
We have a well-established incident management process. A breach or data loss triggers a high-priority incident, which is logged. A named contact at the customer is notified and provided with tracking details and a Major Incident Report. Risks are monitored and actioned via the Information Security Management risk log.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
No

Energy efficiency

Energy-efficient datacentres
Yes
Description of energy efficient datacentres
We use AWS network as Data Centres for our SaaS product: https://aws.amazon.com/compliance/data-center/data-centers/

Pricing

Price
£0 a unit a year
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Our free version differs from the Pro version only in scale: it currently allows access to the software from a single region and up to preset daily traffic levels.
Link to free trial
https://tyk.io/pricing/compare-api-management-platforms/
