Security and Privacy Overview

At CKEditor, we care deeply about security and privacy. Our Cloud Services are built on a strong, flexible system that protects your data with advanced security measures and constant monitoring. We are certified to SOC 2 Type 2 standards, which means we follow the industry’s best practices to keep your data secure, available, and private. We also believe in being open and honest, so we keep you informed about our operations.

Infrastructure and Hosting on AWS

CKEditor Cloud Services uses Amazon Web Services (AWS) for hosting. AWS is a well-known and trusted cloud platform that offers strong security, the ability to grow efficiently, and the ability to follow important rules. By choosing AWS, we ensure our services run on a safe and strong system. This helps us provide our users with the best performance, reliability, and data protection.

Global Infrastructure

We operate within the US East (Northern Virginia) and European (Frankfurt) AWS regions. The user's residency and local legal requirements can affect the choice between the two.

We use AWS to provide services, such as:

  • AWS ECS to manage containerized applications. ECS provides a highly scalable and reliable way to orchestrate workloads, ensuring automatic scaling and distribution of resources to handle traffic spikes.

  • AWS ALB to efficiently distribute traffic. This helps maintain performance and availability, even if some instances experience heavy load or failure.

  • AWS RDS as a database engine that provides automated backups, multi-AZ replication, and point-in-time recovery.

  • AWS ElastiCache for in-memory caching, ensuring faster response times for our users.

  • AWS SNS/SQS for reliable message queuing, enabling asynchronous communication in the system.

AWS Security Services

AWS provides a wide range of built-in security services that enhance our platform’s protection:

  • AWS GuardDuty actively protects our system. It always watches for suspicious or unauthorized activity in our AWS environment, helping us quickly spot and respond to any possible security threats.

  • AWS Security Hub provides centralized security monitoring and compliance checks across the entire AWS infrastructure.

  • AWS AppConfig manages dynamic configuration changes across applications, allowing us to safely and quickly deploy configuration updates without impacting the system’s security or stability.

  • AWS Config continuously monitors and assesses the configuration of our AWS resources to ensure compliance with internal security policies and best practices. AWS Config helps us track configuration changes and identify resources that may be non-compliant.

  • AWS CloudTrail records and logs all API activity and changes across our AWS infrastructure, providing complete visibility into user actions for auditing and incident response purposes. CloudTrail ensures a comprehensive audit trail of every action taken on our resources.

  • AWS Certificate Manager (ACM) automatically manages and provisions SSL/TLS certificates to secure our application traffic. This ensures all communication is encrypted, providing secure connections between the user and our services.

  • AWS Secrets Manager protects sensitive data, such as all configurations and database credentials, by securely storing and managing access to secrets.

  • AWS Key Management Service (KMS) handles cryptographic keys for encrypting data, ensuring strict control and compliance with industry standards.

  • AWS CloudWatch collects and monitors real-time logs, performance metrics, and application data to detect security and operational anomalies.

AWS Compliance

AWS complies with a wide range of global security and compliance certifications, including SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, and GDPR. CKEditor Cloud Services benefits from these certifications, inheriting the strong security posture of the AWS cloud.

Virtual Private Cloud (VPC)

All components of CKEditor Cloud Services are hosted on an AWS VPC, which provides network isolation. Public access is limited to load balancers, and all other components are protected behind strict security controls such as Security Groups, Network Access Control, and VPN access.

Security Groups

To control the traffic allowed into and out of our instances, we rely on AWS Security Groups. These groups are configured with strict and restrictive firewall rules, ensuring only authorized traffic can interact with our systems. This approach significantly enhances the security of our platform. Network access control lists provide an additional security layer operating at the subnet (network) level.

Web Application Firewall (WAF)

We use AWS WAF to protect our system from common web attacks. This includes things like SQL injection and cross-site scripting (XSS). The WAF constantly updates its protection rules to defend against new threats.

DDoS Protection

To defend against Distributed Denial of Service (DDoS) attacks, we use AWS Shield Advanced. This managed DDoS protection service protects our web applications at network and application levels. AWS CloudFront and Route 53 also provide additional layers of DDoS mitigation by distributing traffic and reducing the attack surface.

High Availability and Disaster Recovery

Ensuring high availability and resilience is fundamental to CKEditor Cloud Services.

Multi-Zone Redundancy

Our services are deployed across multiple AWS availability zones. This means if one location has problems, we can quickly switch to another. This keeps our service running smoothly without interruptions.

Data Replication

Databases are continuously replicated across multiple availability zones, providing redundancy and fault tolerance. When an availability zone becomes unavailable, the system automatically switches to another.

Data Backup and Recovery

CKEditor Cloud Services automatically backs up customer data with point-in-time recovery capabilities for up to 7 days. Backups are securely encrypted and stored in multiple AWS locations, ensuring the highest levels of redundancy and data protection.

Disaster Recovery Plan

We have a thorough plan to quickly get our systems back up and running if something goes wrong. We regularly test this plan to make sure it works well. This helps us keep our services available even when a major problem occurs.

99.99% Uptime SLA

Our infrastructure is designed to deliver a 99.99% uptime SLA, supported by AWS’s highly reliable services.

Data Security and Encryption

Data security is at the heart of CKEditor Cloud Services, and we implement strong encryption and access control measures to protect sensitive information.

Encryption at Rest and in Transit

All data is encrypted using AES-256 at rest, and TLS 1.2+ encryption is enforced for all communications in transit. This ensures that data is securely transmitted and stored without exposure to unauthorized access.

Data Isolation

We isolate customer data using separate encryption keys for each customer and environment. This ensures that customer data is fully segregated and protected from unauthorized access.

Key Management

Our encryption keys are managed using AWS Key Management Service (KMS), which ensures that all cryptographic operations meet the highest security standards.

Access Control and Identity Management

Access control is tightly enforced across CKEditor Cloud Services, ensuring only authorized personnel can access critical systems and data.

Role-Based Access Control (RBAC)

Permissions are assigned based on roles, ensuring that users have access only to the data and systems necessary for their job functions. Regular access reviews ensure that permissions remain appropriate over time.

Multi-Factor Authentication (MFA)

We enforce MFA for all privileged access to the CKEditor Cloud Services infrastructure. This additional layer of protection ensures that even if credentials are compromised, unauthorized access is prevented.

Single Sign-On (SSO)

Internal access to systems is centralized using Google SSO, minimizing password management risks and improving security.

Access Audits

We perform regular access audits, logging all access attempts and monitoring for any suspicious activity. All changes to access rights are logged and can be audited for compliance and security purposes.

Application and Code Security

At CKEditor, we follow a secure Software Development Life Cycle (SDLC), ensuring security is embedded in every stage of development.

Code Reviews

All changes to our code are carefully checked by engineers. This helps catch any potential security problems before they can affect our live system. We do this to make sure our code is safe and works well.

Automated Code Analysis

We use static code analysis tools to automatically scan code for vulnerabilities and insecure practices. These scans ensure that every line of code adheres to security standards (for example, the OWASP Top Ten).

Automated Testing

All code is subject to automated unit testing and integration testing to validate its functionality and security.

Quality Assurance (QA) Testing

Our QA team conducts manual and automated testing on all updates before they are deployed to production. This includes security testing, performance testing, and functional validation to ensure the application’s integrity and security.

Continuous Integration/Continuous Deployment (CI/CD)

Our CI/CD pipeline ensures that all deployments to production are automated and pass through multiple layers of security checks. Only code that meets strict security and performance criteria is allowed to be deployed.

Vulnerability Management and Patch Updates

We take a proactive approach to identifying and mitigating vulnerabilities across our systems.

Continuous Vulnerability Scanning

We use automated tools to continuously scan our infrastructure and applications for known vulnerabilities. These scans reference the latest Common Vulnerabilities and Exposures (CVE) database.

Penetration Testing

We engage third-party security experts to perform annual penetration testing of our systems, identifying potential vulnerabilities and ensuring our security posture remains robust.

Timely Patch Management

Our patch management policy ensures that security patches are applied promptly to mitigate potential risks. Critical patches are prioritized for immediate deployment, while non-critical updates are tested before implementation.

Security Monitoring and Incident Response

We continuously monitor our environment for security and performance, ensuring that any issues are swiftly identified and resolved.

Real-Time Monitoring

Using AWS CloudWatch, AWS GuardDuty, and AWS Security Hub, we continuously monitor for security events, performance metrics, and operational anomalies. If suspicious activity is detected, automated alerts are generated for immediate investigation.

Automated Alerts

Any abnormal activity, such as unauthorized access attempts or unusual traffic patterns, triggers real-time alerts. Our team reviews these alerts to prevent potential incidents.

Incident Response Plan

CKEditor Cloud Services has a clear plan for handling all security and reliability problems. This plan explains how we find, investigate, and fix issues. After each incident, we do a post-mortem analysis and review to determine why it occurred and improve our system to prevent similar incidents in the future.

Audit Logs

We maintain detailed audit logs of all actions taken in production environments, ensuring transparency and accountability. Logs are securely stored and available for review during security investigations or audits.

Observability and Continuous Testing

To ensure high availability and a seamless user experience, CKEditor Cloud Services continuously tests and monitors its applications through real-user simulations.

Performance Monitoring

We monitor key performance indicators (KPIs) such as network usage, CPU and memory utilization, latency, request processing time, and more. All metrics are stored in Prometheus and Grafana. Any deviation from expected performance levels triggers alerts and investigations by our operations team.

Test Bots

We employ automated bots that simulate fundamental user interactions with the system regularly (every 10 minutes), continuously testing for performance, reliability, and potential issues. These bots help identify potential bottlenecks or problems before they impact customers.

SOC 2 Type 2 Certification

As of January 2025, CKEditor Cloud Services is SOC 2 Type 2 certified, demonstrating our adherence to the highest security, availability, and confidentiality standards.

Security Controls

Our SOC 2 certification confirms that we have implemented robust security controls to protect customer data from unauthorized access, ensuring compliance with best industry practices.

Global Privacy Compliance

We comply with key global privacy regulations, including GDPR, ensuring your data is handled with the utmost care and transparency.

Vendor and Subprocessor Management

CKEditor Cloud Services partners with trusted vendors to deliver reliable and secure services. We ensure all subprocessors comply with strict security and privacy requirements.

Amazon Web Services (AWS)

Our primary hosting provider is AWS, compliant with SOC 1, SOC 2, ISO 27001, and GDPR. AWS’s infrastructure provides a secure foundation for CKEditor Cloud Services, ensuring high availability and data security.

Annual Subprocessor Reviews

We perform annual reviews of all subprocessors to ensure they maintain compliance with industry standards and regulatory requirements, including SOC 2 and GDPR.

Cloud Regions and Data Residency

We operate within the US East (Northern Virginia) and European (Frankfurt) AWS regions.

The choice of a cloud region determines data residency and can help meet legal requirements (such as GDPR compliance) and performance KPIs (by locating the services closer to your end users).

The table below gives a more detailed view of the differences between the two locations and their effect on each Cloud Services service.

| Service | Purpose of Processing | Stores Data | Data at Rest [3] | Data in Transit [2] | Storage & Processing Location | Notes |
|---|---|---|---|---|---|---|
| Real-time Collaboration | Enable multi-user editing | Yes | User data (ID, email, name, avatar URL); comments and suggestion threads; document content [1]. All the data is encrypted at rest [4] | Same as at rest | Selected cloud region [0] | |
| Document Conversion | Format conversion | No | | Provided DOCX/HTML | Selected cloud region [0] | |
| CKBox | Store and serve files | Yes | Uploaded files and their metadata | Same as at rest | Selected cloud region [0]. ⚠️ See "Notes" | CKBox uses a globally distributed CDN to deliver files. Cached copies may reside outside the original region (uses AWS CloudFront). Cached content is automatically invalidated across all edge locations when an asset is removed or updated, making it no longer accessible. |
| CKEditor CDN | Serve CKEditor files (JS, CSS) | No | | | CKEditor's infrastructure in AWS CloudFront | |
| Usage Metering (UBB) | Track editor loads for license validation and billing | Yes | Non-personal usage logs (e.g. editor load counts, license ID) stored for billing/support | License key and usage info sent on editor initialization (no user content) | CKEditor's infrastructure in AWS US East region | |
| Emoji Database | Provide emoji definitions (names, symbols, categories) to editor via CDN | No | | | CKEditor's infrastructure in AWS CloudFront | |
| Easy Image | Image upload and automatic resizing service | Yes | Uploaded images | Same as at rest | Selected cloud region [0]. ⚠️ See "Notes" | ⚠️ Legacy service (not available to new customers). CKEditor Easy Image uses a globally distributed CDN to deliver files. Cached copies may reside outside the original region (uses AWS CloudFront). |
| Image Optimizer (Uploadcare) | Premium feature provided by CKSource's partner Uploadcare | Yes | Uploaded files and their metadata | Same as at rest | Storage and processing: AWS us-east-1. Cached versions of the files: globally on Fastly and CloudFront | |
| MathType / ChemType | Premium feature provided by CKSource's partner Wiris | | | | | The service is operated by Wiris. For additional information or assistance, please reach out to the Wiris support team. |
| WProofreader | Premium feature provided by CKSource's partner WebSpellChecker | | | | | The service is operated by WebSpellChecker. For additional information or assistance, please reach out to the WebSpellChecker support team. |

LEGEND
[0] Selected cloud region: based on the region in which a particular environment was created (US or EU).

[1] Document content is stored only for the duration of a collaboration session, with two exceptions:

  • if Document storage is enabled – document content is stored permanently
  • if the Revision history feature is used – content of document revisions is stored permanently

[2] The “Data in Transit” column describes the primary content of the transmitted payload (for example document content, license key). In addition to the payload, standard transport-layer metadata – such as the end user’s IP address, HTTP headers, and TLS handshake data – may also be transmitted as part of the communication process.

[3] In addition to the data processed and stored for providing the service, CKEditor Cloud Services also retains a subset of data for logging purposes:

  • If a customer enables the Insights Panel, logs are collected and stored for 14 days, during which they are accessible to the customer for analysis.
  • Operational logs are also collected and retained for a period of 90 days in AWS CloudWatch to support service delivery and maintenance by the CKEditor Cloud Services team.
    In both cases, log data is stored in the Selected cloud region [0].

[4] The data is encrypted at rest using AES-256, with separate encryption keys for each customer and environment. Read more in the Data security and encryption section.

Security Contact

If you have any questions or concerns about CKEditor Cloud Services’ security policies and practices, please get in touch with our team at security@ckeditor.com.