Apiable

Security & Compliance

How Apiable handles your data, your traffic, and your trust

A reference page for security teams, procurement reviewers, and architects. Everything below is the same answer your champion would get from us on a call — published so they don't have to wait on one.

AWS Well-Architected Framework Review delivered in 2025

AWS Partner · Well-Architected Framework Review passed in 2025

ISO 27001 in progress (Q3 2026) · GDPR-compliant · single-tenant per customer

Data flow

Does Apiable proxy my API traffic?

No. Apiable does not sit in your API request path.

Traffic between your developers and your gateway never passes through Apiable's infrastructure. Onboarding, plans, quotas, billing, and the developer portal run inside Apiable; the API calls themselves do not.

Optionally, Apiable retrospectively reads your gateway's log files (CloudWatch Logs, Konnect analytics, Apigee analytics, etc.) to track usage, generate insights, and drive billing. Log access is read-only and runs on your schedule, not in the request path.

What touches Apiable, what doesn't

  • In Apiable: partner accounts, plans, subscriptions, approvals, contracts, billing records, portal customisation, audit logs of admin actions.
  • Not in Apiable: your API request and response payloads, end-user data your APIs return, your gateway runtime, your underlying services and databases.

Hosting & regions

Where is Apiable hosted?

Apiable runs on AWS in the Frankfurt region (eu-central-1).

Customer data and configuration are stored there. Each customer gets a dedicated, single-tenant portal instance with its own database — no shared portal infrastructure between customers.

Additional regions are available for enterprise customers. If you need US, APAC, or another EU region, talk to us — we've delivered multi-region rollouts and can scope yours.

We've passed the AWS Well-Architected Framework Review (2025), AWS's audit of well-architected best practices for AWS Partner Network ISVs.

Authentication & encryption

How does Apiable handle authentication and encryption?

Portal authentication — bring your own IdP

Apiable does not provide a default identity provider. You connect your existing one over OpenID Connect — Microsoft Entra ID, Google, Okta, AWS Cognito, Auth0, Keycloak, or any OIDC-compliant provider. Apiable never stores or validates your end users' credentials.

API authorization — three first-class models

Tokens, scopes, and grant types follow the OAuth 2.0 specification (authorization code, client credentials, refresh). Pick the model that fits your stack:

  1. API-key only. Your gateway maps the API key to a subscription. Simplest setup, no JWT required.
  2. Apiable-managed authorization. Cognito user pool + Lambda authoriser, deployed into your AWS account via our modular CDK / CloudFormation Launch Stack URL / Terraform module. The auth surface runs in your account, not Apiable's.
  3. External authorization. Federate to your existing IdP (Duende, Auth0, Okta, Entra, Keycloak, etc.) using the apiable_api_key bridge-claim pattern. Apiable reverse-maps the credential at log ingestion.
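To make models 1 and 3 concrete, here is an added example (not Apiable's code, nor the authoriser Apiable deploys) of a minimal AWS API Gateway REQUEST-type Lambda authoriser. It maps an x-api-key header to a subscription (model 1), or verifies a bearer JWT and reads the apiable_api_key bridge claim from it (model 3), then returns the allow/deny policy document the gateway expects. The subscription table, the header names, the subscription identifiers and the HS256 signing key are constructed for this example; a real IdP normally signs with RS256 and publishes its keys as a JWKS, and the HMAC check below stands in for that so the example runs offline.

```python
"""Added example: API Gateway Lambda authoriser covering the API-key-only
model and the external-IdP bridge-claim model. All identifiers are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed registry: API key -> subscription. A real deployment would consult
# the gateway's usage plans or a store the portal populates, not an in-memory dict.
SUBSCRIPTIONS = {
    "key-acme-prod-0001": {"subscription_id": "sub-acme-prod", "plan": "gold"},
    "key-acme-dev-0002": {"subscription_id": "sub-acme-dev", "plan": "free"},
}

BRIDGE_HS256_KEY = b"constructed-example-key-do-not-use"  # constructed, offline only
BRIDGE_CLAIM = "apiable_api_key"                          # claim name from the page


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Issue a token the way a constructed IdP would (test helper)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes, now=None):
    """Return the claims if the signature and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse alg=none / algorithm confusion
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64 / JSON / wrong number of segments
        return None
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return None
    return claims


def build_policy(principal_id: str, effect: str, method_arn: str, context=None) -> dict:
    """Authoriser response in the shape API Gateway consumes."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},
    }


def handler(event: dict, context=None) -> dict:
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    method_arn = event.get("methodArn", "*")
    api_key = None

    if "x-api-key" in headers:                         # model 1: API key only
        api_key = headers["x-api-key"]
    elif headers.get("authorization", "").startswith("Bearer "):  # model 3: bridge claim
        claims = verify_hs256_jwt(headers["authorization"][len("Bearer "):], BRIDGE_HS256_KEY)
        if claims:
            api_key = claims.get(BRIDGE_CLAIM)

    sub = SUBSCRIPTIONS.get(api_key) if api_key else None
    if sub is None:
        # Returning Deny yields a 403; raising Exception("Unauthorized") would yield 401.
        return build_policy("anonymous", "Deny", method_arn)
    return build_policy(sub["subscription_id"], "Allow", method_arn,
                        {"subscription_id": sub["subscription_id"], "plan": sub["plan"]})
```

The Allow policy is scoped to the single methodArn that was invoked, and the subscription identifier is passed back in `context` so the gateway's access log carries it, which is the hook a retrospective log reader needs to attribute usage to a subscription.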

Encryption

  • In transit: TLS 1.2+ enforced for all customer-facing endpoints.
  • At rest: AWS-managed encrypted services (RDS, S3, DynamoDB) with AES-256.

Audit logging

Admin actions in Apiable — product changes, plan changes, subscription approvals, user and role changes — are recorded in an immutable audit log accessible to your administrators.

Gateway access

How does Apiable access my API gateway?

Apiable connects to your gateway through a dedicated adapter per gateway type — AWS API Gateway, Kong, Apigee, Azure APIM. The adapter lists your APIs, syncs catalog metadata, creates and revokes consumer credentials, and retrieves OpenAPI specs where available.

How gateway credentials are stored

  • Not in Apiable's database. Gateway access credentials live in AWS Secrets Manager.
  • Dedicated AWS IAM role per customer. Apiable's access to your secrets is scoped to your role only.
  • Audited access. AWS Secrets Manager access is logged. The audit is available to you on demand.
  • For AWS API Gateway specifically: we use an assume-role pattern (RoleARN). The access key and secret are temporary credentials obtained by assuming that role and are not stored on Apiable.

How API consumer credentials are stored

  • Not stored in Apiable's database.
  • Retrieved on demand by the Apiable backend, displayed in the portal UI, then released — not cached.
  • Generated by your gateway's native auth, by the Apiable-managed Cognito + Lambda authoriser deployed into your AWS account, or by your existing IdP via the External AuthZ bridge-claim pattern.

Honest disclosure

Adding an Apiable integration grants Apiable Admin access to the connected API gateway. That's the level of access we need to list APIs, create plans, and manage consumer credentials. Procurement and security teams should know this upfront — it's why the credentials live in AWS Secrets Manager, behind a dedicated IAM role, with audit-on-demand.

Shared responsibility

What's the shared responsibility model?

A three-tier split. You own your upstream systems. Apiable owns the portal layer. The developer experience your partners see is jointly owned.

You own (Customer)

You own your upstream systems and the integration layer.

  • API Gateway & Backend Protection

    IAM roles, usage plans, request validation, TLS/mTLS, firewall rules, IP allowlists, private networking, observability.

  • Secure Integration with Apiable

    Least-privilege roles (e.g. RoleARN for AWS API Gateway). Monitor and rotate credentials. Audit access logs between Apiable and your APIs.

  • Identity & Access Management

    Your identity provider (Cognito, Auth0, Keycloak, Azure AD, Okta). You define roles, scopes, token policies, and session durations. Apiable integrates via OIDC / OAuth 2.0 — it never stores or validates your credentials.
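The assume-role (RoleARN) pattern described under "How gateway credentials are stored" and the "least-privilege roles" item above both come down to two documents the customer controls: the role's trust policy and its permissions policy. Here is an added example (not Apiable's code, and not an AWS tool) of an offline checker you can run over both before handing the role ARN to any integrator. It flags a trust policy that admits any principal or lacks the sts:ExternalId condition AWS documents as the confused-deputy guard for third-party access, and a permissions policy that uses wildcard actions or resources outside the API Gateway management ARNs. Account IDs, the role name and the external ID are placeholders; the sample policies are constructed for the example.

```python
"""Added example: least-privilege audit of a cross-account RoleARN handed to an
integrator. Account IDs, role name and external ID are placeholders."""
import json

INTEGRATOR_ACCOUNT = "111111111111"  # placeholder: the integrator's AWS account
INTEGRATOR_ROLE = f"arn:aws:iam::{INTEGRATOR_ACCOUNT}:role/PortalIntegration"  # placeholder
GATEWAY_RESOURCE_PREFIX = "arn:aws:apigateway:eu-central-1::/"  # API Gateway management ARNs


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict, allowed_principal: str) -> list:
    """Every sts:AssumeRole grant must name exactly the expected principal and carry an ExternalId."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*") for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in principals:
            if p != allowed_principal:
                findings.append(f"trust: principal {p!r} is not the expected {allowed_principal!r}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("trust: sts:AssumeRole statement has no sts:ExternalId condition")
    return findings


def audit_permissions_policy(policy: dict, action_prefix: str, resource_prefix: str) -> list:
    """Allowed actions stay inside one service and resources under one ARN prefix; no wildcards."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for a in _as_list(stmt.get("Action", [])):
            if a == "*" or a.endswith(":*"):
                findings.append(f"permissions: action {a!r} is a wildcard")
            elif not a.startswith(action_prefix):
                findings.append(f"permissions: action {a!r} is outside {action_prefix!r}")
        for r in _as_list(stmt.get("Resource", [])):
            if r == "*" or not r.startswith(resource_prefix):
                findings.append(f"permissions: resource {r!r} is not scoped under {resource_prefix!r}")
    return findings


def audit_role(trust: dict, permissions: dict) -> list:
    return (audit_trust_policy(trust, INTEGRATOR_ROLE)
            + audit_permissions_policy(permissions, "apigateway:", GATEWAY_RESOURCE_PREFIX))


# Constructed sample: what a scoped role for listing APIs and managing keys/plans looks like.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": INTEGRATOR_ROLE}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
GOOD_PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "apigateway:GET", "Resource": GATEWAY_RESOURCE_PREFIX + "restapis*"},
    {"Effect": "Allow", "Action": ["apigateway:POST", "apigateway:DELETE"],
     "Resource": [GATEWAY_RESOURCE_PREFIX + "apikeys*", GATEWAY_RESOURCE_PREFIX + "usageplans*"]}]}

# Constructed sample of what not to accept: any principal, no ExternalId, wildcard everything.
BROAD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
BROAD_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "apigateway:*", "Resource": "*"}]}


if __name__ == "__main__":
    for name, t, p in (("scoped", GOOD_TRUST, GOOD_PERMS), ("broad", BROAD_TRUST, BROAD_PERMS)):
        print(name, json.dumps(audit_role(t, p), indent=2))
```

An empty findings list is the bar to clear before sharing the role ARN; the same functions can be pointed at the policies returned by `aws iam get-role` and `aws iam get-role-policy` during the credential-rotation reviews the "Secure Integration" item calls for.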

Shared

Joint responsibility for the developer experience your partners see.

  • Governance & Visibility

    Which APIs are public, private, or internal. API metadata, changelogs, docs, terms of use, onboarding and approval flows.

  • Developer Experience

    User roles, API credentials, access tokens. Self-service or invitation-only onboarding. Per-app rate limits and quota tiers.

  • Compliance & Oversight

    Align portal settings to your compliance mandates. Monitor usage patterns and enforce API terms. Analyse logs and metrics for audits and reporting.

We own (Apiable)

We own the security of the API portal itself.

  • Platform-Level Controls

    AWS hosting in hardened VPC environments. Infrastructure as Code for consistent, auditable deployments. Encrypted storage of API credentials and tokens in AWS Secrets Manager. Abuse prevention and anomaly detection.

  • Operational Security

    Continuous patching and maintenance. Vulnerability scanning and penetration testing. High availability and disaster recovery.

  • Compliance

    GDPR-compliant infrastructure. ISO 27001 in progress (Q3 2026). AWS Well-Architected Framework Review passed in 2025 and maintained on AWS's audit cycle.

Compliance status

Where Apiable is today on AWS WAFR, ISO 27001, and GDPR

An honest snapshot. Status changes are reflected on this page and on our live trust report.

Standard, status, and notes:

  • AWS Well-Architected Framework Review: Passed. Audited against AWS well-architected best practices for ISVs in 2025. Required for AWS Marketplace listing.
  • GDPR: Compliant. EU data processor. Frankfurt-only hosting.
  • ISO 27001: In progress. Live status published at trust.apiable.io. Targeted for Q3 2026.

If you need to complete a vendor security questionnaire today, trust.apiable.io is the best starting point. For specific controls or evidence, email support@apiable.io.

Operational security

What sits behind the audited compliance posture:

  • Hardened AWS VPC deployment
  • Infrastructure as Code — auditable deployments
  • Continuous patching and maintenance
  • Vulnerability scanning and penetration testing
  • High availability and disaster recovery
  • Encrypted secret storage in AWS Secrets Manager

Self-hosting

Can Apiable be self-hosted?

In your own AWS account, yes — as a named enablement-package item. Otherwise, no.

Default delivery is managed SaaS in our AWS account in Frankfurt. If you need the platform deployed into your own AWS account, that's available as a named item on your enablement package — talk to us early so we can scope it into the contract.

We don't currently offer:

  • Single-tenant deployment in your own Azure or GCP account
  • On-premises deployment
  • Air-gapped deployments

If your concern is data residency or sovereignty rather than physical hosting, the answer is usually different — Apiable doesn't proxy your API traffic, and your underlying APIs and data stay in your gateway and your infrastructure.

For anything on the "we don't offer" list above, talk to us — we'd rather scope it together than have you guess.

Need something we haven't published?

Architecture deep-dive call, sub-processor list, a specific vendor questionnaire response, evidence for a particular control — email support@apiable.io and we'll route to the right person on our team.
