This is a preview of the Storyblok Website with Draft Content

JoyConf 2026 is back. Content Confidence. Human Connection. Save your spot!

Security

At Storyblok, the security of your information is our top priority. We rely on industry best practices and strictly enforced operational controls to ensure the security of all electronic data you entrust us with.

Access Control

How does Storyblok monitor and control access to the platform?
Access to Storyblok is monitored and reviewed by automated tools that identify abnormalities and inform the responsible authorities. Monitoring includes mitigation of brute force attacks.

How are content changes tracked?
Every content change is logged and can be reviewed by your developers in the user activity event stream.

Where is Storyblok hosted, and how is physical data center access controlled?
Storyblok is hosted on Amazon AWS. AWS provides physical data center access only to approved employees. Employees requesting access must provide a valid business justification; requests are granted on the principle of least privilege, specify which layer of the data center is needed, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked once the requested time expires. Individuals are restricted to the areas specified in their permissions.

How is access to Storyblok's internal network secured?
Access to the internal network is only possible using a public/private key pair via Secure Shell (SSH).

Enterprise Identity & Access Controls

What identity and access management capabilities does Storyblok offer enterprises?
Storyblok provides enterprise-grade identity and access management capabilities designed to help organizations securely manage authentication, provisioning, and API access at scale.

Does Storyblok support Single Sign-On (SSO)?
Yes. Storyblok supports Single Sign-On through identity providers such as Okta, Microsoft Entra ID, Google Workspace, OneLogin, JumpCloud, and Salesforce, and supports SAML standards including SAML 2.0 and SAML 1.0.

Can organizations configure and enforce their own SSO settings?
Yes. Organizations can configure and manage their own SSO connection, identity provider metadata, domain mapping, and attribute settings, directly within the Storyblok dashboard, without support involvement. Organizations can also enforce SSO-only authentication, which disables password login for users on domains configured for SSO.

Does Storyblok support SCIM provisioning?
Yes. System for Cross-domain Identity Management (SCIM) support enables automated user provisioning and deprovisioning directly through supported identity providers, reducing manual user management overhead while keeping access controls accurate and up to date.

How does Storyblok support secure API and third-party access?
Storyblok offers Scoped Personal Access Tokens (PATs), which let organizations apply least-privilege access principles to integrations, automation workflows, and developer tooling by limiting tokens to only the permissions required. Storyblok also supports OAuth 2.0 authorization for connecting third-party applications, with a consent screen, refined scopes, and space-level permission control, so organizations can define exactly which spaces and data an integration is granted access to.

How does Storyblok govern access?
Access to Storyblok is monitored and reviewed by automated tools to identify abnormalities and inform responsible authorities. Monitoring includes mitigation of brute force attacks, and every content change is logged and reviewable through the user activity event stream.

Data Protection

Where is data hosted, and what certifications does the infrastructure hold?
The solution is hosted on Amazon AWS in Frankfurt, Germany, which holds security certifications including SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, FISMA, DIACAP, and FedRAMP, DOD CSM Levels 1-5, PCI DSS Level 1, ISO 9001 / ISO 27001, ITAR, FIPS 140-2, and MTCS Level 3.

How are connections to Storyblok secured?
The solution only uses secure HTTPS connections to communicate with other systems, with access controls in place to grant access only to permitted systems.

How does Storyblok detect malicious traffic?
Unusual and malicious traffic is automatically detected by Amazon CloudWatch Alarms, which send notifications to the responsible Storyblok employee.

How is data backed up and recovered?
Data is backed up to a second physical location using a read replica with automatic failover, and additionally backed up daily to Amazon S3 with a changelog for a 30-day retention period. Restoration is possible at any point within that 30-day window. Storyblok performs monthly recovery tests, including point-in-time database recovery and recovery of static assets through Amazon S3's version control feature.

What protocols are used for API communication?
Storyblok APIs use HTTPS with the TLSv1.2 protocol. TLSv1.1 is deprecated; the domain api-tls12.storyblok.com accepts only TLSv1.2.

How does Storyblok protect against web-based attacks?
Storyblok uses a web application firewall (Amazon WAF) for its APIs to mitigate cross-site scripting, brute force, and SQL injection attacks. If an attack is detected, a rule is added to the WAF to deny access to the attacker.

How does Storyblok test its own security?
Storyblok performs continuous automated security testing through Detectify, as well as manual periodic DDoS tests on the API.

Change Management

Storyblok applies a systematic approach to managing change so that changes to customer-impacting services are thoroughly reviewed, tested, approved, and well-communicated. The Storyblok change management process is designed to avoid unintended service disruptions and to maintain the integrity of service to the customer. Changes deployed into production environments are:

  • Reviewed – Peer reviews of the technical aspects of a change are required.
  • Tested – Changes being applied are tested to help ensure they will behave as expected and not adversely impact security.
  • Approved – All changes must be authorized in order to provide appropriate oversight and understanding of business impact.