GDPR Compliance.
ZITADEL is engineered in Switzerland with a privacy-first foundation. We deliver the identity infrastructure you need while ensuring complete compliance with the General Data Protection Regulation (GDPR) and global privacy standards.
GDPR Compliant
ZITADEL provides full compliance with European data privacy regulations (GDPR), backed by a robust Data Processing Agreement (DPA) and Standard Contractual Clauses.
Flexible Data Residency
ZITADEL Cloud lets you choose your storage location—Switzerland, the European Union, or Global—ensuring your user data remains in-region.
DPF Self-Certified
Self-certified under the EU-U.S. Data Privacy Framework, the UK Extension, and Swiss-U.S. DPF for compliant transatlantic transfers.
Our Compliance & Security Certifications
Swiss Engineered
Strict privacy & security
Radical Transparency
Open source & public audits
All Legal & Trust Documentation
Review our standard Data Processing Addendum (DPA), subprocessor lists, and audit reports directly in the ZITADEL Trust Center. We believe in radical transparency: no NDAs required to review our core compliance materials.
Self-Host ZITADEL for Absolute Sovereignty
For organizations with strict compliance mandates, digital sovereignty requirements, or the need to eliminate vendor risk, ZITADEL can be self-hosted on your own infrastructure. You get the same enterprise-grade features while retaining 100% control over your user data.
Deploy Open Source
ZITADEL is open-source under the Apache 2.0 / AGPLv3 licenses. Deploy it today or upgrade to a commercial self-hosted license.
View Deployment DocsFrequently Asked Questions
Is ZITADEL GDPR compliant?
Yes. ZITADEL complies fully with the GDPR. We act as a data processor for our customers (data controllers). Our Data Processing Agreement (DPA) includes standard contractual clauses, technical and organizational measures (TOMs), and our subprocessor list to guarantee full compliance.
Which legal entity do I contract with, and what is ZITADEL's corporate structure?
ZITADEL is operated by ZITADEL Inc. (headquartered in San Francisco, USA) as the parent company, and CAOS AG (based in St. Gallen, Switzerland) as the operating subsidiary.
Your contracting partner depends on your tier and location:
- All Cloud Customers (Global): Contract with CAOS AG (Swiss Law).
- Enterprise Customers in the US: Contract with ZITADEL Inc. (US Law).
- Enterprise Customers in the Rest of the World: Contract with CAOS AG (Swiss Law).
For more details, please see our detailed help article on Corporate Structure & Contracting Entities.
Can I keep my data strictly within the European Union (EU) or Switzerland?
Yes. When setting up a ZITADEL Cloud instance, you can select your preferred data region (Switzerland, EU, or Global). Choosing Switzerland or the EU ensures that your data is stored and processed exclusively in those locations.
How does ZITADEL handle international data transfers?
Transatlantic data transfers between our entities or subprocessors are fully covered under our EU-U.S. Data Privacy Framework (DPF) self-certification, UK Extension, and Swiss-U.S. DPF. For transfers outside this scope, standard contractual clauses are incorporated into our DPA.
Can I self-host ZITADEL to maintain absolute control over my data?
Yes. ZITADEL is an open-source platform. If you have strict sovereignty requirements, you can self-host ZITADEL on your own infrastructure or in a private cloud environment, giving you 100% control over data storage and processing locations.