GDPR Compliance.

ZITADEL is engineered in Switzerland with a privacy-first foundation. We deliver the identity infrastructure you need while ensuring complete compliance with the General Data Protection Regulation (GDPR) and global privacy standards.

GDPR Compliant

ZITADEL provides full compliance with European data privacy regulations (GDPR), backed by a robust Data Processing Agreement (DPA) and Standard Contractual Clauses.

Flexible Data Residency

ZITADEL Cloud lets you choose your storage location—Switzerland, the European Union, or Global—ensuring your user data remains in-region.

DPF Self-Certified

Self-certified under the EU-U.S. Data Privacy Framework, the UK Extension, and Swiss-U.S. DPF for compliant transatlantic transfers.

Our Compliance & Security Certifications

GDPR CompliantGDPR
ISO 27001 CertifiedISO 27001
SOC 2 Type IISOC 2 Type II
HIPAA CompliantHIPAA
OpenID CertifiedOpenID Connect
Swiss Secure

Swiss Engineered

Strict privacy & security

Radical Transparency

Radical Transparency

Open source & public audits

All Legal & Trust Documentation

Review our standard Data Processing Addendum (DPA), subprocessor lists, and audit reports directly in the ZITADEL Trust Center. We believe in radical transparency: no NDAs required to review our core compliance materials.

Self-Host ZITADEL for Absolute Sovereignty

For organizations with strict compliance mandates, digital sovereignty requirements, or the need to eliminate vendor risk, ZITADEL can be self-hosted on your own infrastructure. You get the same enterprise-grade features while retaining 100% control over your user data.

Zero Vendor Risk: Cut dependencies on third-party SaaS infrastructure and avoid vendor lock-in.
Absolute Data Sovereignty: Store and process all user identity records completely within your own network borders.
Local Security & Audits: Seamlessly integrate identity logs into your internal SIEM and security tools.
Flexible Deployments: Scale easily on-premise or in private clouds using Kubernetes, Docker, or Linux.

Deploy Open Source

ZITADEL is open-source under the Apache 2.0 / AGPLv3 licenses. Deploy it today or upgrade to a commercial self-hosted license.

View Deployment Docs

Frequently Asked Questions

Is ZITADEL GDPR compliant?

Yes. ZITADEL complies fully with the GDPR. We act as a data processor for our customers (data controllers). Our Data Processing Agreement (DPA) includes standard contractual clauses, technical and organizational measures (TOMs), and our subprocessor list to guarantee full compliance.

Which legal entity do I contract with, and what is ZITADEL's corporate structure?

ZITADEL is operated by ZITADEL Inc. (headquartered in San Francisco, USA) as the parent company, and CAOS AG (based in St. Gallen, Switzerland) as the operating subsidiary.

Your contracting partner depends on your tier and location:

  • All Cloud Customers (Global): Contract with CAOS AG (Swiss Law).
  • Enterprise Customers in the US: Contract with ZITADEL Inc. (US Law).
  • Enterprise Customers in the Rest of the World: Contract with CAOS AG (Swiss Law).

For more details, please see our detailed help article on Corporate Structure & Contracting Entities.

Can I keep my data strictly within the European Union (EU) or Switzerland?

Yes. When setting up a ZITADEL Cloud instance, you can select your preferred data region (Switzerland, EU, or Global). Choosing Switzerland or the EU ensures that your data is stored and processed exclusively in those locations.

How does ZITADEL handle international data transfers?

Transatlantic data transfers between our entities or subprocessors are fully covered under our EU-U.S. Data Privacy Framework (DPF) self-certification, UK Extension, and Swiss-U.S. DPF. For transfers outside this scope, standard contractual clauses are incorporated into our DPA.

Can I self-host ZITADEL to maintain absolute control over my data?

Yes. ZITADEL is an open-source platform. If you have strict sovereignty requirements, you can self-host ZITADEL on your own infrastructure or in a private cloud environment, giving you 100% control over data storage and processing locations.