Secure by default.

Trust, security, integrity and availability are core values of our product. ZITADEL is open source following transparent processes, tooling and product management. Our company is based in Switzerland complying to strict privacy laws.


Development and Location

Switzerland stands for security

The security and privacy of your data is our greatest promise. As a Swiss vendor we are required to one of the strictest privacy laws and compliance with GDPR .

Stay in control where your data is stored by choosing on of our available regions or self-host for highest control.

code scanning transparency



Transparency is a key principle. That is why our source code is open source and free to use. Our product development and the tools, processes and vendors we use to create our software are available on Github or our Website.

Measures for security and data protection are disclosed in this trust center, our policies, and via OpenSSF Best Practices .

Our Sub-Processors

In order to achieve the best possible transparency we regularly publish which providers and services we use to offer ZITADEL. It can occur that we obtain the same services from several providers. We regularly audit all data processing agreements that we have with our sub-processors to guarantee privacy of your personal data.

When using ZITADEL Cloud the end-user data will be stored and processed by the following providers.


  • Google Workspace
  • IaaS Provider
  • Mail Relay (SMTP)
  • DNS Server
  • DDOS Mitigation
  • WAF
  • CDN
  • Cloud Load Balancer
  • PKI for TLS
  • DNS Registrar
How we use Google

We use Google as our infrastructure provider and for business applications and collaboration.

United States


  • Cockroach Cloud
How we use CockroachLabs

We use dedicated CockroachDB clusters on Google Cloud for the database layer of our cloud service.

United States


  • Infrastructure Monitoring
  • Metrics / Dashboards
  • Alerting
How we use Datadog

Datadog is used for infrastructure monitoring, analytics, and alerting. We process log files which could include IPs and potentially query parameters.

United States

The following providers are used for communication, request tracking, payment, and communication with our customers. No end-user data will be shared with these providers, except you use our default SMS/mail gateway.


  • Source Code Management
  • Code Scanning
  • Dependency Management
  • Security Advisory
  • Issue Management
  • Continuous Integration
How we use GitHub

We use Github amongst other things for source control, CI, testing and for tracking bugs and customer issues.

United States


  • Subscription management
  • Payment process
How we use Stripe

Stripe handles payments and invoicing of our cloud service. No end-user data will be shared with Stripe.

United States


  • Customer Management
  • Accounting
  • Payment process
How we use Bexio

Bexio is used for accounting, invoicing for services, and CRM.



  • Marketing automation
How we use Mailjet

Mailjet allows us and our customers to communicate through email. No end-user data will be shared with Mailjet.



  • Transactional mails
How we use Postmark

Postmark allows us and our customers to communicate through email. No end-user data will be shared with these providers, except you use our default mail provider in your ZITADEL Cloud Instance. We recommend that you configure your own mail server per instance.

United States


  • Hosting websites
How we use Vercel

Vercel Inc. provides us with hosting services for our different websites, including our marketing websites, documentation, and customer portal.

United States

Following companies are additional providers for auxiliary services or optional to our services. You need to opt-in, actively use a feature, or browse our websites.


  • Documentation search
United States, France


  • Community Chat
United States


  • ZITADEL Cloud status
  • Incidents / Maintenance


  • Privacy-friendly Web Analytics


  • SMS Gateway
How we use Twilio

Twilio is a messaging platform which allows you to send SMS to end-users. Customers can configure their own SMS Gateway per instance.

United States