# Managed Keycloak Switzerland

> Managed Keycloak on Swiss cloud infrastructure. 24/7 operations, up to 99.99% SLA, unlimited users, fixed price from CHF 360/month. By VSHN and Inventage.

Enterprise Identity and Access Management on Swiss cloud infrastructure. VSHN operates your Keycloak instances with 24/7 support and up to 99.99% availability SLA. Inventage provides expert-level Keycloak engineering and consulting. From CHF 360 per month.

## Pages

- [Homepage](https://www.managed-keycloak.ch/): Managed Keycloak in Switzerland – IAM as a Service | VSHN
- [Okta vs Auth0 vs Managed Keycloak — IAM Cost Comparison | VSHN](https://www.managed-keycloak.ch/comparison.md)
- [Open-Source IAM Comparison: Keycloak, Authentik, Zitadel](https://www.managed-keycloak.ch/open-source-iam.md)
- [Partner with VSHN on Managed Keycloak | VSHN](https://www.managed-keycloak.ch/partners.md)
- [Keycloak Sovereignty — Swiss IAM Hosting | VSHN](https://www.managed-keycloak.ch/sovereignty.md)

## Features

- **Keycloak Expertise from Inventage**: Inventage operates the Keycloak Competence Center Switzerland and provides Level 3 engineering support for your Keycloak deployment. Their engineers build custom extensions, resolve complex configuration issues, and contribute to the Keycloak project. Clients include Baloise, LGT, VP Bank, Zürich Insurance, and the Swiss Federal Office of Information Technology.
- **24/7 Operations by VSHN**: VSHN operates your Keycloak instances: monitoring, patching, upgrades, incident response, and backup management. Our ISO 27001-certified operations team provides round-the-clock coverage so your identity infrastructure is always available.
- **Digital Sovereignty & Swiss Hosting**: Identity is the foundation every other service depends on. It is the starting point for any digital sovereignty initiative. Managed Keycloak runs on Swiss cloud providers (cloudscale.ch, Exoscale), on Enterprise Private Cloud, or on your own on-premises infrastructure.
Your identity data stays where you control it. VSHN is a Swiss-owned company with no foreign parent or investors, and all contracts are governed by Swiss law with no exposure to the US CLOUD Act. For customers requiring sovereign key custody, encryption with customer-controlled keys is available via the open PKCS#11 standard, supporting a broad selection of HSM vendors. For example, [Securosys CloudHSM](https://www.securosys.com/cloud-security/cloudhsm-overview) is a Swiss hardware security module where VSHN cannot access the key material. Because Keycloak is open source, you are never locked in. You can change service providers at any time. Learn more in our [sovereignty assessment](/sovereignty/).
- **Self-Service on Servala**: Order managed Keycloak instances through Servala with automated provisioning on eight cloud providers, including Enterprise Private Cloud and on-premises. Choose between Best Effort for development workloads or Guaranteed Availability with 99.99% SLA for production. PostgreSQL database, TLS encryption, and automated backups included.
- **Enterprise IAM Features**: Consolidate authentication across your organization with Single Sign-On, multi-factor authentication, and federation with LDAP or Active Directory. Keycloak supports up to 100 realms with unlimited users, custom themes, and standards-based protocols (OAuth 2.0, OpenID Connect, SAML 2.0) for integration with any application.
- **Open Source — No Lock-in**: Keycloak is licensed under Apache 2.0, originally created by Red Hat and now a CNCF incubating project. Standards-based protocols (OAuth 2.0, OpenID Connect, SAML 2.0) mean your integrations work with any provider. Your realms, users, and configuration belong to you, not to your service provider.

## What VSHN and Inventage deliver

- 24/7 operations and monitoring by VSHN
- Expert Keycloak engineering by Inventage
- Automated daily backups with encrypted off-site storage
- Continuous upgrades to the latest Keycloak version
- Security patches applied proactively
- Deployment on cloudscale.ch, Exoscale, Enterprise Private Cloud, on-premises, and additional providers via Servala
- Custom themes, extensions, and enterprise integrations supported
- Consulting and onboarding package available (CHF 8,000 / 5 days)

## Managed Keycloak pricing

- **Managed Keycloak** — CHF 360/month — Best effort SLA, 1 instance
- **Managed Keycloak HA** — CHF 1,500/month — 99.99% SLA, 2 instances + test/dev

Cloud provider computing resources charged separately. PostgreSQL database included. Business hours support included; 24/7 support plan optional.

## Trusted by Swiss organizations

- [HIN](https://www.vshn.ch/en/success-stories/hin-health-info-net/)
- [acrevis](https://www.vshn.ch/en/success-stories/acrevis/)
- [Schweizerisches Bundesarchiv BAR](https://www.vshn.ch/en/success-stories/schweizerisches-bundesarchiv-bar/)
- [Comerge](https://www.vshn.ch/en/vshn-partner/comerge/)

## Managed Keycloak FAQ

### What is Keycloak?

Keycloak is an open-source Identity and Access Management (IAM) solution that provides Single Sign-On (SSO), multi-factor authentication, social login, user federation with LDAP and Active Directory, and fine-grained authorisation. It supports industry-standard protocols including OAuth 2.0, OpenID Connect, and SAML 2.0. Keycloak is backed by Red Hat and is a CNCF incubating project, licensed under Apache 2.0.

### Who operates managed Keycloak?

VSHN provides Level 2 operations: 24/7 monitoring, infrastructure management, patching, upgrades, backups, and incident response. Inventage provides Level 3 engineering support: expert analysis of Keycloak configuration, custom extensions, and core product issues.
Together, this three-tier model (your team for Level 1 end-user support, VSHN for operations, Inventage for engineering) covers the full support stack.

### What SLA is available for managed Keycloak?

The Best Effort plan at CHF 360 per month includes professional operations without a formal uptime commitment, suitable for development and staging environments. The Guaranteed Availability plan at CHF 1,500 per month provides 99.99% uptime SLA with two Keycloak instances and a PostgreSQL database, backed by 24/7 monitoring and incident handling. A dedicated test and development instance is included at Best Effort tier.

### Which cloud providers are supported?

Managed Keycloak is available on Swiss cloud providers including cloudscale.ch and Exoscale, both operating data centers exclusively in Switzerland. Through Servala, Keycloak is also available on Xelon, Switch, Levigo, APPUiO, Managed OpenShift, and Enterprise Private Cloud. Swiss providers are recommended for organizations with data residency requirements.

### How are backups handled?

All Keycloak data is stored in a managed PostgreSQL database. Automated daily backups are taken, with six copies retained by default. VSHN uses CloudNativePG with Barman for backup orchestration. Deletion protection is available as an additional safeguard.

### Can I use custom themes and extensions?

Yes. Managed Keycloak supports custom themes for login pages, account management, and email templates, including logos, colours, fonts, and custom stylesheets. Custom extensions are supported via container images. Inventage develops custom authenticators, event listeners, protocol mappers, and federation providers as part of their Level 3 engineering service.

### What Keycloak features are included?

Each managed Keycloak instance supports up to 100 realms with unlimited users, admin console access, built-in metrics and dashboards, custom subdomain configuration, keycloak-config-cli for declarative configuration, and TLS-encrypted PostgreSQL database. High-availability configurations use Infinispan clustering across two or three instances with zero-downtime maintenance.

### Why is managed Keycloak important for digital sovereignty?

The [EU Cloud Sovereignty Framework](https://ec.europa.eu/commission/presscorner/detail/en/ip_26_833) defines eight dimensions of cloud sovereignty, from data residency and legal jurisdiction to operational independence and open-source technology. Managed Keycloak addresses all of them: your data stays on Swiss cloud providers (cloudscale.ch, Exoscale) with no exposure to the US CLOUD Act, VSHN's Swiss-based operations team independently manages patching and upgrades without non-European vendor involvement, and Keycloak's open-source license and open standards (OAuth 2.0, OpenID Connect, SAML 2.0) ensure you are never locked in. Identity is the service every other application depends on, making it the natural starting point for a sovereignty strategy. See our [sovereignty assessment](/sovereignty/) for details on how VSHN scores against the EU Cloud Sovereignty Framework.

### How does managed Keycloak compare to self-hosted?

Self-hosting Keycloak requires Kubernetes expertise, database administration, backup automation, security patching, and on-call coverage. Managed Keycloak provides all of this as a service with a fixed monthly fee. VSHN handles the infrastructure and operations while Inventage provides engineering expertise that would be difficult to build in-house. For production workloads, the Guaranteed Availability plan includes 99.99% SLA and 24/7 support.

### How do I get started?

The fastest way is to order managed Keycloak through Servala at servala.com/service/keycloak/ for self-service provisioning on your choice of cloud provider. For enterprise deployments with custom requirements, contact us using the form below. VSHN and Inventage offer a consulting and onboarding package (CHF 8,000 for 5 days, 40 hours) covering architecture design, realm configuration, identity provider integration, and theme customization.

### Can we migrate from Active Directory or ADFS to Keycloak?

It depends on what you are migrating away from. If your applications use ADFS or Entra ID (formerly Azure AD) for OpenID Connect or SAML authentication, switching to Keycloak is straightforward: Keycloak supports the same protocols, so you reconfigure each application to point to Keycloak as the identity provider. VSHN and Inventage handle the Keycloak deployment, realm setup, and application onboarding.

Replacing on-premises Active Directory itself is a different matter. AD is deeply integrated into Windows infrastructure, Group Policy, file shares, and Kerberos-based authentication across most enterprises. A full AD replacement is a significant organizational effort that typically takes months to years and cannot be automated. Keycloak supports LDAP federation with AD, so both systems can coexist during a gradual transition.

VSHN and Inventage can deploy and operate your managed Keycloak instance, configure LDAP federation, and set up protocol bridges for applications that need to authenticate against both systems. For the broader AD decommissioning, including application inventory, Group Policy migration, and organizational change management, you will need a dedicated integration partner alongside the Keycloak operations that VSHN provides.

### Can agencies deploy managed Keycloak for client projects?

Yes. Agencies and system integrators use VSHN-managed Keycloak to provide identity and access management for client applications.
Each client gets a dedicated Keycloak instance with full tenant isolation on Swiss cloud infrastructure. VSHN handles operations, updates, and 24/7 monitoring while your team configures realms, clients, and authentication flows for the application. Invoice billing and written service agreements simplify cost allocation across client engagements.

## Contact us

Need managed Keycloak or IAM consulting? Order on Servala at servala.com/service/keycloak/, or contact us for a free initial consultation with VSHN and Inventage.

Want to hear from a customer first? We can arrange a reference call.

Booking: #contact

---

## Okta vs Auth0 vs Managed Keycloak — IAM Cost Comparison | VSHN

# Okta vs Auth0 vs Managed Keycloak: IAM Cost Comparison

Identity and Access Management pricing follows two models: per-user (Okta, Auth0) or fixed-price (Keycloak). The difference compounds as your organization grows. This page compares the three options so you can choose the right IAM platform for your budget and requirements.

## Quick comparison

| | Okta | Auth0 | VSHN Managed Keycloak |
|---|---|---|---|
| **Pricing model** | Per user/month | Per monthly active user | Fixed monthly price |
| **Starting price** | $6/user/month | Free to 7,500 MAU | CHF 360/month |
| **Data location** | USA (AWS) | USA (AWS) | Your choice (Swiss cloud, Azure, AWS, on-premises) |
| **Open source** | No | No | Yes (Apache 2.0) |
| **Vendor lock-in** | High | High | None |
| **SSO protocols** | SAML, OIDC | SAML, OIDC | SAML, OIDC, LDAP, Kerberos |
| **Self-hosted option** | No | No | Yes (that's what this is) |

## The per-user pricing trap

Okta and Auth0 charge per user. This works at small scale but becomes a growth penalty:

- **Okta Workforce Identity** starts at $6/user/month (Starter Suite). With SSO, MFA, and lifecycle management, expect $14-17/user/month (Essentials/Professional). Enterprise is custom pricing.
- **Auth0** charges per monthly active user (MAU). The free tier covers 7,500 MAU.
Beyond that, Essentials starts at $35/month, Professional at $240/month. Enterprise contracts start around $30,000/year.

**Managed Keycloak is CHF 360/month.** No per-user fees. The management, support, and software stay the same whether you have 100 users or 100,000. You may need more cloud infrastructure as request volume grows. VSHN handles the capacity planning, and cloud resources are billed separately at cost.

## What you give up with Keycloak

Keycloak is not a drop-in replacement for everything Okta and Auth0 offer:

- **No built-in user directory sync**: Okta has deep HR system integrations (Workday, BambooHR). Keycloak uses LDAP/AD federation or custom providers.
- **No pre-built app catalog**: Okta's Integration Network has 7,000+ pre-configured apps. Keycloak requires manual SAML/OIDC configuration per app.
- **No managed passwordless at scale**: Okta's FastPass and Auth0's passkey support are more mature. Keycloak supports WebAuthn but requires more configuration.
- **Self-managed complexity**: without VSHN, running Keycloak in production requires Kubernetes expertise, database management, and upgrade planning.

This is where the VSHN + Inventage partnership matters: VSHN handles the infrastructure, Inventage provides Keycloak application expertise, including custom authentication flows, SSO integrations, and theme development. If you wouldn't build the Auth0 Actions customisations yourself either, Inventage builds the equivalent in Keycloak for you. You get the cost advantage of open source with professional support on both the platform and the application layer.

## What you gain with Keycloak

- **Digital sovereignty**: Identity is the most fundamental layer of your IT. It ties every application together. If your identity provider isn't sovereign, none of your applications are. Keycloak is Apache 2.0: your configuration, themes, and extensions belong to you. No vendor can change the terms, raise prices, or restrict features.
See our [sovereignty assessment](/sovereignty/) for how VSHN scores against the EU Cloud Sovereignty Framework.
- **Your infrastructure, your rules**: VSHN operates Keycloak wherever you need it: on Swiss cloud (cloudscale.ch, Exoscale) for data residency, or in your existing Azure or AWS tenant so identity lives next to your applications. Either way, *you* own the infrastructure and *you* control who has access. With Okta or Auth0, your credentials live on their AWS account.
- **Full feature access**: no feature gating behind expensive tiers. SSO, MFA, fine-grained authorization, user federation, custom themes, and SCIM are all included.
- **Unlimited users**: no per-user fees. The service price is fixed; only cloud infrastructure scales with load (and VSHN handles the capacity planning).
- **FINMA-compatible**: ISO 27001 certified operations, Swiss data residency, audit-ready documentation.

## Managed Keycloak pricing

| Service | Monthly price | What you get |
|---|---|---|
| Managed Keycloak (Best Effort) | CHF 360 | 1 instance, monitoring, backups, upgrades, office-hours support |
| Managed Keycloak (99.99% SLA) | CHF 1,500 | 2 instances (HA), 24/7 on-call, SLA with service credits, dev/test instance included |
| Consulting package (Inventage) | CHF 8,000 | 5 days / 40 hours: architecture, auth flows, integration, customization |

Cloud infrastructure costs (compute, storage) are billed separately by the provider.

## When to choose each option

**Choose Okta when:**

- You need 7,000+ pre-built app integrations out of the box
- HR system sync (Workday, BambooHR) is critical
- You have budget for per-user pricing and don't expect rapid user growth
- US data hosting is acceptable

**Choose Auth0 when:**

- You need Auth0's Actions pipeline for highly custom login flows (progressive profiling, bot detection, third-party enrichment at login time).
Keycloak has authentication flows and SPIs but they require Java, not JavaScript
- You want a managed B2B multi-tenant setup with per-organisation branding out of the box (Auth0 Organizations). Keycloak can do this with realms but requires more configuration
- Your MAU count is predictable and within Auth0's pricing sweet spot

**Choose VSHN Managed Keycloak when:**

- Your data must stay in Switzerland (FINMA, Swiss data protection, internal policy)
- You want predictable costs that don't scale with user count
- You need full control over your IAM platform without vendor lock-in
- You want open-source technology with professional Swiss operations
- You're replacing Okta or Auth0 to reduce costs at scale

## Next steps

Ready to evaluate Keycloak for your organization? Book a free 15-minute call. We'll review your current IAM setup and estimate the migration effort.

---

## Open-Source IAM Comparison: Keycloak, Authentik, Zitadel

# Open-Source IAM Comparison: Keycloak vs Authentik vs Zitadel vs Kanidm

You've decided on open-source IAM - now which platform? This page helps you choose between the main open-source options. If you're still evaluating open-source against SaaS products like Okta and Auth0, see our [SaaS vs open-source cost comparison](/comparison/).

## Quick comparison

| | Keycloak | Authentik | Zitadel | Kanidm |
|---|---|---|---|---|
| **First release** | 2014 | 2020 | 2019 | ~2020 |
| **Language** | Java | Python + Go | Go | Rust |
| **Protocols** | SAML, OIDC, LDAP, Kerberos | SAML, OIDC, LDAP, SCIM | OIDC, SAML | OIDC, LDAP |
| **Multi-tenancy** | Realms | Tenants | Organizations | Not yet |
| **Kubernetes** | Keycloak Operator | Helm only | Helm + gRPC API | Early |
| **UI customization** | Themes + Keycloakify | Flow designer | Limited | Limited |
| **Enterprise support** | Red Hat SSO | None official | Zitadel GmbH | None |
| **Community size** | Largest | Growing fast | Mid-size | Small |
| **Managed by VSHN** | Yes | No | No | No |

## Authentik

**Strengths:** Authentik has a modern, well-designed interface and a visual flow-based policy engine that makes authentication logic accessible without writing code. The Python extensibility model lets you add custom logic through expressions and stages without compiling Java SPIs. It added SCIM provisioning early and has a clear development trajectory. For teams evaluating Keycloak's UI complexity as a barrier, Authentik is the most credible alternative.

**Limitations:** Authentik's ecosystem is smaller than Keycloak's. Production references at large scale (100k+ users, high availability, complex enterprise federation) are fewer and harder to find. There is no commercially backed support offering - you rely on the community or paid third-party consultants. If your integrations depend on specific SAML edge cases or Kerberos, Keycloak has broader protocol coverage. The Python codebase also adds a runtime dependency that some security teams scrutinise.

## Zitadel

**Strengths:** Zitadel is built by a Swiss company based in St. Gallen. It is written in Go, which gives it a small binary footprint and cloud-native runtime characteristics.
The built-in gRPC API makes it well-suited to infrastructure-as-code workflows: you manage tenants, applications, and policies via API rather than clicking through a UI. Zitadel's Organizations model provides first-class multi-tenancy and is actively developed.

**Limitations:** Zitadel's SAML support is less mature than Keycloak's - enterprises with large SAML app estates should test compatibility carefully before committing. The plugin and extension ecosystem is smaller, and Zitadel GmbH is the primary commercial backer, so ecosystem breadth depends on their roadmap. Kubernetes deployment is handled via Helm chart with the gRPC management API, but there is no Kubernetes operator equivalent to the Keycloak Operator.

## Kanidm

**Strengths:** Kanidm is written in Rust and designed from scratch with a security-first architecture. It avoids legacy protocol baggage and makes deliberate choices to reduce attack surface - for example, defaulting to modern cryptography and refusing to implement weaker compatibility modes. For teams building greenfield infrastructure who want a modern, auditable IAM stack, Kanidm is worth following.

**Limitations:** Kanidm is early stage. Protocol coverage is limited - SAML is not supported, which rules it out for most enterprise environments with existing SAML app integrations. The community is small and the project has not yet reached the operational maturity needed for most production enterprise deployments. Kanidm is suitable for evaluation and development workloads, but not as a primary IAM platform for regulated environments today.

## WSO2 Identity Server

WSO2 Identity Server is an enterprise-grade Java IAM platform with a long history. It is open source (Apache 2.0) but complex to operate and customise - it follows the same pattern as Keycloak but with heavier tooling and a steeper learning curve. Without WSO2's commercial support, operational complexity is high. It is less commonly chosen for new deployments in Europe.

## VSHN + Inventage: operations and application expertise

VSHN operates Keycloak infrastructure on Swiss cloud, including monitoring, backups, upgrades, and high-availability configuration. Inventage provides application-layer Keycloak expertise: custom authentication flows, SSO integrations, theme development with Keycloakify, and identity architecture consulting.

This combination covers the full stack: you are not choosing between infrastructure operations and application expertise, you get both. No other provider in Switzerland offers this partnership for managed Keycloak.

For Authentik, Zitadel, or Kanidm, you would need to assemble your own operations and development support. VSHN has expertise in all four platforms for assessment work, but managed operations are available for Keycloak only.

## When to choose each option

**Choose Keycloak when:**

- You need mature SAML, OIDC, LDAP, and Kerberos support in a single platform
- You need proven large-scale production deployments and a large community for reference
- Your team or partner (Inventage) has Java skills for custom SPI development
- You want a [CNCF-graduated](https://www.managed-keycloak.ch) project with mature project governance independent of any single vendor, Red Hat commercial backing, and long-term support
- You want managed operations from VSHN with a fixed monthly price

**Choose Authentik when:**

- Your team prefers Python over Java for extension development
- You want a modern visual flow designer and a cleaner admin interface
- Your SAML requirements are standard and well-covered
- You are comfortable managing your own operations without commercial support

**Choose Zitadel when:**

- You prefer a Swiss-built product with a Swiss vendor (note: VSHN Managed Keycloak also provides Swiss data residency and Swiss operations)
- You have infrastructure-as-code workflows and want full gRPC API management
- Your app estate is primarily OIDC-based
- You want a Go-native, cloud-native binary with low
resource overhead

**Choose Kanidm when:**

- You are building greenfield infrastructure and can accept early-stage software
- You want to evaluate a security-first Rust-based IAM platform
- You do not require SAML support

## Evaluate Keycloak for your environment

VSHN and Inventage offer a free 15-minute initial call to assess your current IAM setup, review your protocol and integration requirements, and estimate migration effort from your existing platform. [Book a consultation.](#contact)

---

## Partner with VSHN on Managed Keycloak | VSHN

# Partner with VSHN on Managed Keycloak

You bring the customer relationship and Keycloak expertise: SSO/federation design, identity migration, custom themes and branding, OIDC/SAML integration. VSHN brings 24/7 managed operations, Swiss data residency, and a 99.99% SLA. Together you deliver a complete managed Keycloak solution without either side building capabilities you don't have.

## How we collaborate

**Lead Partner model.** For each project, one of us is the customer's single point of contact. Who leads depends on the project, agreed per engagement. The Lead Partner drives the project, handles invoicing, and owns first-level support.

**Joint delivery.** You handle consulting, integration, and project management. VSHN handles infrastructure operations, monitoring, backups, and SLA. Or the other way around, depending on the project. Roles are agreed per engagement, not locked into a rigid structure.

**Flexible billing.** Invoice the customer together or separately, agreed per project. Both models are supported: each party invoices their share directly, or one party invoices the full amount and redistributes.

**Protected relationships.** No undercutting. Your customer stays your customer. Existing relationships are respected on both sides, with contractual protections for both parties.

## Division of labour for Managed Keycloak

| Your role | VSHN's role |
|-----------|-------------|
| SSO/federation design | Keycloak instance operations |
| Identity migration | HA clustering and failover |
| Custom themes and branding | Automated backups and restore |
| OIDC/SAML integration | Upgrades and security patches |
| Project management | Monitoring, alerting, and 24/7 incident response |

## Partners delivering Managed Keycloak

**[Gepardec](https://www.gepardec.com)**. Keycloak consulting and Java modernisation. Delivers identity architecture design and OIDC/SAML integrations on VSHN-operated Keycloak infrastructure.

**[Puzzle](https://puzzle.ch)**. Software company with 140+ employees. Provides cloud consulting and integration work alongside VSHN managed Keycloak.

See all VSHN partners at [servala.com/partners](https://servala.com/partners/).

## Become a partner

Interested in delivering managed Keycloak together? Let's explore how we complement each other. [Book a partnership discovery call](https://vshn.cal.vs.hn/keycloak) or [start a partnership conversation](#contact).

---

## Keycloak Sovereignty — Swiss IAM Hosting | VSHN

# Keycloak Sovereignty: Why Your Identity Provider Matters Most

Your identity provider holds the keys to everything: user credentials, session tokens, access policies, and authentication flows. If any system deserves sovereign hosting, it's IAM.

Cloud-based identity services like Auth0 (Okta, US), Azure AD (Microsoft, US), and AWS Cognito (Amazon, US) store your users' authentication data on US infrastructure under US law. The [CLOUD Act](https://en.wikipedia.org/wiki/CLOUD_Act) allows US authorities to access this data without Swiss judicial process.

## Why Keycloak is a strong choice for sovereignty

Keycloak is **fully open source** (Apache 2.0 license), maintained by Red Hat and a large community.
Unlike proprietary IAM services:

- **No vendor lock-in**: standard protocols (OIDC, SAML, LDAP), portable configuration
- **Full code auditability**: the entire authentication stack is inspectable
- **No data exfiltration risk**: your identity data never leaves your infrastructure
- **Self-contained**: no callbacks to external services, no telemetry, no cloud dependencies
- **Proven at scale**: [2 million users, 400 logins/second](https://www.redhat.com/en/resources/apa-it-customer-case-study) (APA-IT/MediaKey case study)

VSHN operates Keycloak on Swiss Kubernetes infrastructure. Your users' identities stay under Swiss law, operated by a Swiss team.

## IAM sovereignty compared

| Dimension | Auth0 (Okta) | Azure AD | AWS Cognito | VSHN Managed Keycloak |
|-----------|-------------|----------|------------|---------------------|
| **Ownership** | Okta (USA) | Microsoft (USA) | Amazon (USA) | VSHN AG (Switzerland) |
| **Governing law** | US law | US law | US law | Swiss law |
| **CLOUD Act** | Exposed | Exposed | Exposed | Not exposed |
| **Data location** | Configurable (EU regions available) | Configurable | Configurable | Switzerland (cloudscale.ch, Exoscale, or your choice) |
| **Source code** | Proprietary | Proprietary | Proprietary | Open source (Keycloak) |
| **Protocol standards** | OIDC, SAML | OIDC, SAML, WS-Fed | OIDC | OIDC, SAML, LDAP, Kerberos |
| **Encryption key custody** | Provider-managed | Microsoft-managed | AWS-managed | Optional customer-controlled keys via [Managed OpenBao](https://www.openbao.ch) + [Swiss HSM](https://cloud.securosys.com/cloudhsm) |
| **Operations team** | USA | USA | USA | Switzerland ([Swiss-only option](https://products.vshn.ch/support_plans.html#_option_switzerland_only_support)) |
| **Certifications** | SOC 2 | SOC 2, ISO 27001 | SOC 2 | [ISO 27001](https://www.vshn.ch/wp-content/uploads/2025/12/ISO-27001-certificate-VSHN-2024.pdf), ISAE 3402 Type II |

## VSHN sovereignty self-assessment

We applied the EU's [Cloud
Sovereignty Framework](https://commission.europa.eu/document/09579818-64a6-4dd5-9577-446ab6219113_en) (v1.2.1, October 2025) to our own services. This framework was used to score providers in the EU's [EUR 180M sovereign cloud tender](https://ec.europa.eu/commission/presscorner/detail/en/ip_26_833) in April 2026. Three pure-European providers achieved SEAL-3, while a consortium involving Google Cloud scored only SEAL-2.

*This is a self-assessment, not a formal SEAL certification. We publish it for transparency so customers can evaluate our sovereignty profile using the same structured criteria the EU uses.*

| # | Dimension | Weight | Assessment | Evidence |
|---|-----------|--------|-----------|----------|
| SOV-1 | Strategic | 15% | **Strong** | Swiss AG, no foreign parent, all shareholders Swiss citizens ([Commercial Register](https://zh.chregister.ch/cr-portal/auszug/auszug.xhtml?uid=CHE-275.566.226)) |
| SOV-2 | Legal | 10% | **Strong** | Swiss law ([GTC](https://products.vshn.ch/legal/gtc_en.html)), no CLOUD Act, [EU adequacy decision](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en) |
| SOV-3 | Data & AI | 10% | **Strong** | Swiss DCs by default. Sovereign key management via [Managed OpenBao](https://www.openbao.ch) + [Swiss HSM](https://cloud.securosys.com/cloudhsm) |
| SOV-4 | Operational | 15% | **Strong** | Swiss 24/7 ops, [Swiss-only support option](https://products.vshn.ch/support_plans.html#_option_switzerland_only_support). All services on vanilla Kubernetes |
| SOV-5 | Supply Chain | 20% | **Strong** | Infrastructure-agnostic — [customer chooses provider](https://servala.com/providers/). Open-source software |
| SOV-6 | Technology | 15% | **Strong** | 100% open source. VSHN contributes to [K8up](https://github.com/k8up-io) (CNCF), [Crossplane providers](https://github.com/vshn), [Project Syn](https://github.com/projectsyn) |
| SOV-7 | Security | 10% | **Strong** | [ISO 27001](https://www.vshn.ch/wp-content/uploads/2025/12/ISO-27001-certificate-VSHN-2024.pdf), ISAE 3402 Type II, Swiss SOC. [FINMA-regulated customers](https://www.vshn.ch/en/solutions/solutions-for-banks-and-financial-service-providers/) |
| SOV-8 | Environmental | 5% | **Moderate** | DC operators: Green Datacenter AG (ISO 22301/27001/27701), [Exoscale sustainability](https://www.exoscale.com/sustainability/). [VSHN CSR policy](https://handbook.vshn.ch/corporate_social_responsibility_policy.html) |

**Overall: SEAL-3 equivalent**, the same level achieved by the winners of the EU's own sovereignty tender. No provider worldwide achieved SEAL-4: it requires fully EU/EEA-sourced hardware supply chains and open-source foundations, structural gaps shared by every cloud provider.

Try Swiss infrastructure: [Servala](https://www.servala.com) (managed services, free trial), Exoscale (Swiss IaaS). Want help choosing? [Contact us](#contact).

## Get a sovereignty assessment for your IAM setup

Concerned about your IAM provider's jurisdiction? We assess your sovereignty profile against the EU framework and plan a migration to sovereign Keycloak on Swiss infrastructure.