# Keycloak Sovereignty: Why Your Identity Provider Matters Most

Your identity provider holds the keys to everything: user credentials, session tokens, access policies, and authentication flows. If any system deserves sovereign hosting, it's IAM.

Cloud-based identity services like Auth0 (Okta, US), Azure AD (Microsoft, US), and AWS Cognito (Amazon, US) store your users' authentication data on US infrastructure under US law. The [CLOUD Act](https://en.wikipedia.org/wiki/CLOUD_Act) allows US authorities to access this data without Swiss judicial process.

## Why Keycloak is a strong choice for sovereignty

Keycloak is **fully open source** (Apache 2.0 license), maintained by Red Hat and a large community. Unlike proprietary IAM services:

- **No vendor lock-in**: standard protocols (OIDC, SAML, LDAP), portable configuration
- **Full code auditability**: the entire authentication stack is inspectable
- **No data exfiltration risk**: your identity data never leaves your infrastructure
- **Self-contained**: no callbacks to external services, no telemetry, no cloud dependencies
- **Proven at scale**: [2 million users, 400 logins/second](https://www.redhat.com/en/resources/apa-it-customer-case-study) (APA-IT/MediaKey case study)

VSHN operates Keycloak on Swiss Kubernetes infrastructure. Your users' identities stay under Swiss law, operated by a Swiss team.

## IAM sovereignty compared

| Dimension | Auth0 (Okta) | Azure AD | AWS Cognito | VSHN Managed Keycloak |
|-----------|-------------|----------|------------|---------------------|
| **Ownership** | Okta (USA) | Microsoft (USA) | Amazon (USA) | VSHN AG (Switzerland) |
| **Governing law** | US law | US law | US law | Swiss law |
| **CLOUD Act** | Exposed | Exposed | Exposed | Not exposed |
| **Data location** | Configurable (EU regions available) | Configurable | Configurable | Switzerland (cloudscale.ch, Exoscale, or your choice) |
| **Source code** | Proprietary | Proprietary | Proprietary | Open source (Keycloak) |
| **Protocol standards** | OIDC, SAML | OIDC, SAML, WS-Fed | OIDC | OIDC, SAML, LDAP, Kerberos |
| **Encryption key custody** | Provider-managed | Microsoft-managed | AWS-managed | Optional customer-controlled keys via [Managed OpenBao](https://www.openbao.ch) + [Swiss HSM](https://cloud.securosys.com/cloudhsm) |
| **Operations team** | USA | USA | USA | Switzerland ([Swiss-only option](https://products.vshn.ch/support_plans.html#_option_switzerland_only_support)) |
| **Certifications** | SOC 2 | SOC 2, ISO 27001 | SOC 2 | [ISO 27001](https://www.vshn.ch/wp-content/uploads/2025/12/ISO-27001-certificate-VSHN-2024.pdf), ISAE 3402 Type II |

## VSHN sovereignty self-assessment

We applied the EU's [Cloud Sovereignty Framework](https://commission.europa.eu/document/09579818-64a6-4dd5-9577-446ab6219113_en) (v1.2.1, October 2025) to our own services. This framework was used to score providers in the EU's [EUR 180M sovereign cloud tender](https://ec.europa.eu/commission/presscorner/detail/en/ip_26_833) in April 2026. Three pure-European providers achieved SEAL-3, while a consortium involving Google Cloud scored only SEAL-2.

*This is a self-assessment, not a formal SEAL certification. We publish it for transparency so customers can evaluate our sovereignty profile using the same structured criteria the EU uses.*

| # | Dimension | Weight | Assessment | Evidence |
|---|-----------|--------|-----------|----------|
| SOV-1 | Strategic | 15% | **Strong** | Swiss AG, no foreign parent, all shareholders Swiss citizens ([Commercial Register](https://zh.chregister.ch/cr-portal/auszug/auszug.xhtml?uid=CHE-275.566.226)) |
| SOV-2 | Legal | 10% | **Strong** | Swiss law ([GTC](https://products.vshn.ch/legal/gtc_en.html)), no CLOUD Act, [EU adequacy decision](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en) |
| SOV-3 | Data & AI | 10% | **Strong** | Swiss DCs by default. Sovereign key management via [Managed OpenBao](https://www.openbao.ch) + [Swiss HSM](https://cloud.securosys.com/cloudhsm) |
| SOV-4 | Operational | 15% | **Strong** | Swiss 24/7 ops, [Swiss-only support option](https://products.vshn.ch/support_plans.html#_option_switzerland_only_support). All services on vanilla Kubernetes |
| SOV-5 | Supply Chain | 20% | **Strong** | Infrastructure-agnostic — [customer chooses provider](https://servala.com/providers/). Open-source software |
| SOV-6 | Technology | 15% | **Strong** | 100% open source. VSHN contributes to [K8up](https://github.com/k8up-io) (CNCF), [Crossplane providers](https://github.com/vshn), [Project Syn](https://github.com/projectsyn) |
| SOV-7 | Security | 10% | **Strong** | [ISO 27001](https://www.vshn.ch/wp-content/uploads/2025/12/ISO-27001-certificate-VSHN-2024.pdf), ISAE 3402 Type II, Swiss SOC. [FINMA-regulated customers](https://www.vshn.ch/en/solutions/solutions-for-banks-and-financial-service-providers/) |
| SOV-8 | Environmental | 5% | **Moderate** | DC operators: Green Datacenter AG (ISO 22301/27001/27701), [Exoscale sustainability](https://www.exoscale.com/sustainability/). [VSHN CSR policy](https://handbook.vshn.ch/corporate_social_responsibility_policy.html) |

**Overall: SEAL-3 equivalent**, the same level achieved by the winners of the EU's own sovereignty tender. No provider worldwide achieved SEAL-4, which requires fully EU/EEA-sourced hardware supply chains and open-source foundations; these are structural gaps shared by every cloud provider.

Try Swiss infrastructure: [Servala](https://www.servala.com) (managed services, free trial), [Exoscale]({{partner:exoscale.signup_url}}) (Swiss IaaS). Want help choosing? [Contact us](#contact).

## Get a sovereignty assessment for your IAM setup

Concerned about your IAM provider's jurisdiction? We assess your sovereignty profile against the EU framework and plan a migration to sovereign Keycloak on Swiss infrastructure.
