Keycloak Sovereignty: Why Your Identity Provider Matters Most
Your identity provider holds the keys to everything — user credentials, session tokens, access policies, and authentication flows. If any system deserves sovereign hosting, it's IAM.
Cloud-based identity services like Auth0 (Okta, US), Azure AD (Microsoft, US), and AWS Cognito (Amazon, US) store your users' authentication data on US infrastructure under US law. The CLOUD Act allows US authorities to access this data without Swiss judicial process.
Why Keycloak is a strong choice for sovereignty
Keycloak is fully open source (Apache 2.0 license), maintained by Red Hat and a large community. Unlike proprietary IAM services:
- No vendor lock-in — standard protocols (OIDC, SAML, LDAP), portable configuration
- Full code auditability — the entire authentication stack is inspectable
- No data exfiltration risk — your identity data never leaves your infrastructure
- Self-contained — no callbacks to external services, no telemetry, no cloud dependencies
- Proven at scale — 2 million users, 400 logins/second (APA-IT/MediaKey case study)
VSHN operates Keycloak on Swiss Kubernetes infrastructure. Your users' identities stay under Swiss law, operated by a Swiss team.
IAM sovereignty compared
| Dimension | Auth0 (Okta) | Azure AD | AWS Cognito | VSHN Managed Keycloak |
|---|---|---|---|---|
| Ownership | Okta (USA) | Microsoft (USA) | Amazon (USA) | VSHN AG (Switzerland) |
| Governing law | US law | US law | US law | Swiss law |
| CLOUD Act | Exposed | Exposed | Exposed | Not exposed |
| Data location | Configurable (EU regions available) | Configurable | Configurable | Switzerland (cloudscale.ch, Exoscale, or your choice) |
| Source code | Proprietary | Proprietary | Proprietary | Open source (Keycloak) |
| Protocol standards | OIDC, SAML | OIDC, SAML, WS-Fed | OIDC | OIDC, SAML, LDAP, Kerberos |
| Encryption key custody | Provider-managed | Microsoft-managed | AWS-managed | Optional customer-controlled keys via Managed OpenBao + Swiss HSM |
| Operations team | USA | USA | USA | Switzerland (Swiss-only option) |
| Certifications | SOC 2 | SOC 2, ISO 27001 | SOC 2 | ISO 27001, ISAE 3402 Type II |
VSHN sovereignty self-assessment
We applied the EU's Cloud Sovereignty Framework (v1.2.1, October 2025) to our own services. This framework was used to score providers in the EU's EUR 180M sovereign cloud tender in April 2026 — three purely European providers achieved SEAL-3, while a consortium involving Google Cloud scored only SEAL-2.
This is a self-assessment, not a formal SEAL certification. We publish it for transparency so customers can evaluate our sovereignty profile using the same structured criteria the EU uses.
| # | Dimension | Weight | Assessment | Evidence |
|---|---|---|---|---|
| SOV-1 | Strategic | 15% | Strong | Swiss AG, no foreign parent, all shareholders Swiss citizens (Commercial Register) |
| SOV-2 | Legal | 10% | Strong | Swiss law (GTC), no CLOUD Act, EU adequacy decision |
| SOV-3 | Data & AI | 10% | Strong | Swiss DCs by default. Sovereign key management via Managed OpenBao + Swiss HSM |
| SOV-4 | Operational | 15% | Strong | Swiss 24/7 ops, Swiss-only support option. All services on vanilla Kubernetes |
| SOV-5 | Supply Chain | 20% | Strong | Infrastructure-agnostic — customer chooses provider. Open-source software |
| SOV-6 | Technology | 15% | Strong | 100% open source. VSHN contributes to K8up (CNCF), Crossplane providers, Project Syn |
| SOV-7 | Security | 10% | Strong | ISO 27001, ISAE 3402 Type II, Swiss SOC. FINMA-regulated customers |
| SOV-8 | Environmental | 5% | Moderate | DC operators: Green Datacenter AG (ISO 22301/27001/27701), Exoscale sustainability. VSHN CSR policy |
Overall: SEAL-3 equivalent — the same level achieved by the winners of the EU's own sovereignty tender. No provider worldwide achieved SEAL-4, as it requires fully EU/EEA-sourced hardware supply chains and open-source foundations — structural gaps shared by every cloud provider.
Get a sovereignty assessment for your IAM setup
Concerned about your IAM provider's jurisdiction? We assess your sovereignty profile against the EU framework and plan a migration to sovereign Keycloak on Swiss infrastructure.