Understanding ZITADEL’s Corporate Structure and Contractual Entities
A guide to ZITADEL’s global entities (ZITADEL Inc. and CAOS AG), governing laws, and international data privacy compliance.
At ZITADEL, we operate as a global company to best serve our community and customers worldwide. Because our corporate headquarters are in the United States while our core cloud operations are tied to Switzerland, we occasionally get questions about which entity you will be contracting with and how legal frameworks apply.
This article clarifies our corporate setup, identifies your exact contractual partner, and explains our compliance frameworks.
Our Corporate Structure: ZITADEL Inc. & CAOS AG
To understand our legal setup, it helps to look at the relationship between our two entities:
- The Parent Company (HQ): ZITADEL Inc. is incorporated in San Francisco, USA. This is our global headquarters and the ultimate parent company.
- The Subsidiary (Operating Entity): CAOS AG is our established operating entity in Switzerland. ZITADEL Inc. owns CAOS AG.
Who is Your Contractual Partner?
Your contracting entity depends on how you use ZITADEL (Cloud vs. Enterprise) and where your company is located:
ZITADEL Cloud Customers (Global)
All self-service customers who subscribe to the ZITADEL Cloud Service contract directly with our Swiss entity, regardless of where in the world they are located.
- Contracting Entity: CAOS AG (Switzerland)
- Applicable Law: Swiss Law
Enterprise Customers
For custom Enterprise agreements, the contracting entity is determined by your region:
- Enterprise Customers in the US: You contract directly with our US entity.
  - Contracting Entity: ZITADEL Inc. (USA)
  - Applicable Law: US Law (State-specific per agreement)
- Enterprise Customers in the Rest of the World (RoW): You contract with our Swiss entity.
  - Contracting Entity: CAOS AG (Switzerland)
  - Applicable Law: Swiss Law
Data Privacy, Compliance, and International Data Transfers
Navigating international data privacy regulations is a strategic priority for modern businesses. Our corporate structure is explicitly designed to meet strict global compliance standards, including the GDPR.
- Governed by our DPA: Regardless of which entity you contract with, all customer data processing is strictly regulated by our Data Processing Agreement (DPA).
- Data Privacy Framework (DPF) Certification: ZITADEL is self-certified under the Data Privacy Framework (DPF). This provides an adequacy decision under the GDPR regarding transatlantic data transfers, ensuring that data moving between our entities or to US-based systems remains fully compliant with European and Swiss privacy standards.
- Dual Regulatory Compliance: Because our parent company is based in the US, we adhere strictly to US regulatory requirements. Simultaneously, for all contracts under CAOS AG, we fully comply with Swiss and European data protection laws.
Quick Reference Summary
| Customer Type | Location | Contracting Entity | Governing Law |
| --- | --- | --- | --- |
| All Cloud Customers | Global (Anywhere) | CAOS AG (Switzerland) | Swiss Law |
| Enterprise Customers | United States | ZITADEL Inc. (USA) | US Law |
| Enterprise Customers | Rest of the World | CAOS AG (Switzerland) | Swiss Law |
Note on Data Protection: All customer data, regardless of the contract type or entity, is protected under our DPA and covered by our DPF self-certification for GDPR-compliant international data transfers.
If your legal or compliance team requires further documentation—such as our custom DPA or DPF certification details—please check our Legal & Compliance Documentation or reach out to your account manager.