Which security and privacy certifications or attestations does Zitadel maintain?
A comprehensive overview of our compliance frameworks, security attestations, and international privacy standards.
Our security and compliance framework is built on formal framework alignments, independent third-party audits, and continuous controls monitoring.
Core Security Certifications & Attestations
ISO/IEC 27001:2022 Certification
ZITADEL maintains an official ISO/IEC 27001:2022 certification. Certification against this globally recognized standard validates our Information Security Management System (ISMS), confirming that our processes, operations, and technical controls meet international best practice for information security and data protection management.
SOC 2 Type II Attestation
ZITADEL holds an independent SOC 2 Type II attestation. Assessed against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), a Type II report covers the operating effectiveness of ZITADEL's controls over a prolonged observation window, rather than only their design at a single point in time as a Type I report would.
HIPAA Compliance & BAA Support
ZITADEL supports healthcare and digital health applications by maintaining validated controls aligned with the Health Insurance Portability and Accountability Act (HIPAA). Note that there is no government-issued HIPAA certification; compliance rests on implemented safeguards and contractual commitments. For enterprise customers who need to process Protected Health Information (PHI) within ZITADEL Cloud, we are committed to executing Business Associate Agreements (BAAs).
OpenSSF Best Practices
Demonstrating our commitment to open-source software security, ZITADEL has earned the OpenSSF (Open Source Security Foundation) Best Practices badge. The badge is a self-assessment against the published OpenSSF criteria, covering secure coding practices, vulnerability reporting and management, and open-source project lifecycle standards.
Data Privacy & International Regulatory Alignment
GDPR & UK GDPR Compliance
As a company born in Switzerland with operations globally, ZITADEL strictly complies with the European Union General Data Protection Regulation (EU GDPR) and the UK GDPR. Data privacy is central to our platform’s design. We offer:
- Data Processing Agreements (DPAs) that establish clear data protection obligations.
- Data Transfer Impact Assessments (DTIAs) to evaluate and mitigate the risks of international data transfers.
- Strict regional isolation and designated data-residency compliance options on ZITADEL Cloud.
CCPA (California Consumer Privacy Act)
ZITADEL is fully compliant with the California Consumer Privacy Act (CCPA), ensuring that we respect the privacy rights of California residents and provide the necessary controls to manage and protect consumer data.
Data Privacy Framework (DPF)
To ensure seamless, legal cross-border data transfers, ZITADEL self-certifies under the EU-U.S. Data Privacy Framework (DPF) and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce.
- This self-certification binds ZITADEL to the DPF Principles for personal data transferred from the EU/EEA, the UK (via the UK Extension to the EU-U.S. DPF), and Switzerland to the U.S.
- ZITADEL has registered with JAMS (Judicial Arbitration and Mediation Services) as its independent recourse mechanism (IRM) for resolving data privacy complaints that cannot be settled directly with us.
Core Security & Compliance Commitments
Beyond standard certifications, ZITADEL relies on operational safeguards to maintain a defense-in-depth posture:
- Annual Audits and Recertifications: We are committed to undergoing comprehensive annual audits and formal recertifications of our entire compliance program to ensure our security controls evolve alongside emerging global threats.
- Continuous Monitoring: We use Vanta to establish real-time connections to our core systems, ensuring our organizational and technological security controls are continuously monitored and tracked.
- Regular Penetration Testing: ZITADEL undergoes comprehensive third-party penetration testing annually to identify, evaluate, and mitigate potential system vulnerabilities.
- Infrastructure Isolation: ZITADEL Cloud data is hosted securely on Google Cloud Platform (GCP) across customer-designated regional perimeters (including the US, EU, Switzerland, and Australia) to honor data sovereignty.
Accessing Security Documentation & Policies
We believe in full security transparency. Customers and evaluating enterprises can visit ZITADEL's interactive Trust Center to learn more about our posture or directly request access to sensitive compliance materials.
Available materials in our Trust Center include:
- ISO/IEC 27001:2022 Certificate & Statement of Applicability (SoA)
- SOC 2 Type II Audit Reports
- Latest Third-Party Penetration Test Results
- Information Security, Incident Response, and Business Continuity Policies
- Data Processing Agreement (DPA) templates
Visit the ZITADEL Trust Center to request compliance documentation.