Understanding the Zitadel Shared Responsibility Model: Cloud vs. Self-Hosted
A comprehensive guide to the division of security, operational, and infrastructure duties.
In any modern Identity-as-a-Service (IDaaS) framework, security is a collaborative effort. Whether you choose the fully managed ZITADEL Cloud or the high-control Self-Hosted (Enterprise) path, understanding where your responsibilities end and ZITADEL’s begin is critical for compliance and operational excellence.
The Managed Path: ZITADEL Cloud
ZITADEL Cloud is designed for teams that want to focus on their core product rather than infrastructure management. In this model, ZITADEL acts as a service provider, handling the "heavy lifting" of the platform's availability and core security.
- ZITADEL’s Role: We manage the underlying infrastructure, including networking, compute scaling, database performance, and platform-level security (DDoS mitigation and WAF). We also handle daily backups and software updates.
- Your Role: You remain the owner of your data, applications, and user access policies. While we provide trial services for SMTP and SMS, you are responsible for configuring production-grade communication providers and for managing your own custom domains and their TLS certificates.
The Sovereign Path: ZITADEL Self-Hosted
Self-hosting (Enterprise license) is preferred by organizations that need absolute control over their data residency or wish to eliminate ZITADEL as a sub-processor of personal information.
- ZITADEL’s Role: ZITADEL provides the software, maintains the application code, and delivers enterprise-level support. We ensure the software is built to scale and to be secure.
- Your Role: You take full ownership of the environment. This includes the cost and operation of the infrastructure, setting up your own DDoS/WAF protections, managing backups (and testing restores), and ensuring the availability of the database and networking layers.
Responsibility Comparison Matrix
The following table breaks down the division of duties based on your chosen deployment type.
| Responsibility | Cloud | Self-Hosted |
|---|---|---|
| Data / Information | Customer | Customer |
| User Access | Customer | Customer |
| SMTP Service | Customer (trial: ZITADEL) | Customer |
| SMS Service | Customer (trial: ZITADEL) | Customer |
| Custom Domain / TLS | Customer (trial: ZITADEL) | Customer |
| DDoS & Bot protection | ZITADEL | Customer |
| WAF / Threat detection | ZITADEL | Customer |
| Backup | ZITADEL | Customer |
| Networking | ZITADEL | Customer |
| Compute / Scaling | ZITADEL | Customer |
| Database | ZITADEL | Customer |
| Application | ZITADEL | ZITADEL |
Key Differences
Infrastructure & Security
In the Cloud model, ZITADEL manages the "security of the cloud": protecting the service from large-scale network attacks, patching the platform, and keeping the underlying compute and database healthy. You retain the "security in the cloud": your data, your user access policies, and the configuration of your own domains and communication providers. In a Self-Hosted model, you own both layers, meaning you must also provide your own firewalls, load balancers, DDoS/WAF protection, and monitoring tools.
Communication Providers (SMTP/SMS)
One common misconception is that ZITADEL handles all user communications.
In Cloud: We provide default SMTP/SMS services to help you get started quickly, but these are rate-limited. For production, you must bring your own provider (e.g., SendGrid, Twilio).
In Self-Hosted: No default providers are included; you must configure these from day one.
Backups and RPO/RTO
ZITADEL Cloud guarantees a Recovery Point Objective (RPO) of 1 hour and a Recovery Time Objective (RTO) aimed at minimal downtime during disasters. In a self-hosted environment, these metrics are entirely dependent on your own internal IT operations: the RPO you actually achieve is the longest interval between successful backups (plus the time since the most recent one), and the RTO is only as good as a restore procedure you have rehearsed.
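For the self-hosted path, the check a practitioner wants is whether the backup schedule actually meets a chosen RPO. The script below is an added example, not ZITADEL's own tooling; it assumes an operator can export the completion timestamps of successful backups (from a job log or bucket listing) and measures the worst gap between consecutive backups as well as the current exposure since the last one. The sample timestamps are constructed and include a skipped run.

```python
from datetime import datetime, timezone

# Constructed sample: completion times of successful backups, UTC.
# The 03:00 run is missing, so the 02:00 -> 04:30 gap is 2.5 hours.
SAMPLE_BACKUPS = [
    "2024-05-01T00:00:00Z",
    "2024-05-01T01:00:00Z",
    "2024-05-01T02:00:00Z",
    "2024-05-01T04:30:00Z",
    "2024-05-01T05:00:00Z",
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp like 2024-05-01T00:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rpo_report(backup_times, rpo_hours, now):
    """Check a list of backup completion timestamps against an RPO target.

    Returns a dict with:
      worst_gap_hours: the largest interval without a backup, including the
                       open interval from the last backup until `now`
      violations:      list of (start, end) timestamp pairs exceeding the RPO
      ok:              True when no interval exceeds the RPO
    With no backups at all, the whole period up to `now` counts as lost data.
    """
    times = sorted(parse_ts(t) for t in backup_times)
    now_dt = parse_ts(now)

    if not times:
        return {"worst_gap_hours": float("inf"),
                "violations": [(None, now)],
                "ok": False}

    # Consecutive gaps between backups, plus the trailing exposure window.
    intervals = []
    for prev, cur in zip(times, times[1:]):
        intervals.append((prev, cur))
    intervals.append((times[-1], now_dt))

    def hours(a, b):
        return (b - a).total_seconds() / 3600.0

    worst = max(hours(a, b) for a, b in intervals)
    violations = [
        (a.strftime("%Y-%m-%dT%H:%M:%SZ"), b.strftime("%Y-%m-%dT%H:%M:%SZ"))
        for a, b in intervals
        if hours(a, b) > rpo_hours
    ]
    return {"worst_gap_hours": worst, "violations": violations, "ok": not violations}


if __name__ == "__main__":
    # Evaluate the constructed schedule against a 1-hour RPO at 05:30 UTC.
    report = rpo_report(SAMPLE_BACKUPS, 1.0, "2024-05-01T05:30:00Z")
    print(f"worst gap: {report['worst_gap_hours']} h, ok={report['ok']}")
    for start, end in report["violations"]:
        print(f"  RPO exceeded between {start} and {end}")
```

Run it after each backup cycle with `now` set to the current time; a violation in the trailing interval means you are currently exposed beyond your RPO, not just that a past run was missed.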