Zitadel Enterprise Cloud vs. Enterprise Self-Hosted
This article outlines the key differences between Zitadel Enterprise Cloud and Zitadel Enterprise Self-Hosted, and provides guidance on when your organization should opt for a self-hosted environment.
Choosing the right deployment model for your identity infrastructure is a critical decision that impacts security, compliance, and operational overhead. While ZITADEL provides the same powerful core software across all versions, the Enterprise offerings provide professional-grade support and licensing that go beyond the community version.
At a Glance: Comparison Table
| Feature | Zitadel Enterprise Cloud | Zitadel Enterprise Self-Hosted |
| --- | --- | --- |
| Management | Fully managed by Zitadel | Managed by your internal Ops/DevOps team |
| Infrastructure | ZITADEL’s shared/managed infrastructure | Your own data center, private cloud, or VPC |
| Licensing | Commercial License included | Commercial License (replaces AGPL) |
| Data Location | Selected regions | Any region or infrastructure worldwide |
| Updates | Automated and managed | Controlled by you (manual/automated) |
| Support | Enterprise SLA, Onboarding, and Technical Account Management | Enterprise SLA, Onboarding, and Technical Account Management |
| Isolation | Shared environment (Multi-tenant) | Full isolation (Single-tenant) |
Why Choose ZITADEL Enterprise Self-Hosted?
While Zitadel Cloud is the fastest way to get started, certain organizational requirements make Enterprise Self-Hosted the superior choice.
Eliminating Supply Chain Risk
By self-hosting, you remove Zitadel as a third-party sub-processor of your users' Personally Identifiable Information (PII).
In a self-hosted setup, ZITADEL staff have zero access to your infrastructure or data. This is often a requirement for organizations with strict compliance mandates or those operating in highly regulated industries.
Performance and the "Noisy Neighbor" Problem
In a shared SaaS environment, resources are distributed across multiple customers. While Zitadel Cloud uses sophisticated rate-limiting, quotas, and automatic scaling to ensure stability, high-scale applications may require dedicated performance. Self-hosting allows you to:
- Allocate dedicated CPU/Memory resources specifically for your IAM.
- Eliminate the risk of performance degradation caused by other users on a shared platform.
- Optimize database performance for your specific traffic patterns.
- Reduce latency by hosting Zitadel where your customers are.
Custom Data Residency and Locations
Zitadel Cloud offers hosting in specific geographic regions. If your legal requirements or user base demand data residency in a region where Zitadel Cloud is not yet present, self-hosting allows you to deploy Zitadel in any local data center or cloud region of your choice.
Air-Gapped and Regulated Systems
For government, defense, or high-security financial sectors, systems may need to operate in "air-gapped" environments with no connection to the public internet.
Self-hosted Zitadel can be deployed in completely isolated networks. Offline operation ensures identity services remain available even if your external internet connectivity is compromised.
Compliance with Specialized Regulatory Standards
While Zitadel Cloud adheres to industry-standard security practices and maintains certifications like SOC2 Type 2, certain sectors require highly specialized regulatory frameworks that a multi-tenant SaaS environment may not guarantee.
For example, organizations working with US federal agencies may require FedRAMP authorization, while others may need to comply with HIPAA under specific infrastructure configurations or localized government security standards (such as C5 in Germany or IRAP in Australia).
By opting for Enterprise Self-Hosted, you can deploy ZITADEL within your own pre-certified infrastructure. This allows you to inherit your own environment's compliance posture and maintain full control over the audit trails and security controls necessary to meet these rigorous mandates.
Moving Away from AGPL
Zitadel's community version is licensed under the AGPL (Affero General Public License), which is a "copy-left" license. For many enterprises, the requirements of AGPL are incompatible with their internal legal policies or proprietary software models.
An Enterprise Self-Hosted contract includes a commercial license that replaces the AGPL. This provides:
- Legal Certainty: Full freedom to integrate and modify without the reciprocal "open-source" obligations of AGPL.
- Corporate Approval: Peace of mind for legal departments that prefer traditional commercial terms over open-source copy-left licenses.
Summary: Which should you choose?
Choose Enterprise Cloud if you want a turnkey, worry-free solution where the creators of the software handle all maintenance, scaling, and security patches, while still receiving enterprise-grade support.
Choose Enterprise Self-Hosted if you require absolute control over your data sovereignty, need to operate in a specific region or air-gapped environment, want to eliminate "noisy neighbor" risks, or need to replace the AGPL license with a commercial one for legal compliance.