Data sovereignty with Keycloak

loginfactor operates Managed Keycloak either on-premises in your infrastructure or in ISO 27001-certified EU-based data centers. For maximum data sovereignty we recommend EU cloud providers or on-premises - on request we can also deploy Keycloak in EU regions of AWS, Azure or Google Cloud. All contracts contain clear rules on data locations. Keycloak instances, databases, backups and logs remain exclusively within the EU. loginfactor provides transparency on sub-processors and data location policies.

loginfactor guarantees portability through standardized database dumps (PostgreSQL, MySQL) and by providing the relevant custom extensions. You receive full access to: realm configurations (exported as JSON) and the user database including password hashes. Optionally, we actively support the move from loginfactor SaaS to on-premises or your own cloud: migration runbooks, technical transition support and validation of the new environment. The goal is an orderly transfer of data and configuration without vendor lock-in.

Yes. loginfactor supports moves between operating models as part of projects. Switches are possible between: loginfactor SaaS (EU-based data centers) to on-premises, loginfactor SaaS to your own cloud (AWS, Azure, Google Cloud), and on-premises to loginfactor SaaS. We have experience with different migration strategies and plan the technical implementation together with you: database migration, configuration transfer, test phases and production cutover. loginfactor supports you throughout the process and ensures the changeover is predictable with minimal downtime.

Keycloak is a fully standards-based identity provider (IdP) and supports open protocols: OpenID Connect (OIDC), OAuth 2.0, SAML 2.0. This guarantees interoperability and avoids vendor lock-in through proprietary APIs. Integrations include identity brokering (federation to existing IdPs such as Microsoft Entra ID/Azure AD, Okta, Google Workspace), LDAP/Active Directory synchronization, API gateways (Kong, Traefik, NGINX) and enterprise apps (SAP, Salesforce, ServiceNow). loginfactor additionally implements custom SPIs (Service Provider Interfaces) for specific integration requirements. All configurations are portable and can be transferred to other Keycloak instances.

Yes. Keycloak is 100%% open source (Apache License 2.0) and publicly available on GitHub. The entire source code is auditable - security fixes, feature implementations and architecture decisions are transparent and community-driven. This avoids the black-box risks of proprietary IAM systems. loginfactor uses official Keycloak sources and delivers custom extensions as separate modules. For maximum sovereignty, you can audit the Keycloak source code yourself or have it reviewed by third parties.