OneLogin EU Alternative 2026: One Identity Delaware Corp, CLOUD Act Exposure & EU-Native IAM
Post #3 in the sota.io EU Identity Management Series
Enterprise identity platforms are not utilities. They are the cryptographic backbone of your entire workforce: the system that knows every employee's identity attributes, every credential hash, every MFA secret, and every access entitlement across your SaaS estate. When a US law enforcement agency issues a CLOUD Act warrant against your identity provider, the result is not a routine data inquiry — it is the complete exposure of your organisation's authentication infrastructure.
OneLogin is one of Europe's most widely deployed mid-market cloud IAM platforms, popular with companies in the 200–5,000 employee range that want cloud-native SSO, adaptive MFA, and identity lifecycle management without the enterprise pricing of Okta or the on-premises complexity of PingFederate. It is also a platform with a troubling security history, a US private equity parent, and — since its 2021 acquisition by One Identity — a corporate structure that creates structural GDPR and CLOUD Act compliance problems that no data processing agreement can resolve.
This guide analyses OneLogin's ownership chain, CLOUD Act exposure, breach history, GDPR Art.28/46 implications, and presents every credible EU-native identity management alternative for organisations that must keep workforce identity data under European legal jurisdiction.
1. What Is OneLogin?
OneLogin was founded in 2009 in San Francisco, California, by brothers Thomas and Christian Pedersen, with the goal of simplifying cloud SSO for mid-market enterprises. Over fifteen years it evolved from a basic SAML gateway into a comprehensive cloud IAM suite:
- OneLogin SSO — cloud-based Single Sign-On via SAML 2.0, OAuth 2.0, and OIDC. Pre-built app catalogue with over 6,000 connectors. The core product.
- OneLogin MFA — adaptive multi-factor authentication. Push notifications, TOTP, biometrics, SMS (deprecated), hardware tokens, and WebAuthn/FIDO2.
- OneLogin Identity Lifecycle Management — automated provisioning and deprovisioning via SCIM and HR integrations (Workday, BambooHR, ADP). User joiner-mover-leaver workflows.
- OneLogin Desktop — desktop SSO and device trust for Windows and macOS. Certificate-based machine authentication.
- SmartFactor Authentication — AI-based risk scoring for adaptive authentication policies. Anomaly detection on login behaviour.
- OneLogin Protect — mobile MFA app for iOS and Android.
- Vigilance AI — threat intelligence engine for continuous risk monitoring across the identity plane.
- OneLogin Access — on-premises application access layer for legacy web apps that do not support modern federation protocols.
Pricing model (2024–2026):
- Starter — approximately €3–€4/user/month. SSO + basic MFA.
- Advanced — approximately €5–€7/user/month. Full MFA, lifecycle management, SmartFactor.
- Professional — approximately €8–€12/user/month. Advanced reporting, policies, API access.
- Enterprise — quoted. Custom SLA, dedicated support, advanced integrations.
Market position: OneLogin targets mid-market enterprises (200–5,000 employees) as a lower-cost alternative to Okta Workforce Identity. It is widely deployed in professional services, healthcare, retail, and technology companies across Western Europe, particularly in the UK, Germany, France, Benelux, and the Nordics. In 2023, one in ten Gartner Peer Insights reviews for Access Management came from OneLogin customers in the EMEA region.
2. The Ownership Problem: One Identity, Quest Software, and Francisco Partners
This is the compliance-critical section. The legal entity that operates OneLogin today is not the original San Francisco startup — it is the product of a private equity consolidation that placed it inside a US corporate structure with full CLOUD Act exposure.
2.1 The Acquisition Timeline
March 2021: One Identity LLC acquires OneLogin for an undisclosed amount. One Identity is a subsidiary of Quest Software — a large identity-focused software conglomerate that also owns Active Roles, Safeguard PAM, and KACE endpoint management.
January 2022: Francisco Partners, a San Francisco, California-based private equity firm, completes the acquisition of Quest Software (and therefore One Identity) from Clearlake Capital and other PE investors. The transaction values Quest at approximately $5.4 billion USD.
Current structure (2026):
Francisco Partners (San Francisco, CA — GP/LP fund structure, US jurisdiction)
└── Quest Software Inc. (Aliso Viejo, CA — Delaware incorporated)
    └── One Identity LLC (Aliso Viejo, CA — Delaware incorporated)
        └── OneLogin, Inc. (San Francisco, CA — Delaware incorporated)
            └── OneLogin Europe Ltd / regional EU subsidiaries (data processors)
Every entity in this chain above the EU regional subsidiaries is incorporated in Delaware or California, fully subject to US federal law, including the Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018 (18 U.S.C. § 2713).
2.2 CLOUD Act Mechanics for Identity Data
The CLOUD Act amended the Stored Communications Act to require US providers to disclose data within their possession, custody, or control in response to a valid US government order, regardless of where that data is physically stored. The EU data residency options OneLogin offers do not change this obligation.
For an IAM platform like OneLogin, this means:
| Identity Data Asset | CLOUD Act Exposure |
|---|---|
| User identity records (name, email, attributes) | ✅ Compellable |
| Password hashes and credential metadata | ✅ Compellable |
| MFA enrollment data (TOTP secrets, push tokens) | ✅ Compellable |
| Authentication logs (who logged in, from where, when) | ✅ Compellable |
| SSO session tokens (if retained by platform) | ✅ Compellable |
| SCIM provisioning data and HR-synced attributes | ✅ Compellable |
| Application access entitlements | ✅ Compellable |
| SmartFactor AI risk scores and behavioural profiles | ✅ Compellable |
What this means in practice: A US intelligence agency, law enforcement body, or civil litigant with appropriate legal process can compel One Identity to hand over the complete identity data of every employee in your EU organisation — their credentials, MFA secrets, access roles, and authentication history — without notifying you or your affected employees. GDPR Art.48 prohibits this disclosure except under narrow conditions that rarely apply. The result is a structural conflict between US law and EU data protection law that cannot be resolved by contractual means.
2.3 The SCCs/BCRs Problem
OneLogin, like all major US cloud providers, offers Standard Contractual Clauses (SCCs) as the Art.46 transfer mechanism for EU customer data. However, as the European Data Protection Board (EDPB) confirmed in its 2021 Recommendations 01/2020 on supplementary measures, SCCs are insufficient where US law can compel disclosure without judicial authorisation compatible with EU fundamental rights standards. The Schrems II ruling (Case C-311/18) applied this principle to the Privacy Shield framework; the same logic applies to providers in corporate structures subject to FISA 702 and CLOUD Act compelled disclosure.
The Francisco Partners/Quest/One Identity chain does not change this analysis. The relevant question is not whether OneLogin's EU subsidiary has signed SCCs — it is whether the US parent company, which controls the platform and infrastructure, can be compelled to access EU customer data. It can.
3. OneLogin's Security Incident History
Beyond the jurisdictional compliance problem, OneLogin has a documented history of significant security incidents that further elevate risk for EU customers.
3.1 The 2017 Data Breach
In May 2017, OneLogin disclosed that attackers had gained access to its AWS environment in the US-East-1 region and obtained access to customer data, including the ability to decrypt encrypted data. The breach exposed:
- Customer table data (names, emails, encrypted fields)
- AWS keys, OAuth tokens
- Access to customer data encrypted by OneLogin's own keys
The breach was unusual in that the attacker had been present in OneLogin's infrastructure for approximately seven hours before detection. OneLogin's post-incident disclosure was widely criticised for being vague about the scope of customer impact and the duration of attacker access.
GDPR implication (retroactive assessment): Under GDPR Art.33 (72-hour notification) and Art.34 (high-risk breach communication), a breach of this nature — credential material and encrypted identity data — would require notification to all affected data subjects and supervisory authorities. The 2017 incident predated GDPR enforcement, but it demonstrates the platform's historical exposure.
3.2 The 2022 Credential Compromise
In February 2022, OneLogin's customer support system was breached. An attacker obtained valid customer support credentials and gained access to OneLogin's internal tools, including the ability to query customer account data. OneLogin disclosed this incident in March 2022, acknowledging that the attacker could view customer account information including company name, contact name, email address, and configuration data.
In August 2022, a second, more severe incident occurred: a threat actor compromised a OneLogin development environment. OneLogin's initial disclosure was delayed; the company later confirmed that customer database tables were accessed and exfiltrated, including encrypted columns. Security researchers noted that the encryption key material was potentially accessible from the same compromised environment.
GDPR Art.32 relevance: These incidents suggest that OneLogin's technical and organisational security measures — specifically their environment separation between production customer data and development/support tooling — did not meet the standard of "appropriate technical measures" required by Art.32. EU supervisory authorities reviewing a GDPR Art.33 notification for a breach of this type would likely investigate whether the data processor met Art.32 obligations.
3.3 Breach Pattern Significance for IAM Platforms
Security incidents at non-IAM SaaS platforms are damaging. Security incidents at IAM platforms are existentially dangerous to every customer. When your HR system is breached, attackers may obtain payroll data. When your IAM platform is breached, attackers may obtain:
- The credentials or credential material for every user in your organisation
- The SSO tokens that provide access to every connected application
- The MFA enrollment data that provides the second factor for those credentials
- The provisioning data that reveals your entire application portfolio
OneLogin's breach history is directly relevant to the risk calculation for EU customers evaluating identity provider options under GDPR Art.32 and Art.28.
4. GDPR Risk Assessment
Based on corporate structure, data processing characteristics, breach history, and jurisdictional exposure, we assign OneLogin (One Identity) the following GDPR risk profile for EU enterprise customers:
| Risk Dimension | Score (0–5) | Rationale |
|---|---|---|
| Corporate jurisdiction (CLOUD Act) | 5/5 | Francisco Partners → Quest → One Identity → OneLogin: full US chain |
| FISA 702 / National Security Letter exposure | 4/5 | PE-owned, large US enterprise customer base increases NSA/FBI interest |
| Data residency adequacy | 2/5 | EU region available but CLOUD Act overrides physical location |
| Breach history (Art.32 TSM adequacy) | 4/5 | Two significant breaches (2017, 2022) both involving credential and customer data |
| SCCs/BCRs adequacy (post-Schrems II) | 2/5 | SCCs exist but insufficient given FISA 702/CLOUD Act exposure |
| Transparency and breach notification | 3/5 | 2022 disclosure criticised for delay; no EU DPA proactive engagement |
Composite GDPR Risk Score: 20/25 (HIGH)
For regulated sectors (banking under DORA, healthcare under NIS2 Art.21, critical infrastructure), the applicable risk threshold is lower. A score of 20/25 from an IAM vendor should be treated as a blocking compliance factor in regulated EU environments.
5. NIS2 and DORA Implications
NIS2 Article 21 — Technical and Organisational Measures
NIS2 requires that essential and important entities implement IAM as part of their cyber hygiene baseline (Art.21(2)(i)). More critically, Art.21(2)(d) requires supply chain security — including assessment of the security practices of direct suppliers. An IAM vendor with two significant credential breaches in the past seven years must be assessed under this supply chain security obligation.
NIS2 Art.32 makes management bodies personally liable for cybersecurity decisions. If a CTO or CISO selects an IAM vendor with a documented breach history and a known jurisdictional compliance gap, and a subsequent incident occurs, personal liability under Art.32(6) becomes a material risk.
DORA Article 28 — ICT Third-Party Risk Management
For EU financial entities subject to DORA (applicable from 17 January 2025), OneLogin qualifies as an ICT third-party service provider under Art.3(10). DORA Art.28 requires:
- A contractual agreement documenting the data classification and processing scope
- Exit strategy provisions and substitutability assessment
- Concentration risk assessment if the same provider is used across multiple business functions
- Right to audit provisions (Art.30(2)(d))
Practically: DORA-regulated entities must document why they chose OneLogin (or any US-jurisdiction IAM provider) over an EU-native alternative, including an assessment of whether the CLOUD Act exposure constitutes an "unacceptable concentration risk" under Art.28(2). Given the Francisco Partners ownership chain and breach history, documenting this choice compliantly is difficult.
6. EU-Native Identity Management Alternatives
For EU organisations that cannot accept the jurisdictional and security risk profile of OneLogin/One Identity, the following alternatives provide comparable functionality with European legal jurisdiction:
6.1 Keycloak (Open Source, Red Hat / Community)
Jurisdiction: Open-source project hosted by the Cloud Native Computing Foundation (CNCF). Primary enterprise distribution via Red Hat (IBM subsidiary, Armonk, NY — US jurisdiction for enterprise support). Self-hosted deployment eliminates cloud provider jurisdiction entirely.
Architecture: Self-hosted or managed. Java-based identity server. Supports SAML 2.0, OAuth 2.0, OIDC, LDAP, and Kerberos. Highly extensible via SPI plugins.
Capabilities:
- Full SSO and federation (SAML, OIDC)
- MFA: TOTP, WebAuthn/FIDO2, OTP via email/SMS
- User federation: LDAP/AD sync, Kerberos
- Fine-grained authorisation policies
- Social identity brokering
- Admin REST API and CLI
- Themes and custom login flows
Why it is relevant as a OneLogin replacement: Keycloak's feature set maps almost 1:1 to OneLogin's core offering — SSO, MFA, lifecycle management, app integrations. The critical difference is deployment model: Keycloak runs in your infrastructure (or EU-hosted managed Kubernetes), under your legal control, with no US company in the data processing chain.
EU hosting options: Deploy on EU-native PaaS (sota.io, Hetzner, OVHcloud, IONOS) for full jurisdiction control. Managed Keycloak offerings: Phase Two (UK, cloud-agnostic), Keycloak.X hosting on any EU-jurisdiction provider.
Limitations: Requires operational expertise. No managed SaaS equivalent to OneLogin's zero-ops model. Enterprise support via Red Hat requires assessment of IBM/US jurisdiction for support data.
GDPR Risk Score: 3/25 (self-hosted on EU infrastructure) — LOW
6.2 Zitadel (Swiss, Open Source)
Jurisdiction: ZITADEL is developed by CAOS AG, a Swiss corporation headquartered in Zurich, Switzerland. Cloud-hosted version (zitadel.cloud) runs on GCP — but Zitadel is designed for self-hosted deployment. Switzerland is not an EU member but has an EU adequacy decision (Commission Decision C(2000)1764).
Architecture: Go-based, cloud-native identity platform. Designed for Kubernetes. Multi-tenancy built-in. Event-sourced architecture for full audit trail. FIDO2/WebAuthn support from day one.
Capabilities:
- OIDC/OAuth 2.0 and SAML 2.0 federation
- Passkeys and FIDO2 (native, not bolted on)
- Machine-to-machine authentication (JWT profiles, service accounts)
- Multi-tenancy: one Zitadel instance, multiple organisations
- SCIM 2.0 for lifecycle management (in development)
- Role-based access control with custom actions
- Branding per tenant (white-label login)
Why it is relevant as a OneLogin replacement: Zitadel excels at modern authentication (passkeys, FIDO2) and multi-tenant architectures. For SaaS companies building EU-native identity into their product, or enterprises wanting a developer-friendly self-hosted IAM, Zitadel is the strongest option in the OneLogin replacement space.
EU hosting: Self-hosted on any EU-jurisdiction provider. No US cloud dependency if self-hosted.
GDPR Risk Score: 5/25 (self-hosted) — LOW
6.3 Authentik (German, Open Source)
Jurisdiction: Authentik is developed by Authentik Security Inc. — note: the company is Delaware-incorporated with operations in Germany. The open-source project (authentik) is MIT-licensed; self-hosted deployment eliminates the US corporate entity from data processing. Enterprise support subscriptions come from a US entity.
Architecture: Python/Django backend, React frontend. Proxy Provider for protecting legacy apps without native OIDC/SAML support. Very strong reverse proxy integration (Nginx, Traefik, Caddy).
Capabilities:
- SAML 2.0, OIDC, OAuth 2.0, RADIUS, SCIM
- Proxy Provider: protect any web application without modifying it (equivalent to OneLogin Access)
- LDAP outpost: expose authentik as an LDAP directory for legacy apps
- Password policy enforcement (complexity, breach-check via HaveIBeenPwned API)
- Multi-factor: TOTP, WebAuthn, SMS (via Twilio/custom)
- Blueprints: declarative configuration as code (YAML)
- Built-in audit trail and event log
Why it is relevant as a OneLogin replacement: Authentik's Proxy Provider is a direct functional replacement for OneLogin Access — it can protect legacy applications that do not support modern federation without requiring application modification. For organisations with a mixed portfolio of cloud SaaS and on-premises legacy apps, this is a key advantage.
EU hosting: Self-hosted. Docker Compose or Helm chart for Kubernetes. No US cloud dependency if self-hosted.
GDPR Risk Score: 4/25 (self-hosted) — LOW
6.4 Evidian (Atos/Bull, France)
Jurisdiction: Evidian is the IAM product line of Atos, a French IT services company headquartered in Bezons, France. Atos is listed on Euronext Paris (ATO). The Evidian brand covers IAM, PAM, and federation products developed entirely within the EU.
Capabilities:
- Evidian Web Access Manager (WAM) — enterprise SSO, SAML/OIDC federation, legacy app support
- Evidian Identity Governance and Administration (IGA) — role management, access certification, provisioning workflows
- Evidian MFA — adaptive authentication, smart card, PKI
- Evidian Enterprise SSO (ESSO) — Windows credential manager and password manager for thick-client apps
- Evidian SafeKit — high-availability clustering for on-premises deployments
Why it is relevant as a OneLogin replacement: Evidian is the most enterprise-grade EU-native IAM stack. For large organisations (1,000+ employees) in regulated sectors (finance, healthcare, defence, public sector) that need full IGA, WAM, and PAM with EU jurisdiction guarantees and a commercially supported vendor with DPA (Data Processing Agreement) under French law, Evidian is the primary choice.
GDPR Risk Score: 7/25 (managed by French-law entity) — LOW
6.5 Comparison Table: OneLogin vs EU-Native Alternatives
| Capability | OneLogin (One Identity) | Keycloak | Zitadel | Authentik | Evidian (Atos) |
|---|---|---|---|---|---|
| Cloud SaaS (zero-ops) | ✅ | ❌ (self-hosted) | ⚠️ (cloud on GCP) | ❌ (self-hosted) | ⚠️ (on-prem or Atos-hosted) |
| SAML 2.0 | ✅ | ✅ | ✅ | ✅ | ✅ |
| OIDC / OAuth 2.0 | ✅ | ✅ | ✅ | ✅ | ✅ |
| MFA (TOTP, FIDO2) | ✅ | ✅ | ✅ (FIDO2 native) | ✅ | ✅ |
| Passkeys / WebAuthn | ⚠️ (limited) | ✅ | ✅ (first-class) | ✅ | ✅ |
| App catalogue / pre-built connectors | ✅ (6,000+) | ⚠️ (manual SAML/OIDC) | ⚠️ (manual) | ⚠️ (manual) | ✅ (enterprise apps) |
| SCIM lifecycle management | ✅ | ✅ | ⚠️ (in progress) | ✅ | ✅ |
| Legacy app SSO (proxy/agent) | ✅ (OneLogin Access) | ⚠️ | ❌ | ✅ (Proxy Provider) | ✅ (WAM) |
| LDAP/AD federation | ✅ | ✅ | ✅ | ✅ | ✅ |
| GDPR risk score | 20/25 | 3/25 | 5/25 | 4/25 | 7/25 |
| Breach history | ⚠️ 2017, 2022 | ✅ none (self-hosted) | ✅ | ✅ | ✅ |
| EU jurisdiction | ❌ (US, Delaware corp.) | ✅ (self-hosted) | ✅ (CH adequacy) | ✅ (self-hosted) | ✅ (FR) |
| Commercial support (EU law) | ❌ | ✅ (Red Hat/EU resellers) | ✅ (CAOS AG, CH) | ⚠️ (US entity) | ✅ (Atos, FR) |
| Pricing model | SaaS subscription | Open source + support | Open source / cloud | Open source + enterprise | Enterprise licence |
7. Migration Strategy: OneLogin → EU-Native IAM
Migrating away from a cloud IAM platform is operationally complex because identity is the authentication dependency for every application in your estate. A migration requires careful sequencing to avoid locking users out of critical systems.
Phase 1: Inventory and Dependency Mapping (2–4 weeks)
Before any technical migration, export and map:
- Application inventory: Pull the full list of SAML/OIDC-connected applications from OneLogin's admin console. Document the entityID, metadata URL, and attribute mapping for each.
- User attributes: Export the user schema — which attributes are synced from HR/AD, which are set in OneLogin, and which are passed to applications in assertions.
- MFA enrollment state: Note which users have MFA enrolled and which authenticator types they use. TOTP seeds cannot be exported from OneLogin — users will need to re-enroll.
- Provisioning integrations: Document all SCIM provisioning flows, their direction (HR → OneLogin → apps or apps → OneLogin), and the authoritative source for each attribute.
- Policy inventory: Export all authentication policies, risk-based rules, and SmartFactor configurations. These will need to be recreated in the target platform.
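The application-inventory step above is easiest to do mechanically from each app's SAML SP metadata, which already carries the entityID, the assertion consumer endpoints, the NameID format and (where the app publishes one) the requested attribute list. The following is an added example, not OneLogin's, sota.io's or any IdP vendor's code. The two metadata documents it parses are constructed for two hypothetical apps; in practice each one is fetched from the metadata URL recorded for the app in the IdP admin console. The findings it raises (unsigned assertions, non-HTTPS ACS endpoint, no published attribute requirements) are the things that typically have to be resolved before an app is repointed to a new IdP.

```python
"""Phase 1 inventory helper: extract the fields the migration plan says to
document for each SAML-connected application (entityID, ACS endpoints,
NameID format, requested attributes) from the app's SP metadata.

Added example, not OneLogin's, sota.io's or any IdP's own code. The two
metadata documents below are CONSTRUCTED for hypothetical apps.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: metadata URL -> SP metadata XML.
SAMPLE_SP_METADATA: Dict[str, str] = {
    "https://wiki.example-corp.eu/saml/metadata": f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://wiki.example-corp.eu/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://wiki.example-corp.eu/saml/acs" index="0" isDefault="true"/>
    <md:AttributeConsumingService index="0">
      <md:RequestedAttribute Name="email" isRequired="true"/>
      <md:RequestedAttribute Name="groups" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""",
    "https://legacy-crm.example-corp.eu/metadata.xml": f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://legacy-crm.example-corp.eu">
  <md:SPSSODescriptor WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="http://legacy-crm.example-corp.eu/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""",
}


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract the inventory fields from one SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not an SP metadata document")
    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:AssertionConsumerService", NS)]
    nameid_formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]
    requested = [(a.get("Name"), a.get("isRequired") == "true")
                 for a in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "nameid_formats": nameid_formats,
        "acs": acs,
        "requested_attributes": requested,
    }


def findings(row: dict) -> List[str]:
    """Points to resolve before this app is repointed to the new IdP."""
    out: List[str] = []
    if not row["want_assertions_signed"]:
        out.append("WantAssertionsSigned is not true")
    for _binding, location in row["acs"]:
        if not (location or "").startswith("https://"):
            out.append(f"non-HTTPS AssertionConsumerService: {location}")
    if not row["requested_attributes"]:
        # Apps that publish no RequestedAttribute list still expect attributes;
        # the mapping then has to come from the current IdP's app configuration.
        out.append("no RequestedAttribute elements: take the attribute mapping "
                   "from the current IdP's app configuration")
    return out


def build_inventory(metadata_by_url: Dict[str, str]) -> List[dict]:
    """One inventory row per application, in input order."""
    rows = []
    for url, xml_text in metadata_by_url.items():
        row = parse_sp_metadata(xml_text)
        row["metadata_url"] = url
        row["findings"] = findings(row)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in build_inventory(SAMPLE_SP_METADATA):
        print(row["entity_id"], row["acs"], row["requested_attributes"], row["findings"])
```

Run it against the real metadata documents and the output becomes the per-app inventory sheet for Phase 1; the rows with findings are the apps to schedule late in the Phase 3 waves, since they need application-side changes, not just a metadata swap.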
Phase 2: Target Platform Deployment and Pilot (4–8 weeks)
Deploy the target IAM platform (Keycloak, Zitadel, or Authentik) in parallel with OneLogin:
- Infrastructure deployment: Deploy on EU-native PaaS (sota.io, Hetzner, OVHcloud). Use Kubernetes Helm charts for production-grade deployment with HA.
- Directory federation: Connect the target IAM to your LDAP/AD or HR system. Verify that user attributes are syncing correctly.
- Application migration (pilot group): Migrate 2–3 non-critical applications first. Reconfigure their SAML/OIDC metadata to point to the new IdP. Test authentication flows end-to-end.
- MFA re-enrollment: Plan a re-enrollment campaign for MFA. TOTP seeds from OneLogin cannot be exported — all users will need to re-enroll their authenticator apps.
- Monitoring: Set up authentication audit logging on the new platform. Verify that login events, MFA challenges, and provisioning actions are captured.
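The monitoring step is only done when you have checked that the three event classes it names (login events, MFA activity, provisioning actions) actually appear in the new platform's audit stream during the pilot. The following is an added example, not Keycloak's, OneLogin's or sota.io's code. The sample records are constructed in the shape of Keycloak's user events (type, userId, ipAddress, error) and admin events (operationType, resourceType); that shape and the event-type-to-category mapping are assumptions, and for Zitadel or Authentik the categorise() function would be adapted to their event names. As a side benefit of reading the same stream, it also surfaces a source address with repeated login failures, which is the kind of signal you want to confirm the new platform's logging makes visible before cutover.

```python
"""Cutover readiness check for the monitoring step: confirm the new IdP's
audit stream contains login, MFA and provisioning events, and surface
repeated login failures from one source while both IdPs run in parallel.

Added example, not Keycloak's, OneLogin's or sota.io's code. The records
below are CONSTRUCTED in the shape of Keycloak user events and admin events
(an assumption; adjust categorise() for Zitadel or Authentik).
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Constructed sample audit stream, one JSON record per line.
SAMPLE_EVENTS = """
{"time": 1700000000000, "type": "LOGIN", "realmId": "corp", "clientId": "wiki", "userId": "u-101", "ipAddress": "10.0.0.5"}
{"time": 1700000010000, "type": "UPDATE_TOTP", "realmId": "corp", "clientId": "account", "userId": "u-101", "ipAddress": "10.0.0.5"}
{"time": 1700000020000, "type": "LOGIN_ERROR", "realmId": "corp", "clientId": "wiki", "userId": "u-202", "ipAddress": "203.0.113.9", "error": "invalid_user_credentials"}
{"time": 1700000021000, "type": "LOGIN_ERROR", "realmId": "corp", "clientId": "wiki", "userId": "u-202", "ipAddress": "203.0.113.9", "error": "invalid_user_credentials"}
{"time": 1700000022000, "type": "LOGIN_ERROR", "realmId": "corp", "clientId": "crm", "userId": "u-203", "ipAddress": "203.0.113.9", "error": "invalid_user_credentials"}
{"time": 1700000100000, "operationType": "CREATE", "resourceType": "USER", "resourcePath": "users/u-303", "realmId": "corp"}
{"time": 1700000110000, "operationType": "DELETE", "resourceType": "USER", "resourcePath": "users/u-404", "realmId": "corp"}
"""

# The three classes the migration plan says must be captured before cutover.
REQUIRED_CATEGORIES = {"login", "mfa", "provisioning"}

# Assumed event-type mapping for a Keycloak-shaped stream.
LOGIN_TYPES = {"LOGIN", "LOGIN_ERROR", "LOGOUT"}
MFA_TYPES = {"UPDATE_TOTP", "REMOVE_TOTP"}  # extend for WebAuthn/passkey events
PROVISIONING_OPS = {"CREATE", "UPDATE", "DELETE"}


def categorise(ev: dict) -> Optional[str]:
    """Map one raw record to a required category, or None if irrelevant."""
    if "operationType" in ev:  # admin event: lifecycle action on a resource
        if ev.get("resourceType") == "USER" and ev["operationType"] in PROVISIONING_OPS:
            return "provisioning"
        return None
    event_type = ev.get("type", "")
    if event_type in LOGIN_TYPES:
        return "login"
    if event_type in MFA_TYPES:
        return "mfa"
    return None


def parse_events(text: str) -> List[dict]:
    """Parse a newline-delimited JSON audit export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def coverage_report(events: List[dict], error_threshold: int = 5) -> Dict:
    """Count events per category, list missing categories, and flag source
    addresses with at least error_threshold failed logins."""
    counts: Counter = Counter()
    failures: Dict[str, int] = defaultdict(int)
    for ev in events:
        category = categorise(ev)
        if category:
            counts[category] += 1
        if ev.get("type") == "LOGIN_ERROR":
            failures[ev.get("ipAddress", "unknown")] += 1
    missing = sorted(REQUIRED_CATEGORIES - set(counts))
    return {
        "counts": dict(counts),
        "missing": missing,
        "noisy_sources": sorted(ip for ip, n in failures.items() if n >= error_threshold),
        "ready": not missing,
    }


if __name__ == "__main__":
    print(coverage_report(parse_events(SAMPLE_EVENTS), error_threshold=3))
```

A pilot that produces no MFA events after users have re-enrolled, or no provisioning events after the SCIM flow has been switched, means the audit configuration is incomplete, and that should block the cutover in Phase 3 rather than be discovered during the first incident on the new platform.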
Phase 3: Full Cutover (2–4 weeks)
- Application migration (all apps): Migrate remaining applications wave by wave. For each app: update metadata, test, verify.
- Provisioning cutover: Switch SCIM provisioning flows to the new platform. Verify joiners/movers/leavers are processed correctly.
- OneLogin decommission: After all apps and users are migrated and the new platform has been in production for 2+ weeks, disable OneLogin. Retain read-only access to logs for the contractual retention period.
- GDPR records update: Update your Art.30 records of processing activities and Art.28 data processing agreements to reflect the new processor.
Estimated Timeline: 8–16 weeks for a 500-employee organisation with 50–100 connected applications.
8. The sota.io Deployment Advantage
If you are deploying a self-hosted IAM platform (Keycloak, Zitadel, or Authentik) as your OneLogin replacement, the infrastructure choices matter for your GDPR compliance posture. Deploying on a US-jurisdiction cloud provider (AWS, Azure, GCP) reintroduces CLOUD Act exposure through the infrastructure layer.
sota.io is a European Platform-as-a-Service built specifically for EU-jurisdiction application hosting. Deploying your Keycloak or Authentik instance on sota.io means:
- Infrastructure jurisdiction: All compute, storage, and network in EU member state data centres
- Legal entity: EU-incorporated operator with DPA under EU GDPR
- No CLOUD Act exposure: Non-US infrastructure, non-US corporate chain
- IAM-ready: Kubernetes-native deployment, Helm chart support, persistent volume for Keycloak/PostgreSQL, automatic TLS
- Operational simplicity: Managed Kubernetes without the ops burden — the zero-ops advantage of SaaS, with the jurisdictional control of self-hosted
For organisations migrating from OneLogin who want to avoid re-introducing US infrastructure dependencies, sota.io provides the EU-compliant hosting layer for their self-hosted IAM replacement.
9. Summary: Should EU Organisations Use OneLogin?
The answer depends on your regulatory context and risk tolerance:
For unregulated organisations: OneLogin is a capable, mid-market IAM platform with good UX and a large app catalogue. The jurisdictional risk exists but may be within acceptable tolerance if identity data is not considered high-sensitivity.
For organisations subject to GDPR (all EU processors and controllers): The CLOUD Act exposure via the Francisco Partners → Quest Software → One Identity chain is a real, documented compliance risk that SCCs do not adequately mitigate. The 2017 and 2022 breach history raises Art.32 TSM adequacy concerns. A DPIA under Art.35 should be conducted before deployment or renewal.
For regulated EU entities (NIS2 essential/important entities, DORA financial entities, HIPAA-equivalent healthcare): OneLogin should not be deployed without documented justification of why EU-native alternatives were assessed and rejected. The combination of CLOUD Act exposure, breach history, and US PE ownership creates a compliance burden that is difficult to document compliantly.
For public sector and defence: OneLogin is not an appropriate IAM platform for systems processing classified, restricted, or sensitive national data. EU-native alternatives (Evidian, Keycloak on EU infrastructure) are required.
The EU-native IAM market has matured significantly in the past five years. Keycloak, Zitadel, and Authentik collectively cover the full feature set of OneLogin for organisations willing to invest in self-hosted deployment. Evidian covers the enterprise and regulated sector requirements with commercial support under EU law. The migration is operationally complex but technically achievable — and increasingly necessary as EU supervisory authorities sharpen enforcement of cross-border data transfer obligations.
sota.io is an EU-native Platform-as-a-Service. EU companies building or migrating identity infrastructure can deploy Keycloak, Zitadel, and Authentik on sota.io for full EU-jurisdiction IAM hosting without CLOUD Act exposure.