EU General Data Protection Regulation
GDPR-compliant identity and authentication infrastructure
Identity platforms process personal data by definition: usernames, email addresses, authentication history, session data, and sometimes sensitive attributes. We ensure Keycloak, Authentik, and Zitadel run on infrastructure that meets GDPR requirements for identity processors.
What is the GDPR?
Any system that manages user accounts processes personal data under GDPR. Identity providers and SSO platforms are particularly sensitive: they hold authentication credentials, access histories, role assignments, and sometimes attributes that constitute special categories. Getting the legal basis right matters.
In force since: 25 May 2018
Scope: any organisation processing EU personal data
Max fine: €20M or 4% of global turnover
Breach reporting: 72 hours
Key GDPR obligations for identity platforms
Identity providers process personal data at the foundation of your stack. Six articles govern what you must do; below is how our managed infrastructure handles each one.
Art. 5 — Principles of processing
Authentication data must be collected only for authentication purposes, not shared with third parties, and deleted when no longer needed. Inactive user pruning policies and attribute minimization are part of GDPR-compliant identity management.
Art. 6 — Lawful basis
Authentication data is typically processed on the basis of contract (Art. 6(1)(b)) — the user has agreed to your terms of service. For employee SSO, legitimate interest (Art. 6(1)(f)) is appropriate. We can help document the correct basis for each use case.
Art. 17 — Right to erasure
Users have the right to request deletion of their accounts and associated data. Our managed identity platforms support full user deletion workflows — including cascade deletion of sessions, tokens, and stored attributes.
Art. 28 — Data Processor
We act as your data processor for all identity and authentication data. Our DPA covers the specific sub-processors involved in hosting your identity provider. No user data is shared beyond what you configure.
Art. 32 — Security of processing
Identity providers are high-value targets. We run managed deployments with dedicated resources per tenant, encrypted storage, TLS everywhere, and regular vulnerability assessments — reducing the attack surface that GDPR Art. 32 demands you manage.
Art. 33 — Breach notification
A breach of your identity provider affects every user with access. We monitor for unauthorized access and notify you within 72 hours of any detected incident so you can meet your supervisory authority reporting deadline.
Identity data — where security and privacy intersect
Identity systems are simultaneously security infrastructure and high-risk personal data processors. GDPR applies to every user account, every login event, every token issued.
- Art. 17 deletion flows: when a user requests erasure, token revocation, session invalidation, and attribute deletion must all happen — our managed platforms support this
- Art. 20 portability: users can request their identity data in a portable format — export functionality is available across all managed platforms
- Art. 5(e) storage limitation: configure automated deprovisioning of inactive accounts to stay compliant without manual intervention
What we provide for GDPR compliance
- Data Processing Agreement (DPA) on request
- EU data residency — Nuremberg (primary) + Falkenstein (DR)
- Audit logs retained and exportable
- Data export on request (Art. 20 portability)
- Data deletion on request (Art. 17 erasure)
- 72-hour breach notification to you (Art. 33)
- Encrypted backups stored within the EU
- Sub-processor list available on request
Your GDPR-compliant identity stack
Five managed identity platforms — deployed with EU data residency, full DPA coverage, and deletion workflows built in.
Keycloak (IAM / SSO): Enterprise SSO & IAM — open source, fully managed
Authentik (IAM / SSO): Modern open-source SSO — flow-based, developer-friendly, fully managed
Zitadel (IAM / SSO): Cloud-native IAM built for modern SaaS and developer teams
Kanidm (Modern LDAP / IAM): Modern Rust-based IAM — built for security and simplicity
LLDAP (Lightweight LDAP): Lightweight LDAP — simple user directory for teams that don't need complexity
Questions about GDPR and identity management?
Request our DPA, ask about user deletion workflows, or discuss lawful basis for your specific use case. We'll respond within one business day.