Trust & Availability
Plan for failure
Trust, security, integrity, and availability are core values for us. So that ZITADEL is available to you at all times, we have designed it from scratch for geo-redundant operation.
Swissness/Swiss Data Region
By default, ZITADEL stores your data in Switzerland. Storing data in other regions or globally is optional and is recommended where there is an increased demand for availability or where customers operate internationally.
CAOS AG is an owner-operated public limited liability company based in Switzerland.
In order to win and retain the trust of our customers we rely on a very high level of transparency, at the level of the processes, tools and providers that we use as well as in the product development we strive for. The ZITADEL source code is therefore completely open source and may be used.
All providers involved in the provision of our services, and the services we obtain from them, are listed below.
Wherever possible, we believe that open standards should be used, and we are involved in the relevant specialist committees. We are a member of the OpenID Foundation and have good contacts with the IAM section of the eCH association, as well as with the FIDO Alliance and its manufacturers.
In order to operate ZITADEL as securely as possible we depend on purchasing services from third parties. All suppliers are carefully checked. Most providers are ISO 27001 certified, which gives us assurance about the operational infrastructure in particular.
High availability strategy
Whenever possible, all components and providers are designed with a redundancy level of 3 so that the failure of an entire data center can be compensated for. Customers who do not explicitly assign their data to a region also enjoy redundancy at the region level: even if a complete region becomes unavailable, the ZITADEL service stays online.
In order to ensure maximum security we follow a set of principles when developing and operating ZITADEL. These help us to provide our customers with a safe and transparent product. A short extract of these principles:
- All communication is encrypted with TLS >1.2 with PFS (perfect forward secrecy)
- Critical data is stored encrypted in the storage
- Passwords are stored irreversibly with a hash function (bcrypt)
- Established cryptographic functions are used
- We scan our code for vulnerabilities
- Our container images are examined for vulnerabilities
- An automatic system is used to keep dependencies up to date
- Our systems can operate behind a CDN/DDoS mitigation service
- Secrets are automatically rotated whenever possible (signing keys, etc.)
- A responsible disclosure process
- A bug bounty program
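The TLS principle above (minimum protocol version plus forward-secret key exchange) is the kind of setting that is easy to state and easy to get subtly wrong in a server configuration. The following Go example, added here for illustration and not taken from ZITADEL's own code base, builds a hardened `crypto/tls` configuration and audits an arbitrary config for cipher suites that lack forward secrecy. The function names `HardenedTLSConfig`, `ProvidesPFS` and `Audit` are assumptions chosen for this example; the TLS constants are the Go standard library's.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// HardenedTLSConfig returns a server-side TLS configuration (example
// code, not ZITADEL's) that refuses anything below TLS 1.2 and, for
// TLS 1.2, offers only ECDHE suites so every session key is ephemeral
// (perfect forward secrecy). TLS 1.3 suites are not listed: Go always
// uses an ephemeral (EC)DHE exchange for TLS 1.3 and ignores the list.
func HardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// ProvidesPFS reports whether a TLS 1.2 cipher suite uses an ephemeral
// key exchange. Static RSA key exchange ("TLS_RSA_...") protects the
// session key with the certificate's long-term private key, so a later
// compromise of that key exposes previously recorded traffic; ECDHE
// suites derive a fresh key per session and do not have that weakness.
func ProvidesPFS(suiteID uint16) bool {
	name := tls.CipherSuiteName(suiteID)
	return strings.HasPrefix(name, "TLS_ECDHE_")
}

// Audit checks every suite explicitly listed in cfg and returns the
// names of those that do not provide forward secrecy. An empty result
// means the configuration honours the PFS principle.
func Audit(cfg *tls.Config) []string {
	var weak []string
	for _, id := range cfg.CipherSuites {
		if !ProvidesPFS(id) {
			weak = append(weak, tls.CipherSuiteName(id))
		}
	}
	return weak
}

func main() {
	// Constructed "legacy" config for comparison: one static-RSA suite
	// slipped into the list next to a forward-secret one.
	legacy := &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
	fmt.Println("hardened config, non-PFS suites:", Audit(HardenedTLSConfig()))
	fmt.Println("legacy config, non-PFS suites:  ", Audit(legacy))
}
```

Setting `MinVersion` alone is not enough: a TLS 1.2 client and server can still negotiate a static-RSA suite unless the server's `CipherSuites` list excludes them, which is why the audit looks at the suite list rather than the version. Run the audit over whatever config your deployment actually hands to `http.Server` or `tls.Listen`, not over a copy in documentation.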
In order to achieve the best possible transparency we regularly publish which providers and services we use to offer ZITADEL. We may obtain the same service from several providers. We have a data processing agreement with each of our sub-processors to guarantee the privacy of your personal data.
- Google Workspace
- IaaS Provider Switzerland (Europe-West-6)
- Mail Relay (SMTP)
- Source Code Management
- Code Scanning
- Dependency Management
- Security Advisory
- Issue Management
- DNS Server
- DDoS Mitigation
- Cloud Load Balancer
- PKI for TLS
- Privacy Friendly Analytics
- Metrics / Alerting / Dashboard
- DNS Registrar
- TLD.ch Domain
- SMS delivery
- Subscription management (Tiers)
- Payment process
- Customer Management
- ZITADEL Cloud status
- Incidents / Maintenance
- Privacy-friendly Web Analytics
- Mailing to customers