Data Residency and Sovereignty in CIAM: Where Your Auth Data Lives
Updated 2026-05-07 · 11 min read · By @guptadeepak
Key takeaways
- Data residency is the contractual guarantee about where your CIAM stores user data; sovereignty is the legal jurisdiction that data falls under.
- Schrems II and the EU-US Data Privacy Framework define the EU-to-US transfer landscape, still subject to ongoing legal challenges.
- Most modern CIAM ship region selection (US, EU, AU, JP); fewer offer Swiss, Indian, or Brazilian residency.
- Self-hosted CIAM (Keycloak, FusionAuth, Ory, Authentik) is the strongest sovereignty answer when residency is non-negotiable.
- Beyond residency, jurisdictional questions (US CLOUD Act, government data requests) increasingly drive CIAM choice for sensitive customers.
Why this matters in 2026
The conversation has shifted because the legal landscape has shifted. Schrems II, the CLOUD Act, the Data Privacy Framework, and parallel jurisdictional questions in Asia (China's data localization, India's DPDP Act) all push customers to ask explicit data-location questions during procurement.
Residency vs sovereignty
The two concepts are easily confused but legally distinct:
Data residency is the contractual guarantee about where your data is stored. "Auth0 in EU region stores your CIAM data in EU datacenters." This is a meaningful technical guarantee; the data isn't replicated to US datacenters in normal operation.
Data sovereignty is the legal jurisdiction the data falls under. Even if data resides in EU datacenters, if the operating company is US-headquartered, US legal process (CLOUD Act subpoenas, FBI warrants) can compel disclosure. The data resides in the EU but is not sovereign to the EU.
For most B2B SaaS sales, EU residency satisfies the customer's procurement. For regulated industries, public-sector customers, and companies with strict sovereignty requirements, residency alone is insufficient; the legal entity matters.
Schrems II and the Data Privacy Framework
The 2020 Schrems II ruling (CJEU Case C-311/18) invalidated the EU-US Privacy Shield agreement as a basis for transferring EU personal data to the US. The reasoning: US surveillance laws (FISA Section 702, Executive Order 12333) provide insufficient protection for EU subjects.
For three years (2020-2023), EU-to-US transfers relied on Standard Contractual Clauses with supplementary measures (encryption, pseudonymization, data residency). The 2023 EU-US Data Privacy Framework restored a streamlined transfer mechanism: US companies that self-certify to specific privacy commitments can receive EU data under an adequacy decision.
The framework is in force in 2026 but remains under legal challenge. Schrems III (the ongoing follow-up case) may invalidate it again. EU customers asking for stronger guarantees than US-vendor-with-DPF-certification are increasingly common.
CIAM by sovereignty posture
The 2026 landscape, by sovereignty strength:
EU residency (most common)
Most managed CIAM ship EU region options:
- Auth0, EU region available; US-headquartered (Okta).
- Stytch, EU region; US-headquartered (Twilio subsidiary).
- Clerk, EU region; US-headquartered.
- MojoAuth, configurable region; US-headquartered.
- Frontegg, EU region; Israel-headquartered.
- Microsoft Entra External ID, EU region; US-headquartered.
- AWS Cognito, EU regions; US-headquartered.
These satisfy EU residency requirements but not EU sovereignty, because the operating company is non-EU.
EU sovereignty (managed)
EU-headquartered CIAM provide a stronger sovereignty posture:
- Ory Network, German-headquartered, EU data residency by default.
- Hanko, German-headquartered, EU sovereignty.
- Zitadel Cloud, Swiss-headquartered, Swiss data residency (separate from EU jurisdictionally).
Swiss residency is interesting: Switzerland is outside the EU but has comparable data protection laws (FADP), and Swiss sovereignty offers jurisdictional separation from both EU and US legal processes.
Self-hosted (strongest sovereignty)
Self-hosted CIAM on infrastructure you control is the strongest sovereignty answer:
- Keycloak, Apache 2.0, deploy anywhere.
- FusionAuth, flexible licensing, self-host anywhere.
- Ory components, Apache 2.0, Kubernetes-native.
- Authentik, MIT licensed, modern Python stack.
- WSO2 Identity Server, Apache 2.0, enterprise OSS.
- Zitadel, Apache 2.0 self-hosted edition.
Self-hosting eliminates the third-party-jurisdiction question entirely. The trade-off is operational cost: running stateful services with the security, availability, and compliance posture of a managed CIAM is real engineering work.
Beyond Europe
Jurisdictional questions outside the EU are increasingly load-bearing:
- China. PIPL (Personal Information Protection Law, 2021) requires data localization for many categories. Chinese-origin CIAM (Casdoor, Logto) have a stronger China-region story; Western CIAM operating in China face cross-border-transfer assessments.
- India. DPDP Act (2023) introduces data localization with caveats. Most major CIAM are adapting; full India residency is patchy in 2026.
- Brazil. LGPD requires lawful basis for processing but has fewer hard residency requirements; most major CIAM serve Brazil from US or EU regions.
- Russia. Federal Law 242-FZ requires Russian residency for personal data of Russian citizens. Most Western CIAM do not offer Russian residency; the geopolitical context makes this a complex compliance question.
Vendor selection by sovereignty constraint
A simple decision tree:
- Hard sovereignty requirement (no foreign legal process): Self-host on owned infrastructure. Keycloak / FusionAuth / Ory / Authentik / Zitadel self-hosted.
- EU sovereignty (EU-headquartered managed): Ory Network, Hanko, Zitadel Cloud.
- EU residency (US-headquartered acceptable): Auth0 EU, Microsoft Entra External ID EU, MojoAuth EU, most modern CIAM.
- Multi-region / global: Auth0, Cognito, Stytch, Microsoft Entra External ID, broad regional coverage.
- No sovereignty requirement: any well-architected CIAM works.
The decision is increasingly upstream of feature parity; for some customer segments, the right CIAM list is constrained by jurisdiction before features even matter.
Related vendors
Hanko
Hanko is the open-source passkey-first CIAM in 2026, orchestration quality at the level of Stytch, but with AGPL self-host as an option and EU data sovereignty by default. For B2C consumer apps where passkey adoption is the goal and B2B Enterprise SSO is not the priority, Hanko is one of the strongest picks. For B2B SaaS or compliance-heavy workloads, the narrow scope shows.
Keycloak
Keycloak is the de-facto open-source CIAM in 2026 and remains the right choice when data sovereignty, on-prem deployment, or zero per-MAU cost are non-negotiable. The trade-off is operational cost: running Keycloak well is closer to running PostgreSQL than running an SDK, and teams without that capacity should reach for FusionAuth (lighter ops) or a SaaS instead.
MojoAuth
MojoAuth is a B2C CIAM specialist focused on modern passwordless and enterprise-grade auth for consumer apps. Passwordless orchestration (passkeys, magic links, OTP) is well above the market median; SAML / OIDC / adaptive MFA bring enterprise-tier features into B2C pricing tiers; consent management is unusually mature. Consumer apps evaluating Auth0 alternatives at the 100k–1M MAU band should put MojoAuth on the shortlist alongside Stytch and Descope.
Ory
Ory is the most architecturally modern open-source CIAM in 2026: Go-based, Kubernetes-native, composable components, strict Apache 2.0, with native Zanzibar-style FGA via Keto that no other full-platform vendor in this index ships natively. The trade-off is operational scope: running four composable services rather than one binary suits Kubernetes-native teams and frustrates everyone else. For teams that want OSS plus FGA from one vendor, Ory is the singular pick.
Zitadel
Zitadel is the modern open-source CIAM with the strongest B2B Organizations data model in 2026: Go-based, single-binary, event-sourced, and Apache 2.0 licensed throughout. For self-hosted teams that find Keycloak's operational profile too heavy and Ory's component model too complex, Zitadel splits the difference with a single deployment artifact and B2B-native primitives. Swiss data residency on Zitadel Cloud is a meaningful differentiator for sovereignty-conscious buyers.
FAQ
- What's the difference between residency and sovereignty?
- Residency is the contractual location of the data: 'your data is stored in EU datacenters.' Sovereignty is the legal jurisdiction the data falls under: 'your data is governed by EU law and not subject to US legal process.' US-headquartered vendors with EU residency still face US sovereignty exposure via the CLOUD Act; truly EU-sovereign data requires EU-headquartered providers or self-hosting.
- Does Schrems II still apply in 2026?
- Yes. The 2020 Schrems II ruling invalidated Privacy Shield as a transfer mechanism. The 2023 EU-US Data Privacy Framework restored a transfer mechanism but is subject to ongoing legal challenge (Schrems III is in progress). The Data Privacy Framework remains valid for now, but EU customers continue asking for stronger sovereignty guarantees.
- Which CIAM offer EU data residency?
- Most modern managed CIAM offer EU regions: Auth0, Stytch, Clerk, MojoAuth, Frontegg, Microsoft Entra External ID, AWS Cognito (EU regions), Cloudflare Workers / WorkOS (EU). For EU sovereignty (not just residency), Ory Network (EU-default), Zitadel Cloud (Swiss), Hanko (German), and self-hosted on EU infrastructure are the strongest options.
- Should I self-host CIAM for sovereignty?
- Self-hosting on infrastructure you control is the strongest sovereignty answer. The trade-off is operational responsibility: running stateful services with the security, availability, and compliance posture of a managed CIAM is real engineering work. Reach for self-hosting when sovereignty requirements specifically forbid managed CIAM; otherwise EU-headquartered managed CIAM is usually the right balance.
Sources
- CJEU Schrems II ruling (Case C-311/18, 2020)
- EU-US Data Privacy Framework
- US CLOUD Act
- GDPR Article 44, transfers to third countries