Compliance Guide · 11 min read · April 16, 2026

UAE PDPL Compliance: Identity & Access Management Requirements

The UAE Personal Data Protection Law creates direct obligations for how companies handle login, consent, and user data. What every CTO operating in the UAE needs to know.

KeycloakPro Team

The Compliance Gap That Almost Cost a Dubai Fintech Its License

Tariq Al-Rashidi, CTO of a Dubai-based payments platform, heard about the UAE Personal Data Protection Law when it was enacted in 2021. His legal team filed it as "future concern" alongside GDPR. The platform was growing fast — 80,000 active users, DIFC licensed, processing payments for merchants across the GCC.

In Q3 2025, a UAE Central Bank compliance officer asked for their data processing register as part of a routine inspection. Specifically: which third-party processors handle UAE resident personal data, and where is that data stored?

Tariq's answer: Auth0, US East region.

The compliance officer's response was not a fine — not yet. It was a remediation notice requiring documented evidence of adequate data protection safeguards for cross-border transfers within 90 days.

Tariq spent those 90 days rebuilding his authentication layer. The migration to Keycloak, deployed in AWS Bahrain (me-south-1), took eight weeks. The compliance documentation package took another two. The cost of doing it under regulatory pressure was three times what it would have cost to do it right the first time.

The UAE's Three-Layer Data Protection Framework

Understanding UAE data protection compliance requires understanding three distinct regimes that operate in parallel — and may all apply to your business depending on where you're incorporated and what sectors you operate in.

Layer 1: Federal UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021)

The UAE PDPL — often called the Federal PDPL — applies to the processing of personal data of individuals in the UAE by entities operating in non-financial free zones and the mainland. It came into force on January 2, 2022, with a 12-month grace period for compliance (extended to 2023 for some provisions).

Key features:

  • Applies to any entity processing UAE resident personal data, regardless of where the entity is incorporated
  • Establishes a Data Protection Officer (DPO) requirement for large-scale processors
  • Requires explicit consent for sensitive data categories (health, biometrics, financial)
  • Restricts cross-border data transfers to countries with adequate protection
  • Grants data subjects rights to access, correction, erasure, and objection

UAE PDPL enforcement authority: The UAE Data Office (formerly part of the Telecommunications and Digital Government Regulatory Authority — TDRA).

Layer 2: DIFC Data Protection Law (DIFC Law No. 5 of 2020)

The Dubai International Financial Centre operates its own legal framework, including a comprehensive data protection law modeled on GDPR. DIFC Law No. 5 of 2020 applies to all entities established in the DIFC — financial services firms, fintechs, professional services, and technology companies licensed by the DIFC.

Key differences from the Federal PDPL:

  • More explicit lawful basis requirements (consent, legitimate interests, contractual necessity)
  • Stricter breach notification — 72 hours to the DIFC Commissioner, as in GDPR
  • More detailed processor/sub-processor chain requirements
  • Data Protection Impact Assessment (DPIA) mandatory for high-risk processing

DIFC enforcement authority: DIFC Commissioner of Data Protection.

Layer 3: ADGM Data Protection Regulations (Abu Dhabi Global Market)

The Abu Dhabi Global Market has its own data protection framework (ADGM Data Protection Regulations 2021), closely aligned with GDPR. It applies to all entities operating within the ADGM free zone.

ADGM enforcement authority: ADGM Registration Authority.

Which Regime Applies to You?

| Company type | Applicable regime |
|---|---|
| UAE mainland company | Federal PDPL |
| DIFC-licensed entity | DIFC Law No. 5 of 2020 |
| ADGM-licensed entity | ADGM Data Protection Regulations |
| Company with users in UAE (any jurisdiction) | Federal PDPL applies to processing UAE resident data |
| Company with users in DIFC-regulated activities | DIFC may also apply |

Many companies, particularly fintechs and SaaS platforms, are subject to multiple regimes simultaneously. If you're DIFC-licensed and also serve mainland UAE users, both DIFC Law and the Federal PDPL apply to different aspects of your operations.


What the UAE PDPL Requires From Your IAM Stack

Across all three frameworks, the obligations that directly touch your authentication and identity layer are:

1. Lawful Basis for Processing Authentication Data

Authentication data — email addresses, phone numbers, login events, session tokens, device identifiers — is personal data. You must have a lawful basis to process it.

The Federal PDPL recognizes these lawful bases:

  • Consent — explicit, informed, specific
  • Contract performance — processing necessary to deliver the service the user signed up for
  • Legal obligation — required by UAE law
  • Vital interests — protecting the safety of the data subject
  • Legitimate interests — subject to balancing test

For most SaaS and consumer applications, the primary lawful basis for authentication processing is contract performance — users create accounts to use your service, and authentication is inherent in that. But any processing beyond the core authentication function (analytics, marketing, third-party sharing) requires a separate lawful basis, typically consent.

IAM implication: Your IdP must support the ability to scope token issuance to only the personal data categories covered by the applicable lawful basis.

2. Consent Requirements

For processing activities that rely on consent — marketing, profiling, optional data attributes — the UAE PDPL requires:

  • Consent obtained through a clear, affirmative action
  • The ability to withdraw consent at any time
  • Processing must stop once consent is withdrawn
  • Consent records must be maintained

IAM implication: Consent collection happens at the authentication layer. Your IdP must support purpose-specific consent flows, consent versioning, and consent revocation that feeds back into token issuance decisions.
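The two "IAM implication" points above (scoping issued claims to the lawful basis, and consent withdrawal feeding back into token decisions) are easiest to see in code. The block below is an added illustration, not KeycloakPro code and not the Keycloak API: Keycloak expresses purpose-to-claim mappings through client scopes and protocol mappers, whereas here the mapping is an explicit table so the decision logic is visible. The purposes, attribute names, consent versions and user data are constructed for the example.

```python
"""Purpose-scoped claims and consent-gated token decisions (added example).

Contract-basis purposes always receive their claims; consent-basis purposes
only receive claims while an active, current-version consent exists, and a
resource server re-checks consent at request time so a withdrawal takes
effect before the token expires.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Purpose -> lawful basis and the personal-data attributes that purpose may carry.
# Constructed mapping; in Keycloak this lives in client scopes + protocol mappers.
PURPOSES = {
    "authentication": {"basis": "contract", "claims": {"sub", "email", "preferred_username"}},
    "marketing":      {"basis": "consent",  "claims": {"email", "phone_number"}},
    "profiling":      {"basis": "consent",  "claims": {"email", "locale", "device_id"}},
}

@dataclass
class ConsentRecord:
    user: str
    purpose: str
    version: str                      # version of the consent text the user saw
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

@dataclass
class ConsentStore:
    records: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # append-only consent audit log

    def grant(self, user, purpose, version, when):
        self.records.append(ConsentRecord(user, purpose, version, when))
        self.audit.append((when, user, purpose, "granted", version))

    def withdraw(self, user, purpose, when):
        for r in self.records:
            if r.user == user and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = when
                self.audit.append((when, user, purpose, "withdrawn", r.version))

    def active(self, user, purpose, at, current_version):
        """Consent counts only if granted before `at`, not withdrawn by `at`,
        and given for the current version of the consent text (a changed
        text requires re-consent)."""
        return any(
            r.user == user and r.purpose == purpose and r.version == current_version
            and r.granted_at <= at and (r.withdrawn_at is None or r.withdrawn_at > at)
            for r in self.records
        )

def issue_token(user, requested_purposes, profile, store, now, consent_version):
    """Build the claim set a token may carry for the requested purposes."""
    granted, claims = [], {"sub": user}
    for purpose in requested_purposes:
        spec = PURPOSES[purpose]
        if spec["basis"] == "consent" and not store.active(user, purpose, now, consent_version):
            continue                      # no active consent: purpose and its claims are dropped
        granted.append(purpose)
        claims.update({k: profile[k] for k in spec["claims"] if k in profile})
    claims["purposes"] = sorted(granted)
    claims["iat"] = int(now.timestamp())
    return claims

def authorize(token, purpose, store, now, consent_version):
    """Resource-side check: the purpose must be in the token AND, for
    consent-based purposes, consent must still be active right now."""
    if purpose not in token["purposes"]:
        return False
    if PURPOSES[purpose]["basis"] == "consent":
        return store.active(token["sub"], purpose, now, consent_version)
    return True

def demo():
    """Constructed walk-through: grant, issue a token, withdraw, re-check."""
    t0 = datetime(2026, 1, 10, tzinfo=timezone.utc)
    t1 = datetime(2026, 1, 11, tzinfo=timezone.utc)
    t2 = datetime(2026, 1, 12, tzinfo=timezone.utc)
    store = ConsentStore()
    profile = {"email": "u1@example.test", "preferred_username": "u1",
               "phone_number": "+971-00-000", "locale": "ar-AE", "device_id": "d-1"}
    store.grant("u1", "marketing", "v2", t0)          # consent only for marketing
    token = issue_token("u1", ["authentication", "marketing", "profiling"], profile, store, t1, "v2")
    before = authorize(token, "marketing", store, t1, "v2")
    store.withdraw("u1", "marketing", t2)
    after = authorize(token, "marketing", store, t2, "v2")   # same token, now refused
    return token, before, after, store.audit

if __name__ == "__main__":
    print(demo())
```

The point of `authorize` re-reading the consent store is the "consent revocation → token block" behaviour: a withdrawal is honoured immediately even though the previously issued token still lists the purpose, and the `audit` list is the consent record the DPO can produce on request.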

3. Data Subject Rights

UAE residents have the right to:

  • Access their personal data
  • Correct inaccurate data
  • Erase their data (right to be forgotten)
  • Object to processing
  • Port their data to another provider

IAM implication: Your authentication data — login history, linked attributes, device records — is part of the data subject's personal data. Your IdP must support:

  • A self-service data export covering authentication records
  • User account deletion with audit trail
  • The ability to correct user attributes (name, email, phone)
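The three IdP capabilities listed above (export, deletion with an audit trail, attribute correction) as an added example. This is not KeycloakPro or Keycloak code; with Keycloak the same operations go through its Admin REST API. The record shapes (user attributes, linked devices, login events) and every value are constructed for the illustration.

```python
"""Data-subject-rights operations over authentication records (added example).

Erasure removes the identity and device records, strips personal data out of
the login events (the security log keeps only a keyed pseudonym), and writes
an audit entry that proves the deletion without retaining the identity.
"""
import hashlib

# Attributes a subject may correct through self-service (right to rectification).
CORRECTABLE = {"firstName", "lastName", "email", "phone"}

class IdentityStore:
    def __init__(self, pseudonym_key: bytes):
        self.users = {}      # user_id -> attribute dict
        self.devices = {}    # user_id -> list of device records
        self.events = []     # login events keyed by user_id
        self.audit = []      # append-only trail of rights requests
        self._key = pseudonym_key

    def _pseudonym(self, user_id: str) -> str:
        # Keyed hash: the trail can show a deletion happened without keeping the identity.
        return hashlib.sha256(self._key + user_id.encode()).hexdigest()[:16]

    def export(self, user_id: str, now: str) -> dict:
        """Right of access / portability: every record keyed to the subject,
        returned as a JSON-serialisable package."""
        if user_id not in self.users:
            raise KeyError(user_id)
        return {
            "generated_at": now,
            "user": dict(self.users[user_id]),
            "devices": list(self.devices.get(user_id, [])),
            "login_events": [dict(e) for e in self.events if e["user_id"] == user_id],
        }

    def correct(self, user_id: str, attr: str, value: str, actor: str, now: str):
        """Right to rectification, limited to attributes the subject owns."""
        if attr not in CORRECTABLE:
            raise ValueError(f"{attr} is not subject-correctable")
        old = self.users[user_id].get(attr)
        self.users[user_id][attr] = value
        self.audit.append({"at": now, "action": "correct", "subject": self._pseudonym(user_id),
                           "attr": attr, "by": actor})
        return old

    def erase(self, user_id: str, actor: str, now: str) -> dict:
        """Right to erasure with an audit trail."""
        if user_id not in self.users:
            raise KeyError(user_id)
        removed = {"user": 1, "devices": len(self.devices.pop(user_id, [])), "events_scrubbed": 0}
        del self.users[user_id]
        alias = self._pseudonym(user_id)
        for e in self.events:
            if e["user_id"] == user_id:
                e["user_id"] = alias
                for personal in ("ip", "username", "user_agent"):
                    e.pop(personal, None)
                removed["events_scrubbed"] += 1
        self.audit.append({"at": now, "action": "erase", "subject": alias,
                           "by": actor, "removed": removed})
        return removed

def build_sample_store() -> IdentityStore:
    """Constructed sample data; nothing here is real."""
    s = IdentityStore(b"constructed-key")
    s.users["u-42"] = {"firstName": "Tariq", "email": "t@example.test", "phone": "+971-00-000"}
    s.devices["u-42"] = [{"id": "dev-1", "fingerprint": "constructed"}]
    s.users["u-7"] = {"firstName": "Noor", "email": "n@example.test"}
    s.events = [
        {"user_id": "u-42", "type": "LOGIN", "ip": "203.0.113.5", "time": "2026-01-01T08:00:00Z"},
        {"user_id": "u-42", "type": "LOGIN_ERROR", "ip": "203.0.113.5", "time": "2026-01-02T08:00:00Z"},
        {"user_id": "u-7", "type": "LOGIN", "ip": "203.0.113.9", "time": "2026-01-02T09:00:00Z"},
    ]
    return s

def demo():
    """Export, correct, then erase one subject; returns the evidence produced."""
    s = build_sample_store()
    now = "2026-02-01T10:00:00Z"
    package = s.export("u-42", now)
    previous_email = s.correct("u-42", "email", "new@example.test", "self", now)
    removed = s.erase("u-42", "dpo", now)
    return package, previous_email, removed, s

if __name__ == "__main__":
    print(demo()[2])
```

Keeping the pseudonymised event rows rather than deleting them is a deliberate choice: the security log still shows that logins occurred, which is what the breach-notification obligations below rely on, while the identity itself is gone.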

4. Cross-Border Transfer Restrictions

The Federal PDPL restricts transfers of personal data to countries not on the UAE Data Office's adequacy list. The UAE has granted adequacy decisions for a small number of jurisdictions; the US is not among them.

This means:

  • If your IdP is US-hosted (Auth0, Okta, AWS Cognito on us-east-1, Firebase), you are transferring UAE resident personal data to a country without an adequacy decision
  • Alternatives to adequacy: Standard Contractual Clauses (SCCs) with the processor, binding corporate rules, explicit consent for the specific transfer
  • The safest position: deploy your IdP in a UAE or GCC region (AWS Bahrain, Azure UAE North/South, Google Cloud Qatar)

5. Data Breach Notification

| Regime | Notification to Authority | Notification to Data Subjects |
|---|---|---|
| Federal PDPL | Within 72 hours of awareness | If breach poses significant risk |
| DIFC Law | Within 72 hours of awareness | Without undue delay if breach poses high risk |
| ADGM Regulations | Without undue delay | If breach likely results in high risk |

IAM implication: Your IdP is the first system to know about credential stuffing, account takeover attempts, and authentication breaches. It must generate real-time alerts and produce the breach impact report (which accounts, what data, what timeframe) within hours.


Data Residency Options in the UAE and GCC

| Cloud Provider | Region | Location | Notes |
|---|---|---|---|
| AWS | me-south-1 | Bahrain | GCC's largest cloud region |
| AWS | me-central-1 | UAE (Dubai/Abu Dhabi) | Launched 2022, growing |
| Azure | UAE North | Dubai | Part of Microsoft's Middle East pair |
| Azure | UAE Central | Abu Dhabi | Secondary region (not all services) |
| Google Cloud | me-central1 | Qatar (Doha) | Available but limited service set |
| Huawei Cloud | ap-southeast-2 | Bangkok (nearest) | Not UAE-local |

For most UAE PDPL compliance purposes, AWS Bahrain (me-south-1) or Azure UAE North are the recommended choices. Both are established regions with full service availability including managed databases, load balancers, and container services needed to run a production Keycloak cluster.

DIFC entities should note that DIFC's own cloud infrastructure guidelines reference AWS Bahrain as a preferred region for on-shore GCC data residency.


How Current IAM Tools Perform Against UAE PDPL

| Requirement | Auth0 | AWS Cognito | Azure AD B2C | Firebase Auth | KeycloakPro |
|---|---|---|---|---|---|
| UAE/GCC data residency option | No | me-south-1 available | UAE North available | No GCC region | Yes — your AWS/Azure account |
| Purpose-specific consent flows | No | No | Partial | No | Yes |
| Consent audit log | No | No | No | No | Yes |
| Consent revocation → token block | No | No | No | No | Yes |
| Right-to-erasure workflow | Partial | Partial | Partial | No | Yes |
| User self-service data export | Partial | No | Partial | No | Yes |
| 72-hour breach reporting support | Partial | Partial | Yes | No | Yes (your SIEM) |
| Cross-border transfer controls | No | Region-scoped | Region-scoped | No | Yes — fully isolated |
| DPO-ready audit logging | No | No | No | No | Yes |

The key difference: when you deploy KeycloakPro on your AWS Bahrain account, your IAM data never leaves GCC infrastructure. Auth0 and Firebase have no GCC region. AWS Cognito and Azure AD B2C have GCC regions available, but the consent management and erasure capabilities are limited compared to what PDPL and DIFC auditors are now asking for.


Architecture: Keycloak on AWS Bahrain for UAE PDPL Compliance

A production-grade Keycloak deployment for UAE compliance typically looks like this:

[User in UAE] → [AWS CloudFront PoP (Dubai/Bahrain)]
              → [Application Load Balancer (me-south-1)]
              → [Keycloak Cluster: 2× nodes (me-south-1a, me-south-1b)]
              → [PostgreSQL RDS Multi-AZ (me-south-1)]
              → [Redis ElastiCache (me-south-1) — session store]
              → [CloudWatch Logs → S3 (me-south-1) — 180-day retention]

Everything stays in Bahrain. The KeycloakPro operations team accesses via a bastion host in me-south-1. Backup replication, if required, goes to me-central-1 (UAE) — still within the GCC boundary.
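The claim that "everything stays in Bahrain" is something an auditor will want checked against the actual inventory rather than the diagram. The block below is an added example of such a residency check over a deployment inventory; it is not KeycloakPro tooling. The GCC region names are the ones from the residency table in this article, the inventory is constructed (account ids, bucket names and the Cognito pool id are placeholders), and the "actions" encode the transfer options listed in the cross-border section: stay in a GCC region, or document SCCs / explicit consent.

```python
"""Data-residency check over a cloud inventory (added example).

Parses AWS ARNs for their region field, handles the resources whose ARNs
carry no region (S3 buckets), and reports each resource as in-GCC,
cross-border, or region-unknown with the follow-up the transfer rules imply.
"""

# Regions this article lists as in-GCC. Azure names are normalised
# ("UAE North" -> "uaenorth") so both display and API forms match.
GCC_REGIONS = {
    "aws": {"me-south-1", "me-central-1"},
    "azure": {"uaenorth", "uaecentral"},
    "gcp": {"me-central1"},
}

def normalise_region(region: str) -> str:
    return region.lower().replace(" ", "")

def arn_region(arn: str) -> str:
    """Field 4 of arn:partition:service:region:account:resource.
    S3, IAM and CloudFront ARNs leave it empty, so an empty string means
    'not determinable from the ARN'."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[3]

def classify(provider: str, region: str) -> str:
    if not region:
        return "region-unknown"
    return "gcc" if normalise_region(region) in GCC_REGIONS.get(provider, set()) else "cross-border"

def residency_report(inventory):
    """Each item has a name, a provider, and an arn and/or a region; an
    explicit region wins over the ARN (needed for S3 buckets)."""
    findings = []
    for item in inventory:
        region = item.get("region") or (arn_region(item["arn"]) if "arn" in item else "")
        status = classify(item["provider"], region)
        if status == "cross-border":
            action = "move to a GCC region, or document SCCs / explicit consent for this transfer"
        elif status == "region-unknown":
            action = "resolve the resource's location (e.g. bucket location) and re-check"
        else:
            action = "ok"
        findings.append({"name": item["name"], "region": region, "status": status, "action": action})
    return findings

def all_in_gcc(findings) -> bool:
    """True only when every resource is positively confirmed in-GCC."""
    return all(f["status"] == "gcc" for f in findings)

# Constructed inventory mirroring the reference architecture plus one legacy resource.
SAMPLE_INVENTORY = [
    {"name": "keycloak-db", "provider": "aws",
     "arn": "arn:aws:rds:me-south-1:000000000000:db:keycloak"},
    {"name": "session-store", "provider": "aws",
     "arn": "arn:aws:elasticache:me-south-1:000000000000:cluster:kc-sessions"},
    {"name": "audit-logs", "provider": "aws",
     "arn": "arn:aws:s3:::kc-audit-logs-placeholder"},            # S3 ARNs carry no region
    {"name": "backup-replica", "provider": "aws",
     "arn": "arn:aws:s3:::kc-backups-placeholder", "region": "me-central-1"},
    {"name": "legacy-cognito-pool", "provider": "aws",
     "arn": "arn:aws:cognito-idp:us-east-1:000000000000:userpool/us-east-1_PLACEHOLDER"},
    {"name": "b2c-tenant-metadata", "provider": "azure", "region": "UAE North"},
]

if __name__ == "__main__":
    for finding in residency_report(SAMPLE_INVENTORY):
        print(f"{finding['name']:<22} {finding['region'] or '-':<14} {finding['status']:<15} {finding['action']}")
```

The "region-unknown" outcome is the one that most often slips past a diagram review: S3 bucket ARNs are region-less, so a log bucket only counts as in-GCC once its location has been resolved and recorded explicitly.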

For DIFC-licensed entities, we document the full data flow, name each sub-processor, and produce the Article 10 transfer documentation required by DIFC Law. For Federal PDPL purposes, the AWS Bahrain deployment satisfies data residency requirements without requiring SCCs.


DIFC-Specific Considerations

DIFC Law No. 5 of 2020 is the strictest of the three UAE regimes, intentionally aligned with GDPR to facilitate data flows between the DIFC and EU entities.

Additional requirements that DIFC-licensed companies must address in their IAM stack:

Data Protection Impact Assessment (DPIA): Required before deploying new authentication technologies (biometrics, behavioral analytics, device fingerprinting). Your DPIA must document the processing purpose, necessity assessment, risk analysis, and mitigation measures. KeycloakPro provides a DPIA template for Keycloak deployments.

Article 10 Transfers: All transfers of personal data outside the DIFC require either adequacy, appropriate safeguards (SCCs with the DIFC Commissioner's model clauses), or explicit consent. Deploying your IdP on AWS Bahrain puts it inside the GCC rather than outside the DIFC, which simplifies the transfer analysis.

Breach Notification — 72-Hour Requirement: DIFC Law mirrors GDPR's 72-hour notification window. KeycloakPro configures automated alerting so that authentication anomalies (mass account lockouts, unusual login patterns, token replay attacks) trigger immediate notifications to your security team with enough context to assess breach scope within hours, not days.
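Both breach-notification passages (the 72-hour windows in the table above and the requirement that the IdP produce "which accounts, what data, what timeframe" quickly) come down to detection logic over the IdP's event stream. The block below is an added example of that logic, not KeycloakPro's alerting. The event lines are constructed in the shape of Keycloak's JSON login events (`type`, `ipAddress`, `details.username`, `time` in epoch milliseconds); the realm and client names, IP addresses, usernames and thresholds are all illustrative.

```python
"""Credential-stuffing detection and a breach-impact report (added example).

Flags a source IP whose LOGIN_ERROR events hit many distinct accounts inside a
short window, lists the accounts that then logged in successfully from that IP,
and produces the facts a notification needs with the 72-hour deadline counted
from detection.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # look-back for counting distinct targeted accounts
MIN_DISTINCT_USERS = 5           # one IP failing against this many accounts => stuffing pattern
NOTIFY_WINDOW = timedelta(hours=72)

def parse_events(lines):
    events = []
    for line in lines:
        raw = json.loads(line)
        events.append({
            "type": raw["type"],
            "ip": raw.get("ipAddress"),
            "user": raw.get("details", {}).get("username") or raw.get("userId"),
            "time": datetime.fromtimestamp(raw["time"] / 1000, tz=timezone.utc),
        })
    return sorted(events, key=lambda e: e["time"])

def detect_credential_stuffing(events):
    """One alert per source IP that crosses the threshold."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["type"] == "LOGIN_ERROR"]
        for i, f in enumerate(failures):
            window = [x for x in failures[: i + 1] if x["time"] >= f["time"] - WINDOW]
            if len({x["user"] for x in window}) < MIN_DISTINCT_USERS:
                continue
            start = window[0]["time"]
            targeted = {x["user"] for x in failures if x["time"] >= start}
            # accounts that later logged in successfully from the attacking IP
            compromised = {x["user"] for x in evs
                           if x["type"] == "LOGIN" and x["time"] >= start and x["user"] in targeted}
            alerts.append({"ip": ip, "detected_at": f["time"], "first": start,
                           "last": failures[-1]["time"], "targeted": targeted,
                           "compromised": compromised})
            break   # one alert per IP is enough for the report
    return alerts

def impact_report(alerts):
    """Which accounts, what data, what timeframe, and the notification deadline."""
    if not alerts:
        return None
    detected = min(a["detected_at"] for a in alerts)
    return {
        "detected_at": detected.isoformat(),
        "notify_authority_by": (detected + NOTIFY_WINDOW).isoformat(),
        "timeframe": [min(a["first"] for a in alerts).isoformat(),
                      max(a["last"] for a in alerts).isoformat()],
        "source_ips": sorted(a["ip"] for a in alerts),
        "accounts_targeted": sorted(set().union(*(a["targeted"] for a in alerts))),
        "accounts_likely_compromised": sorted(set().union(*(a["compromised"] for a in alerts))),
        "data_categories": ["credentials (password attempts)", "login events", "IP addresses"],
    }

def _ev(type_, ip, user, offset_s, base_ms=1767254400000):   # base = 2026-01-01T08:00:00Z
    return json.dumps({"type": type_, "realmId": "uae-prod", "clientId": "app",
                       "ipAddress": ip, "details": {"username": user},
                       "time": base_ms + offset_s * 1000})

SAMPLE_LOG = [   # constructed; addresses are RFC 5737 documentation ranges
    _ev("LOGIN_ERROR", "198.51.100.7", "alice", 0),
    _ev("LOGIN_ERROR", "198.51.100.7", "bob", 20),
    _ev("LOGIN", "203.0.113.4", "gina", 30),          # unrelated normal login
    _ev("LOGIN_ERROR", "198.51.100.7", "carol", 45),
    _ev("LOGIN_ERROR", "198.51.100.7", "dave", 70),
    _ev("LOGIN_ERROR", "203.0.113.9", "hank", 80),    # one user mistyping, below threshold
    _ev("LOGIN_ERROR", "198.51.100.7", "erin", 95),   # fifth distinct account: threshold crossed
    _ev("LOGIN", "198.51.100.7", "carol", 120),       # success from the attacking IP
    _ev("LOGIN_ERROR", "198.51.100.7", "frank", 150),
]

def build_report(lines=SAMPLE_LOG):
    return impact_report(detect_credential_stuffing(parse_events(lines)))

if __name__ == "__main__":
    print(json.dumps(build_report(), indent=2))
```

Counting the deadline from `detected_at` rather than from the first failed login is deliberate: the regimes above start the clock at awareness, so the detection timestamp is the one that must be preserved in the audit log.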


Getting PDPL-Compliant: A Practical Roadmap

For companies currently running Auth0, Firebase, or Cognito and needing to demonstrate UAE PDPL compliance:

| Phase | Week | Activity |
|---|---|---|
| Assessment | 1 | Audit current IdP: data flows, storage location, consent mechanisms, sub-processors |
| Infrastructure | 2 | Deploy Keycloak HA cluster on AWS Bahrain or Azure UAE North in your own account |
| Migration | 3–4 | Migrate user accounts, reconfigure OIDC/SAML clients, parallel run |
| Compliance Layer | 5 | Implement consent flows, purpose mapping, erasure workflow, audit log configuration |
| Documentation | 6 | Produce PDPL compliance pack: data flow diagrams, sub-processor list, consent records, DPA |
| Certification | 7 | (For DIFC entities) Submit updated sub-processor list and transfer documentation to DIFC Commissioner |

The documentation package produced at Week 6 is what you hand to the UAE Data Office, the DIFC Commissioner, or an enterprise customer's legal team. It includes:

  • Data residency confirmation (AWS infrastructure certificate for Bahrain region)
  • Data flow diagram showing authentication data never leaving GCC
  • Consent flow screenshots and sample consent audit records
  • Erasure procedure document and sample audit trail
  • Sub-processor register (KeycloakPro, AWS, no others for the IAM layer)

Act Before the Regulator Does

The UAE Data Office has issued its first enforcement guidelines. DIFC's Commissioner has been active since 2020. The grace periods are over.

Enterprise customers in the GCC — banks, government entities, healthcare groups — are including PDPL compliance clauses in vendor contracts. A vendor questionnaire with a bad answer on data residency is now a procurement blocker, not just a compliance risk.

The companies that will pass these audits smoothly are the ones that built PDPL compliance into their authentication architecture — not the ones retrofitting it.

KeycloakPro's UAE PDPL IAM Assessment covers:

  • A review of your current IAM stack against the Federal PDPL, DIFC, and ADGM checklists
  • Data residency gap analysis — where your user data is actually stored today
  • Consent management gaps and remediation path
  • Migration estimate for your specific stack
  • Sample compliance documentation package

