On-Prem vs. Cloud

Which components of Keeper are on-premise versus Cloud-based?

Keeper's architecture is the most secure in the industry. Built from the ground up with record-level encryption and client-side key generation, the foundation of Keeper Enterprise is built upon a model that ensures only the user is able to decrypt and access their privileged information.

The Keeper platform is built on an access layer and encryption layer. Access and authentication controls who is able to sync the encrypted ciphertext, and client-side encryption controls who is able to physically encrypt/decrypt the data.

If you are using an SSO solution and plan to integrate Keeper into your identity provider, this component is fully on-prem. Keeper SSO Connect is installed on your hardware and this system generates the encryption keys and authenticates the users in real time.

All of Keeper's user-facing applications contain on-device local encrypted storage. The applications can be locked down to only run within your network environment through role-based enforcement policies. Customers can also enforce the use of 2FA and other security policies through the Keeper Admin Console. The cloud component of the Keeper architecture is hosted with Amazon AWS with multi-zone and multi-region redundancy.


Cloud, Native or On-Premise

SSO Connect


Active Directory Bridge


Encrypted Backend API


Web Vault

Cloud with local offline storage

Desktop App

Native install with offline storage and cloud sync

Mobile App

Native install with offline storage and cloud sync