# On-Prem vs. Cloud

Keeper's architecture is the most secure in the industry. Built from the ground up with record-level encryption and client-side key generation, Keeper Enterprise rests on a Zero Knowledge model that ensures only the user is able to decrypt and access their privileged information.

The Keeper platform is built on an access layer and an encryption layer. Access and authentication control who is able to sync the encrypted ciphertext, and client-side encryption controls who is able to encrypt and decrypt the data.

If you are using an SSO solution and plan to integrate Keeper into your identity provider, Keeper offers both on-premise and cloud versions of Keeper SSO Connect™.  For on-prem tenants, Keeper SSO Connect generates the encryption keys and authenticates the users in real time. For cloud tenants, SSO Connect Cloud is fully managed by the Keeper infrastructure with device-level encryption to ensure Zero Knowledge.

All of Keeper's user-facing applications contain on-device local encrypted storage. All Keeper applications can be restricted to specific IP allow lists through role-based enforcement policies. Customers can also enforce the use of 2FA and other security policies through the Keeper Admin Console. The cloud component of the Keeper architecture is hosted in Amazon AWS with multi-zone and multi-region redundancy. Isolated data centers are available in several global locations.

| **Component**             | **Cloud, Native or On-Premise**                      |
| ------------------------- | ---------------------------------------------------- |
| SSO Connect               | Cloud and On-premise versions available              |
| Encrypted Backend API     | Cloud API hosted in Amazon AWS                       |
| Web Vault                 | Cloud with local offline storage                     |
| Desktop App               | Native install with offline storage and cloud sync   |
| Mobile App                | Native install with offline storage and cloud sync   |
| Commander CLI             | Native install with cloud sync                       |
| Browser Extensions        | Native install with cloud sync                       |
| Secrets Manager           | Native SDKs in every target language with Cloud Sync |
| KeeperPAM                 | Cloud-based with native client applications          |
| Keeper Connection Manager | On-premise installation                              |
| Keeper Admin Console      | Cloud-based                                          |
| Keeper Automator          | Cloud and On-premise versions available              |
| Active Directory Bridge   | On-premise installation                              |

### Related Articles on the Keeper Blog:

* [Differences between cloud-based and on-prem password managers](https://www.keepersecurity.com/blog/2022/10/28/differences-between-cloud-based-and-on-prem-password-managers/)
* [Pitfalls of on-premise password managers](https://www.keepersecurity.com/blog/2022/10/03/3-pitfalls-of-on-premise-password-managers/)


