Okta is one of the leading identity and access management platforms, used by enterprises worldwide for single sign-on, multi-factor authentication, user lifecycle management, federation and customer identity (through the Auth0 brand, also operated by Okta). It is built on a hosted authentication flow that issues session cookies and OAuth/OIDC tokens. Okta tenants can be deployed in EU cells (Frankfurt, Dublin), but Okta, Inc. remains a US controller for the platform.
Okta is a global identity and access management platform operated by Okta, Inc., headquartered in San Francisco. Its Workforce Identity Cloud gives employees single sign-on, multi-factor authentication, lifecycle management and access reviews across hundreds of business applications. Its Customer Identity Cloud, which includes Auth0 (acquired by Okta in 2021), secures sign-in for consumer and B2B apps with social login, passwordless, brute-force protection, anomaly detection and adaptive MFA. Both products are delivered through a hosted authentication flow on okta.com or auth0.com subdomains and a wide range of SDKs.
Okta collects the username, password (stored only as a hash, never in clear text), email, phone number, MFA factors (OTP secrets, WebAuthn credentials), device fingerprint, IP address, User-Agent, country, an audit log of every authentication, session and configuration change, and any custom claim configured in the directory. On the visitor side, the hosted sign-in flow sets a sid session cookie plus technical cookies: DT (device token), JSESSIONID (back-end session) and t (CSRF protection). Auth0 adds its own auth0 cookie and optional anomaly-detection signals.
The Okta authentication cookies are strictly necessary for the user to sign in to the requested service and are exempt from the consent requirement of Article 5(3) of the ePrivacy Directive. The processing of credentials, MFA factors and audit logs is grounded on contract performance (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c), for security and accounting retention mandated by law) and legitimate interest in fraud prevention (Art. 6(1)(f)). Anomaly detection or behavioural risk scoring that goes beyond what is strictly necessary should be assessed individually. The privacy policy must list Okta or Auth0 as a processor.
No for the strictly necessary authentication cookies and security tokens. Yes for any optional features that go beyond authentication: analytics on the login page, marketing widgets, social login providers that themselves require consent, or persistent device recognition for marketing purposes. The user must always be informed that Okta or Auth0 is involved in the sign in flow.
With an EU cell (Frankfurt or Dublin) selected at tenant provisioning, persistent data stays in the EU. Okta, Inc. (USA) remains the controller of the platform and accesses data for support, security and incident response. Okta is certified under the EU-US Data Privacy Framework, offers EU SCCs through the Okta Master Subscription Agreement and the Okta DPA, and publishes a regularly updated sub-processor list. Auth0 follows the same regime under the Okta umbrella. For regulated industries, Okta provides FedRAMP, ISO 27001, ISO 27018, SOC 2 Type II and HIPAA attestations.
Choose an EU cell at tenant provisioning, sign the Okta DPA with the SCCs annex, list Okta, Inc. and Auth0 as recipients in the privacy policy with the transfer mechanism (DPF and SCC), configure audit log retention to the minimum that satisfies your security and legal obligations, restrict admin access via SSO and MFA, and consider customer managed keys (Bring Your Own Key) for sensitive tenants. Document the integration in the Article 30 record.
Websites using Okta do not need consent for the strictly necessary authentication cookies, but under GDPR they must still inform users of Okta's role in the sign-in flow and document the processing.
DPIA considerations
Okta processes credentials, MFA factors, audit logs and (with Auth0 hooks) optional behavioural attributes. A DPIA is recommended for customer identity deployments at scale (B2C apps with millions of users, public administration, regulated industries) and should cover the choice of cell, the EU US transfer mechanism, the retention of audit logs and the sub processor list.
Sample consent text
We use Okta to sign you in to our application. Authentication cookies and security tokens are set by Okta on your behalf. Okta is operated by Okta, Inc. (USA) with our tenant data hosted in the EU cell.
Third-party domains contacted
- okta.com
- <tenant>.okta.com
- <tenant>.oktapreview.com
- okta-emea.com
- oktacdn.com
- auth0.com
- <tenant>.eu.auth0.com
- <tenant>.us.auth0.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sid | third party | Session | Okta authenticated session cookie set after successful sign in; strictly necessary for the authenticated experience. |
| DT | third party | 1 year | Device token used by Okta to recognise a known device during sign in and to power device based MFA policies. |
| JSESSIONID | third party | Session | Back end application server session cookie for the Okta sign in service. |
| t | third party | Session | CSRF protection token used during the Okta sign in flow. |
| proximity_<...> | third party | 30 days | Optional Okta cookie used by Okta FastPass and proximity based authentication features. |
| auth0 | third party | Session | Auth0 session cookie set on the Auth0 hosted login page (.auth0.com) for the duration of an authentication session. |
| auth0_compat | third party | Session | Fallback copy of the auth0 session cookie set without the SameSite=None attribute, for older browsers that mishandle SameSite=None. |
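A practitioner will want to verify that the cookies a tenant's sign-in flow actually sets match the inventory above and the domain list, rather than trusting the table. The script below is an added example, not code from Okta, Auth0 or the original page: it takes Set-Cookie headers captured from a sign-in flow (here a constructed sample in the shape a proxy or browser devtools export produces, not real Okta responses; the tenant names and the tracker host are invented), classifies each cookie as strictly necessary, optional, or not in the inventory, flags cookies set by hosts outside the Okta/Auth0 domain list, records session versus persistent lifetime for the consent record, and reports missing Secure, HttpOnly and SameSite attributes.

```python
"""Audit the cookies a hosted Okta / Auth0 sign-in flow actually sets.

Added example, not code from Okta, Auth0 or the original page: it classifies
captured Set-Cookie headers against the inventory in the table above, flags
cookies the inventory does not cover or that come from an unexpected host,
and reports weak cookie attributes.
"""

# Cookie inventory from the table above (name -> purpose).
STRICTLY_NECESSARY = {
    "sid": "Okta authenticated session",
    "DT": "Okta device token for device-based MFA policies",
    "JSESSIONID": "Okta back-end session",
    "t": "Okta CSRF token",
    "auth0": "Auth0 hosted login session",
    "auth0_compat": "Auth0 SameSite=None fallback session",
}
# Optional cookies are prefix-matched and need an individual assessment.
OPTIONAL_PREFIXES = ("proximity_",)
# Session cookies for which a missing HttpOnly is a finding; the CSRF token
# cookie t is left out because a double-submit token may need to be JS-readable.
SESSION_COOKIES = {"sid", "JSESSIONID", "auth0", "auth0_compat"}
# Domains from the "Third-party domains contacted" list; each suffix also
# matches its bare apex, so okta.com and acme.okta.com both pass.
EXPECTED_HOST_SUFFIXES = (".okta.com", ".oktapreview.com", ".okta-emea.com",
                          ".oktacdn.com", ".auth0.com")

# Constructed sample of (host, Set-Cookie header) pairs; not real Okta/Auth0 responses.
SAMPLE_RESPONSES = [
    ("acme.okta.com", "sid=s1; Path=/; Secure; HttpOnly; SameSite=None"),
    ("acme.okta.com", "DT=d1; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Secure; HttpOnly"),
    ("acme.okta.com", "t=c1; Path=/; Secure; SameSite=Lax"),
    ("acme.okta.com", "JSESSIONID=j1; Path=/; Secure; HttpOnly"),
    ("acme.eu.auth0.com", "auth0=a1; Path=/; Secure; HttpOnly; SameSite=None"),
    ("acme.eu.auth0.com", "auth0_compat=a1; Path=/; Secure; HttpOnly"),
    ("acme.okta.com", "proximity_abc=1; Max-Age=2592000; Secure"),
    ("acme.okta.com", "_ga=GA1.2.1; Max-Age=63072000"),  # analytics on the login page
    ("cdn.tracker.example", "tid=42; Secure"),            # host outside the Okta/Auth0 list
]


def parse_set_cookie(header):
    """Return (name, attrs) for one Set-Cookie header; attribute keys are
    lower-cased and flag attributes map to True. The value is not needed here."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, has_value, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip() if has_value else True
    return name, attrs


def is_expected_host(host):
    host = host.lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in EXPECTED_HOST_SUFFIXES)


def classify(name):
    if name in STRICTLY_NECESSARY:
        return "strictly necessary"
    if name.startswith(OPTIONAL_PREFIXES):
        return "optional, assess individually"
    return "not in inventory, consent assessment required"


def lifetime(attrs):
    # Persistent cookies carry Max-Age or Expires; everything else is session-scoped.
    for attr in ("max-age", "expires"):
        if attr in attrs:
            return f"persistent ({attr}={attrs[attr]})"
    return "session"


def attribute_findings(name, attrs):
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if name in SESSION_COOKIES and "httponly" not in attrs:
        findings.append("session cookie without HttpOnly")
    samesite = attrs.get("samesite")
    if samesite is None:  # expected for auth0_compat, which exists to omit SameSite=None
        findings.append("no SameSite attribute (browser default applies)")
    elif str(samesite).lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure is rejected by browsers")
    return findings


def audit(responses):
    report = []
    for host, header in responses:
        name, attrs = parse_set_cookie(header)
        report.append({"host": host, "name": name, "category": classify(name),
                       "expected_host": is_expected_host(host),
                       "lifetime": lifetime(attrs), "findings": attribute_findings(name, attrs)})
    return report


def needs_consent_review(report):
    # Rows that cannot simply be listed under Strictly Necessary / Okta, Inc.
    return [r for r in report if r["category"] != "strictly necessary" or not r["expected_host"]]


if __name__ == "__main__":
    for row in audit(SAMPLE_RESPONSES):
        host_flag = "" if row["expected_host"] else "  [host not in expected list]"
        print(f"{row['host']:20} {row['name']:14} {row['category']:46} {row['lifetime']}{host_flag}")
        for finding in row["findings"]:
            print(f"{'':20} - {finding}")
```

Run against a real capture, the rows returned by needs_consent_review are the ones that cannot go under Strictly Necessary in the consent tool: on the constructed sample that is the proximity cookie (optional feature), the _ga analytics cookie on the login page, and the cookie from a host outside the Okta/Auth0 list. The missing SameSite finding on auth0_compat is expected, since that cookie exists precisely to omit the attribute.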
Okta sets sid (session cookie), DT (device token), JSESSIONID (back end session) and t (CSRF protection) on its hosted authentication domain. These cookies are strictly necessary for sign in and exempt from the consent requirement. Auth0 adds auth0 and auth0_compat session cookies.
Not for the authentication cookies and tokens themselves, since they are strictly necessary. Yes for any optional analytics or marketing widgets on the login page and for behavioural risk features that go beyond strictly necessary security.
Contract performance (Art. 6(1)(b) GDPR) for the authentication service; legal obligation (Art. 6(1)(c)) where audit log retention is mandated by law (for example NIS2 transpositions or eIDAS); and legitimate interest (Art. 6(1)(f)) for fraud and bot prevention and for retention driven by voluntary frameworks such as ISO 27001, which is a standard rather than a legal obligation.
With an EU cell, persistent data stays in the EU. Okta, Inc. (USA) still has support and security access. Transfers rely on the EU-US Data Privacy Framework certification, EU SCCs in the Okta DPA and a public list of sub-processors.
For workforce identity on a small workforce, a lightweight DPIA usually suffices. For customer identity at scale, public administration or regulated industries, conduct a full DPIA covering the cell, transfers, audit logs and any custom risk signals.
Pick an EU cell, sign the Okta DPA, configure SSO and MFA for admin access, limit audit log retention to what your obligations require, mention Okta and Auth0 as processors in the privacy policy, and disable optional behavioural risk features that you have not assessed.
Alternatives with EU hosting: Ory (Germany), FusionAuth (US vendor, self-hostable in the EU), Keycloak (open source, Red Hat), Microsoft Entra ID (US vendor, EU data residency available), and self-hostable OpenID Connect providers such as WSO2 Identity Server and Authentik. For consumer identity, Auth0 offers EU regions, but Auth0 is part of Okta, so an EU region changes where data is hosted, not the controller.
List the Okta cookies (sid, DT, JSESSIONID, t) under Strictly Necessary with provider Okta, Inc. (USA), the purpose (authentication and session management), the retention (session for sid, JSESSIONID and t; up to one year for the DT device token) and the transfer mechanism (Data Privacy Framework and SCCs).