Customer Portal & IAM — Security From Day One, Included in Every Krafteq Engagement

Both components are delivered together. The IAM provides centralised login with Keycloak — email and password, optional SSO via OIDC, MFA, roles, audit log, tenant separation, and a GDPR-compliant account lifecycle. The Customer Portal is the web interface between you and krafteq: project status, contracts, Data Processing Agreements (DPAs), tickets, releases, invoices, and backup status — all in one place. Both are active from day one, as soon as your software goes live.

The Portal and IAM are not sold separately. Both are core components of every Krafteq package — no extra charge, no separate licence. The operation of the Portal and IAM is already included in the Krafteq Cloud subscription from €250 per year per software (first year included). We deliberately do not communicate a unit price, because bundling is the point: you receive the complete productised stack, not a minimal login solution with costly extensions.

If your business uses Microsoft 365, we configure Single Sign-On via OIDC against Microsoft Entra ID. Your staff sign in with their familiar Microsoft account; on- and offboarding runs centrally through your Microsoft 365 user management. Setup typically takes a few hours on the Krafteq side and requires an OIDC app registration in your Microsoft tenant. The standard email-and-password login remains available in parallel.

Standard retention is a minimum of 30 days. Audit logs are exportable as structured data and contain login events, role changes, critical data access events, and account lifecycle actions. Longer retention periods — for example, if your own information security management system (ISMS) policy requires 12 or 24 months — are calculated transparently as an add-on within Krafteq Cloud.

The right to erasure (Art. 17 GDPR) is implemented in the IAM and in the Portal. We can delete individual accounts and associated personal data in a GDPR-compliant manner — either via self-service by you as the account owner, or upon written request. Audit log entries containing personal data are anonymised or deleted in the same operation, unless a statutory retention obligation applies.

Yes — custom branding is standard. You use the Portal under your own domain (for example, portal.yourbusiness.com) and your own logo. Colours and fonts can be adjusted. What we deliberately do not offer is a fully white-labelled portal with an independent brand and no Krafteq association — that is not compatible with the productised model.

No. The Portal is the relationship layer between your business and krafteq — not a resale tool for an independent brand. Branding (logo, domain, colours) is possible; independent IP is not. If you wish to distribute software under your own brand, that is a different engagement model and not a small-business package — please raise it with us in a free consultation.

No. Each Krafteq client is a separate, strictly isolated tenant within the IAM. Federated identity spanning multiple clients — whereby a login at client A simultaneously grants access at client B — is deliberately not supported, as it would undermine tenant separation. Within your own tenant, you can use SSO against Microsoft 365 or Google Workspace.

In that case you use the standard login with email and password, optionally with MFA. That is the default — no Microsoft account, no Google account required. Self-service password reset via confirmed email delivery is standard, so you can invite your staff without any IT effort. Should you wish to introduce SSO at a later stage, it can be configured retrospectively without any loss of data.

Each Krafteq client receives a dedicated logical tenant in Keycloak (a Realm) and a dedicated database instance or at minimum a dedicated schema. Application logic enforces tenant membership at every data layer. A user belonging to one client can never access — technically or logically — the data of another client. Audit log entries are likewise separated per tenant.