Abstract: A system and method for protecting user data using a key escrow service. The key escrow service may be hosted by a service provider to integrate Identity Access Management (IAM) solutions, such as Single-Sign-On (SSO) and/or System for Cross-domain Identity Management (SCIM), with a zero-knowledge service, such as a password manager or other service handling sensitive user data. In examples, secure enclave technology may be used to allow the service provider to host and manage the key escrow service without being able to access any cryptographic key used and/or stored within a secure enclave. Accordingly, in some aspects, the service provider may have the ability to store users' secret keys for SSO and sharing keys for SCIM in a trusted, secure storage location without breaking the zero-knowledge principles of the infrastructure.