Luxembourg-incorporated AGPLv3 open-source team password manager (Passbolt SA), SOC 2 Type II, self-hostable, used by LU/FR government.
- FROM
- €5/mo
- CLOUD ACT
- NONE
Canadian-founded password manager, AgileBits Inc., now US-headquartered (Toronto + SF).
Passbolt (Luxembourg, Belvaux), Proton Pass (Switzerland, Geneva), and Psono (Germany) are the strongest European alternatives to 1Password on EU Vetted's editorial assessment. All three are EU- or Swiss-owned and hosted and ship end-to-end encryption by default (CLOUD Act exposure, Passbolt: None, Proton Pass: None, Psono: Material). For team password sharing with open-source auditability, Passbolt is the top pick. For individuals already in the Proton ecosystem, Proton Pass is the smoothest switch.
DISCLOSURE Some links on this site are affiliate links. We may earn a commission at no extra cost to you. Editorial signals and rankings are never influenced by affiliate relationships.
Ordered by feature parity and migration friction, which is weighted higher than feature breadth.
Luxembourg-incorporated AGPLv3 open-source team password manager (Passbolt SA), SOC 2 Type II, self-hostable, used by LU/FR government.
Swiss zero-knowledge password manager (Proton AG / Proton Foundation), open-source apps + extensions, Cure53-audited, free unlimited tier.
German Apache-2.0 open-source team password manager (esaqa GmbH), self-hostable on EU infrastructure, Cure53-audited 2026, free up to 10 users.
All 11 alternatives, benchmarked against 1Password.
Luxembourg-incorporated AGPLv3 open-source team password manager (Passbolt SA), SOC 2 Type II, self-hostable, used by LU/FR government.
Swiss zero-knowledge password manager (Proton AG / Proton Foundation), open-source apps + extensions, Cure53-audited, free unlimited tier.
German Apache-2.0 open-source team password manager (esaqa GmbH), self-hostable on EU infrastructure, Cure53-audited 2026, free up to 10 users.
Swiss zero-knowledge password manager (pCloud AG, Baar), client-side AES-256, free single-device tier, Luxembourg or US data residency.
Lithuanian password manager by Nord Security, zero-knowledge XChaCha20, ISO 27001 + SOC 2, but hosted on AWS (US): material CLOUD Act exposure.
Danish business password & access manager (Uniqkey A/S, Copenhagen), Danish-hosted, zero-knowledge E2E, ISO 27001, EIFO-backed, NIS2-focused.
German AGPLv3 open-source password manager (MaKleSoft, Bavaria), audited 3×, self-hostable, but hosted cloud uses Stripe + defunct Privacy Shield ref.
AGPLv3 Rust Bitwarden-compatible server by Daniel García (Spain), self-host-only, no company, no telemetry; EU-maintained, no CLOUD Act exposure when run on EU infrastructure.
GPLv3 fully-offline desktop password manager (KeePassXC Team, Weimar DE, est. 2016): no cloud, no servers, no telemetry; structurally zero CLOUD Act exposure.
German-hosted business password manager from LC by vBoxx GmbH; collections, group sharing, central management, unlimited devices; an EU-hosted 1Password / LastPass alternative.
German passwordless zero-knowledge password manager (heylogin GmbH, Braunschweig), all-German sub-processor stack, ISO 27001:2022, no CLOUD Act exposure.
| Product | Hosting | Sovereignty | Cert. | Pricing | Signals | Open |
|---|---|---|---|---|---|---|
|
1Password
benchmark · US
|
— |
US-LINKED | SOC 2 no EU framework |
Freemium |
E2E
Public DPA
Sub-processors
Open source
|
|
|
Luxembourg-incorporated AGPLv3 open-source team password manager (Passbolt SA), SOC 2 Type II, self-hostable, used by LU/FR government.
|
BELVAUX · LU
Luxembourg
|
SOVEREIGNTY
A single roll-up of ownership and CLOUD Act exposure.
|
SOC 2
|
Freemium
€5 /mo
|
Public DPA
Sub-processors
Open source
|
→ |
|
Swiss zero-knowledge password manager (Proton AG / Proton Foundation), open-source apps + extensions, Cure53-audited, free unlimited tier.
|
GENEVA · CH
Switzerland
|
SOVEREIGNTY
A single roll-up of ownership and CLOUD Act exposure.
|
— |
Freemium
€2 /mo
|
Public DPA
Sub-processors
Open source
|
→ |
|
German Apache-2.0 open-source team password manager (esaqa GmbH), self-hostable on EU infrastructure, Cure53-audited 2026, free up to 10 users.
|
DE
Germany
|
SOVEREIGNTY
A single roll-up of ownership and CLOUD Act exposure.
|
ISO/IEC 27001
|
Freemium
€0 /mo
|
Public DPA
Sub-processors
Open source
|
→ |
|
Swiss zero-knowledge password manager (pCloud AG, Baar), client-side AES-256, free single-device tier, Luxembourg or US data residency.
|
LU
Luxembourg
|
SOVEREIGNTY
A single roll-up of ownership and CLOUD Act exposure.
|
— |
Freemium
€30 /mo
|
Public DPA
Sub-processors
Open source
|
→ |
|
Lithuanian password manager by Nord Security, zero-knowledge XChaCha20, ISO 27001 + SOC 2, but hosted on AWS (US): material CLOUD Act exposure.
|
—
Lithuania
|
SOVEREIGNTY
A single roll-up of ownership and CLOUD Act exposure.
|
ISO/IEC 27001
SOC 2
|
Freemium
€2 /mo
|
Public DPA
Sub-processors
Open source
|
→ |
|
Danish business password & access manager (Uniqkey A/S, Copenhagen), Danish-hosted, zero-knowledge E2E, ISO 27001, EIFO-backed, NIS2-focused.
|
DK
Denmark
|
SOVEREIGNTY
A single roll-up of ownership and CLOUD Act exposure.
|
ISO/IEC 27001
|
Paid |
Public DPA
Sub-processors
Open source
|
→ |
|
German AGPLv3 open-source password manager (MaKleSoft, Bavaria), audited 3×, self-hostable, but hosted cloud uses Stripe + defunct Privacy Shield ref.
|
—
Germany
|
SOVEREIGNTY
A single roll-up of ownership and CLOUD Act exposure.
|
— |
Freemium
€3 /mo
|
Public DPA
Sub-processors
Open source
|
→ |
|
AGPLv3 Rust Bitwarden-compatible server by Daniel García (Spain), self-host-only, no company, no telemetry; EU-maintained, no CLOUD Act exposure when run on EU infrastructure.
|
—
Spain
|
SOVEREIGNTY
A single roll-up of ownership and CLOUD Act exposure.
|
— | Free |
Public DPA
Sub-processors
Open source
|
→ |
|
GPLv3 fully-offline desktop password manager (KeePassXC Team, Weimar DE, est. 2016): no cloud, no servers, no telemetry; structurally zero CLOUD Act exposure.
|
—
Germany
|
SOVEREIGNTY
A single roll-up of ownership and CLOUD Act exposure.
|
— | Free |
Public DPA
Sub-processors
Open source
|
→ |
|
German-hosted business password manager from LC by vBoxx GmbH; collections, group sharing, central management, unlimited devices; an EU-hosted 1Password / LastPass alternative.
|
FRANKFURT · DE
Germany
|
SOVEREIGNTY
A single roll-up of ownership and CLOUD Act exposure.
|
ISO/IEC 27001
|
Paid
€3.99 /mo
|
Public DPA
Sub-processors
Open source
|
→ |
|
German passwordless zero-knowledge password manager (heylogin GmbH, Braunschweig), all-German sub-processor stack, ISO 27001:2022, no CLOUD Act exposure.
|
NUREMBERG · DE
Germany
|
SOVEREIGNTY
A single roll-up of ownership and CLOUD Act exposure.
|
ISO/IEC 27001
|
Freemium
€4 /mo
|
Public DPA
Sub-processors
Open source
|
→ |
Beyond compliance: how these alternatives compare on the capabilities you actually use day to day.
| Feature | Passbolt | Proton Pass | Psono | pCloud Pass | NordPass | Uniqkey | Padloc | Vaultwarden | KeePassXC | LC-Pass | heylogin |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Passkeys | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | ||
| Autofill | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| Breach monitoring | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes | |
| Family sharing | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | No | No | No |
| Data export | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | ||
| Devices | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited | |
| Platforms | iOS Android Windows Linux | iOS macOS Windows Android Linux Web | iOS Android Web | iOS macOS Windows Android Linux Web | iOS macOS Windows Android Linux Web | iOS macOS Windows Android | iOS macOS Windows Android Linux Web | iOS macOS Windows Android Linux Web | macOS Windows Linux | Web | iOS Android Windows macOS Web |
Listed for transparency. Every product on this page is benchmarked against this baseline.
Listed for transparency. Every product on this page is benchmarked against this baseline.
Canadian-founded password manager, AgileBits Inc., now US-headquartered (Toronto + SF).
1Password is the most widely-adopted password manager for individuals, families, and small-to-mid-size teams, and it is operationally US-headquartered (AgileBits, Inc., Toronto and San Francisco) with US sub-processors and US-based venture capital. The cryptographic design (Secret Key plus zero-knowledge encryption) means the vendor cannot decrypt vault contents even when served with a US legal order, which is genuinely strong protection on its own terms. What still sends European buyers looking elsewhere is corporate ownership and vendor location rather than the cryptography, so this page checks four European alternatives against who legally owns the company, where the data physically sits, whether the vault is end-to-end encrypted, and whether the platform holds a recognised European compliance framework (ISO 27001, BSI C5, EUCS, SecNumCloud). Where EU-vendor preference is written procurement policy, the alternative search follows that policy rather than any technical compliance gap.
Before you move a single credential across: Passbolt is the strongest team-password-management pick with open-source code base and Luxembourg hosting (Luxembourg, Belvaux, EU-owned, EU-hosted, CLOUD Act exposure: None), Proton Pass is the smoothest individual-and-family alternative with the strongest privacy-flavoured ecosystem (Switzerland, Geneva, Swiss-owned, EU-hosted, CLOUD Act exposure: None), and Psono is the most self-hostable choice for organisations wanting maximum sovereignty (Germany, EU-owned, EU-hosted, open source + commercial cloud).
Most of what makes 1Password usable day to day survives the move intact:
A shorter list of things that do not yet carry over:
Moving a vault safely takes five steps, in this order.
Matching your situation to a starting pick:
Which of these four is right for you comes down to a single binding constraint, whether that is team-collaboration UX, integrated privacy ecosystem, self-hostability, or consumer bundle with cloud storage; use the comparison table above to sort by the one that applies to you.
For every product we read the public DPA, sub-processors document, hosting region declaration, and corporate ownership records. Each is timestamped. Signals are editorial, re-verified quarterly. We never accept self-attestation.
Reviewed by the EU Vetted editorial team · Editorial guidelines
Last verified May 2026