GPLv3 fully-offline desktop password manager (KeePassXC Team, Weimar DE, est. 2016): no cloud, no servers, no telemetry; structurally zero CLOUD Act exposure.
- FROM
- —
- CLOUD ACT
- NONE
Zusammenfassung aus Eigentümerschaft und CLOUD-Act-Risiko.
German passwordless zero-knowledge password manager (heylogin GmbH, Braunschweig), all-German sub-processor stack, ISO 27001:2022, no CLOUD Act exposure.
heylogin aus der Kategorie Passwort-Manager ist ein EU-eigener Dienst mit Germany als Hosting-Standort und ohne erkennbares CLOUD-Act-Risiko.
heylogin GmbH (Sophienstr. 40, 38118 Braunschweig; HRB 207299 Amtsgericht Braunschweig; founders Dr. Dominik Schürmann & Vincent Breitmoser, ex-TU Braunschweig) is a passwordless, zero-knowledge password manager whose vault is end-to-end encrypted (Curve25519 / XSalsa20-Poly1305 / Argon2 / age, BSI TR-02102-1 aligned) so the cloud is a pure transport/storage layer that cannot decrypt customer data. Every sub-processor is German with no third-country transfer: Hetzner (Nuremberg production + Falkenstein standby), IONOS (Frankfurt S3 backups), Myra Security (Munich, DDoS + CDN, a German CDN, not Cloudflare US), and Heinlein/mailbox.org (Berlin, transactional email); and the ISMS is ISO 27001:2022 certified with a publicly downloadable DPA and detailed sub-processor annex. The only US touchpoints are non-data: Mozilla Ventures' minority 2022 pre-seed stake, the Webflow-hosted marketing site (explicitly separated from the product on heylogin.app, holds no customer data), and user-side phone backups of the recovery seed to the user's own Google/Apple platform account. EU-owned, EU-hosted (Germany only), DPA + sub-processors public, no Cloudflare US, no CLOUD Act exposure → 5/5.
Wie stark Kundendaten US-Behörden nach dem CLOUD Act (Clarifying Lawful Overseas Use of Data Act) ausgesetzt sind.
Wo die letztliche Kontrolle über das Betreiberunternehmen liegt.
heylogin is a passwordless, zero-knowledge password manager built by heylogin GmbH in Braunschweig, Germany, a company spun out of IT-security research at TU Braunschweig by Dr. Dominik Schürmann (CEO) and Vincent Breitmoser (CTO), and originally incorporated as Confidential Technologies GmbH in 2018 before relaunching under the heylogin brand with the product's 2021 release. Its distinguishing idea is that there is no master password: the vault is unlocked and synced using the security chip in the user's smartphone (and FIDO2 keys, Touch ID, Windows Hello), with a "swipe to login" confirmation and a 1-click browser overlay that automates the actual website sign-in. The second factor is built into the vault encryption itself rather than bolted on as a separate login step.
For an EU-sovereignty audit heylogin is best-in-class. The vault is end-to-end encrypted on the device before it ever reaches the cloud (Curve25519, XSalsa20-Poly1305, Argon2 key-stretching, age for at-rest backups, aligned to BSI TR-02102-1), so the heylogin cloud is a pure transport-and-storage layer with no ability to decrypt customer data. Every sub-processor is German with no third-country transfer: Hetzner Online (production in Nuremberg, standby in Falkenstein), IONOS (S3 backups in Frankfurt), Myra Security (Munich) for DDoS protection and CDN (a German CDN rather than Cloudflare US), and Heinlein Hosting / mailbox.org (Berlin) for transactional email. The ISMS is ISO 27001:2022 certified, the DPA and a detailed sub-processor annex are publicly downloadable without a login, and all data centres are ISO 27001-certified Hetzner facilities running on renewable electricity. The only US touchpoints are non-data: a minority Mozilla Ventures pre-seed stake (2022), the Webflow-hosted marketing site that is explicitly separated from the product on heylogin.app, and user-side recovery-seed backups to the user's own Google/Apple account.
Pricing is freemium: a free Private tier for individuals; Business at €3.99/user/month billed yearly (€4.99 monthly) adding user/team management plus Entra ID, Google Workspace and CSV provisioning; and a yearly Enterprise tier (50+ seats) adding audit logs, Pwnitoring breach monitoring, optional on-premises backup and phone support. A separate Enterprise-for-MSPs tier and an EVB-IT cloud contract for European public-sector buyers are available. Best fit: German and EU SMBs, MSPs and public-sector buyers that want a passwordless, ISO 27001-certified vault with a genuinely all-German processing stack and zero CLOUD Act exposure. Buyers wanting open-source instead should compare Passbolt or Psono.
GPLv3 fully-offline desktop password manager (KeePassXC Team, Weimar DE, est. 2016): no cloud, no servers, no telemetry; structurally zero CLOUD Act exposure.
German-hosted business password manager from LC by vBoxx GmbH; collections, group sharing, central management, unlimited devices; an EU-hosted 1Password / LastPass alternative.
Lithuanian password manager by Nord Security, zero-knowledge XChaCha20, ISO 27001 + SOC 2, but hosted on AWS (US): material CLOUD Act exposure.