German passwordless zero-knowledge password manager (heylogin GmbH, Braunschweig), all-German sub-processor stack, ISO 27001:2022, no CLOUD Act exposure.
- FROM
- €4/Mt.
- CLOUD ACT
- NONE
Zusammenfassung aus Eigentümerschaft und CLOUD-Act-Risiko.
Lithuanian password manager by Nord Security, zero-knowledge XChaCha20, ISO 27001 + SOC 2, but hosted on AWS (US): material CLOUD Act exposure.
NordPass aus der Kategorie Passwort-Manager bietet EU-Hosting mit Lithuania als Hosting-Standort, doch ein US-Mutterkonzern oder Unterauftragsverarbeiter hinterlässt ein materielles CLOUD-Act-Risiko.
NordPass is the password manager of Nord Security, the Lithuanian cybersecurity group (Vilnius; founded 2019, also behind NordVPN, NordLayer, NordLocker, NordStellar). The product itself is genuinely strong (zero-knowledge XChaCha20 end-to-end encryption, voluntary independent audits, ISO/IEC 27001 + SOC 2 attested), but the infrastructure is hosted on AWS (a US-owned hyperscaler), which is material CLOUD Act exposure even with zero-knowledge encryption mitigating the practical risk, and the Nord Security cap-table includes US VC (General Catalyst co-led the 2022 round). Key gaps: AWS-hosted (US-owned sub-processor), US venture capital on the cap table, sub-processor list not confirmed at audit.
Wie stark Kundendaten US-Behörden nach dem CLOUD Act (Clarifying Lawful Overseas Use of Data Act) ausgesetzt sind.
Wo die letztliche Kontrolle über das Betreiberunternehmen liegt.
NordPass is the password-manager product of Nord Security, the Lithuanian cybersecurity company headquartered in Vilnius and best known for NordVPN. NordPass launched in 2019 and sits alongside NordVPN, NordLayer, NordLocker and NordStellar in the Nord Security portfolio. As a product it is well-built: zero-knowledge architecture with XChaCha20 end-to-end encryption (data encrypted on-device before it leaves), passkey support, integrated 2FA, secure sharing, data-breach scanning, and a business tier with SSO, activity logging and admin controls. The company voluntarily undergoes independent security audits and holds ISO/IEC 27001 and SOC 2 attestations, plus HIPAA alignment and FIDO Alliance compliance.
For an EU-sovereignty audit, however, NordPass is mid-table rather than top-tier, and the reason is infrastructure, not product quality. NordPass states plainly that it is "hosted on AWS": Amazon Web Services is a US-owned hyperscaler, so even with EU-region placement the data-at-rest sits with a US-incorporated processor subject to the CLOUD Act. That structural exposure is classified as material CLOUD Act exposure. The zero-knowledge encryption is a genuine and important mitigation (AWS holds only encrypted blobs Nord cannot decrypt and AWS cannot read), but it does not change the ownership classification of the infrastructure. Separately, the Nord Security ownership chain includes US venture capital: the 2022 $100M round was co-led by General Catalyst (US) alongside Novator (Iceland) and Burda (Germany); the group uses multiple legal entities across jurisdictions, so the precise NordPass operating entity should be confirmed against the Lithuanian register before the listing goes live.
Pricing is freemium: a free tier limited to one active device; Premium at roughly €1.50-2/month on longer plans; Family and Business tiers above. The NordPass pricing page did not render concrete figures to automated fetching at audit, so the EUR entry is approximate. Best fit: individuals and businesses already inside the Nord ecosystem, and buyers who prioritise audited product security and prize zero-knowledge encryption over strict hosting sovereignty. EU buyers who need a clean no-US-infrastructure posture should prefer Proton Pass (CH), Passbolt (LU, self-hostable) or Psono (DE, self-hostable).
German passwordless zero-knowledge password manager (heylogin GmbH, Braunschweig), all-German sub-processor stack, ISO 27001:2022, no CLOUD Act exposure.
GPLv3 fully-offline desktop password manager (KeePassXC Team, Weimar DE, est. 2016): no cloud, no servers, no telemetry; structurally zero CLOUD Act exposure.
German-hosted business password manager from LC by vBoxx GmbH; collections, group sharing, central management, unlimited devices; an EU-hosted 1Password / LastPass alternative.