Aller au contenu
Vérifié indépendamment · Ré-audit trimestriel
EU VETTED

heylogin

VéRIFIé
Gestionnaires de mots de passe · Germany
Fondé en 2021 · heylogin.com ↗

German passwordless zero-knowledge password manager (heylogin GmbH, Braunschweig), all-German sub-processor stack, ISO 27001:2022, no CLOUD Act exposure.

En bref

heylogin, dans la catégorie Gestionnaires de mots de passe, est un service sous contrôle européen avec Germany comme lieu d’hébergement et aucune exposition identifiée au CLOUD Act.

Notes d’évaluation

heylogin GmbH (Sophienstr. 40, 38118 Braunschweig; HRB 207299 Amtsgericht Braunschweig; founders Dr. Dominik Schürmann & Vincent Breitmoser, ex-TU Braunschweig) is a passwordless, zero-knowledge password manager whose vault is end-to-end encrypted (Curve25519 / XSalsa20-Poly1305 / Argon2 / age, BSI TR-02102-1 aligned) so the cloud is a pure transport/storage layer that cannot decrypt customer data. Every sub-processor is German with no third-country transfer: Hetzner (Nuremberg production + Falkenstein standby), IONOS (Frankfurt S3 backups), Myra Security (Munich, DDoS + CDN, a German CDN, not Cloudflare US), and Heinlein/mailbox.org (Berlin, transactional email); and the ISMS is ISO 27001:2022 certified with a publicly downloadable DPA and detailed sub-processor annex. The only US touchpoints are non-data: Mozilla Ventures' minority 2022 pre-seed stake, the Webflow-hosted marketing site (explicitly separated from the product on heylogin.app, holds no customer data), and user-side phone backups of the recovery seed to the user's own Google/Apple platform account. EU-owned, EU-hosted (Germany only), DPA + sub-processors public, no Cloudflare US, no CLOUD Act exposure → 5/5.

CLOUD ACT
OWNERSHIP
SUB-PROCS
0 aucun divulgué
Signaux vérifiés
Juridiction
  • Hébergement UE / adéquation
  • Opérateur UE / adéquation
  • Aucune exposition au CLOUD Act
Transparence
  • DPA public
  • Sous-traitants divulgués
  • Clients open source
  • Certification tierce
JUMP TO
OVERVIEW

À propos de heylogin

heylogin is a passwordless, zero-knowledge password manager built by heylogin GmbH in Braunschweig, Germany, a company spun out of IT-security research at TU Braunschweig by Dr. Dominik Schürmann (CEO) and Vincent Breitmoser (CTO), and originally incorporated as Confidential Technologies GmbH in 2018 before relaunching under the heylogin brand with the product's 2021 release. Its distinguishing idea is that there is no master password: the vault is unlocked and synced using the security chip in the user's smartphone (and FIDO2 keys, Touch ID, Windows Hello), with a "swipe to login" confirmation and a 1-click browser overlay that automates the actual website sign-in. The second factor is built into the vault encryption itself rather than bolted on as a separate login step.

For an EU-sovereignty audit heylogin is best-in-class. The vault is end-to-end encrypted on the device before it ever reaches the cloud (Curve25519, XSalsa20-Poly1305, Argon2 key-stretching, age for at-rest backups, aligned to BSI TR-02102-1), so the heylogin cloud is a pure transport-and-storage layer with no ability to decrypt customer data. Every sub-processor is German with no third-country transfer: Hetzner Online (production in Nuremberg, standby in Falkenstein), IONOS (S3 backups in Frankfurt), Myra Security (Munich) for DDoS protection and CDN (a German CDN rather than Cloudflare US), and Heinlein Hosting / mailbox.org (Berlin) for transactional email. The ISMS is ISO 27001:2022 certified, the DPA and a detailed sub-processor annex are publicly downloadable without a login, and all data centres are ISO 27001-certified Hetzner facilities running on renewable electricity. The only US touchpoints are non-data: a minority Mozilla Ventures pre-seed stake (2022), the Webflow-hosted marketing site that is explicitly separated from the product on heylogin.app, and user-side recovery-seed backups to the user's own Google/Apple account.

Pricing is freemium: a free Private tier for individuals; Business at €3.99/user/month billed yearly (€4.99 monthly) adding user/team management plus Entra ID, Google Workspace and CSV provisioning; and a yearly Enterprise tier (50+ seats) adding audit logs, Pwnitoring breach monitoring, optional on-premises backup and phone support. A separate Enterprise-for-MSPs tier and an EVB-IT cloud contract for European public-sector buyers are available. Best fit: German and EU SMBs, MSPs and public-sector buyers that want a passwordless, ISO 27001-certified vault with a genuinely all-German processing stack and zero CLOUD Act exposure. Buyers wanting open-source instead should compare Passbolt or Psono.

SUB-PROCESSORS

Carte des sous-traitants · aucun divulgué

Source ↗
L'éditeur déclare zéro sous-traitant. Tout le traitement des données se fait en interne.
CERTIFICATIONS

Référentiels & certifications

ISO/IEC 27001
ACTIVE
FEATURES

Matrice de fonctionnalités

Passkeys Non
Remplissage auto Oui
Surveillance des fuites Oui
Partage familial Non
Export des données Oui
Appareils Illimité
Plateformes iOS Android Windows macOS Web
INTéGRATION & ACCèS
REST API No
SSO (SAML / OIDC) Yes
CONFORMITé & GOUVERNANCE
Audit log Yes
Self-host / on-prem option No
PRICING

Tarifs & paliers

FREEMIUM
à partir de €4/mois
Voir la page tarifs ↗
PUBLIC DOCUMENTS

Documents publics

  • Contrat de sous-traitance (DPA)
    www.heylogin.com/en…
    Ouvrir ↗
  • Liste des sous-traitants
    www.heylogin.com/en…
    Ouvrir ↗
  • Conditions d'utilisation
    www.heylogin.com/en…
    Ouvrir ↗
ALTERNATIVES

Alternatives dans cette catégorie

KeePassXC
Germany · Fondé en 2016
SOUVERAIN UE

GPLv3 fully-offline desktop password manager (KeePassXC Team, Weimar DE, est. 2016): no cloud, no servers, no telemetry; structurally zero CLOUD Act exposure.

DPA public Sous-traitants Open source
FROM
CLOUD ACT
NONE
LC-Pass
Germany
SOUVERAIN UE

German-hosted business password manager from LC by vBoxx GmbH; collections, group sharing, central management, unlimited devices; an EU-hosted 1Password / LastPass alternative.

DPA public Sous-traitants Open source
FROM
€3.99/mois
CLOUD ACT
NONE
NordPass
Lithuania · Fondé en 2019
HéBERGé UE

Lithuanian password manager by Nord Security, zero-knowledge XChaCha20, ISO 27001 + SOC 2, but hosted on AWS (US): material CLOUD Act exposure.

DPA public Sous-traitants Open source
FROM
€2/mois
CLOUD ACT
MATERIAL