Aller au contenu
Vérifié indépendamment · Ré-audit trimestriel
EU VETTED

NordPass

VéRIFIé
Gestionnaires de mots de passe · Lithuania
Fondé en 2019 · nordpass.com ↗

Lithuanian password manager by Nord Security, zero-knowledge XChaCha20, ISO 27001 + SOC 2, but hosted on AWS (US): material CLOUD Act exposure.

En bref

NordPass, dans la catégorie Gestionnaires de mots de passe, propose un hébergement dans l’UE avec Lithuania comme lieu d’hébergement, mais une maison mère ou un sous-traitant américain laisse une exposition matérielle au CLOUD Act.

Notes d’évaluation

NordPass is the password manager of Nord Security, the Lithuanian cybersecurity group (Vilnius; founded 2019, also behind NordVPN, NordLayer, NordLocker, NordStellar). The product itself is genuinely strong (zero-knowledge XChaCha20 end-to-end encryption, voluntary independent audits, ISO/IEC 27001 + SOC 2 attested), but the infrastructure is hosted on AWS (a US-owned hyperscaler), which is material CLOUD Act exposure even with zero-knowledge encryption mitigating the practical risk, and the Nord Security cap-table includes US VC (General Catalyst co-led the 2022 round). Key gaps: AWS-hosted (US-owned sub-processor), US venture capital on the cap table, sub-processor list not confirmed at audit.

CLOUD ACT
OWNERSHIP
SUB-PROCS
non divulgué
Signaux vérifiés
Juridiction
  • Hébergement UE / adéquation
  • Opérateur UE / adéquation
  • Aucune exposition au CLOUD Act
Transparence
  • DPA public
  • Sous-traitants divulgués
  • Clients open source
  • Certification tierce
JUMP TO
OVERVIEW

À propos de NordPass

NordPass is the password-manager product of Nord Security, the Lithuanian cybersecurity company headquartered in Vilnius and best known for NordVPN. NordPass launched in 2019 and sits alongside NordVPN, NordLayer, NordLocker and NordStellar in the Nord Security portfolio. As a product it is well-built: zero-knowledge architecture with XChaCha20 end-to-end encryption (data encrypted on-device before it leaves), passkey support, integrated 2FA, secure sharing, data-breach scanning, and a business tier with SSO, activity logging and admin controls. The company voluntarily undergoes independent security audits and holds ISO/IEC 27001 and SOC 2 attestations, plus HIPAA alignment and FIDO Alliance compliance.

For an EU-sovereignty audit, however, NordPass is mid-table rather than top-tier, and the reason is infrastructure, not product quality. NordPass states plainly that it is "hosted on AWS": Amazon Web Services is a US-owned hyperscaler, so even with EU-region placement the data-at-rest sits with a US-incorporated processor subject to the CLOUD Act. That structural exposure is classified as material CLOUD Act exposure. The zero-knowledge encryption is a genuine and important mitigation (AWS holds only encrypted blobs Nord cannot decrypt and AWS cannot read), but it does not change the ownership classification of the infrastructure. Separately, the Nord Security ownership chain includes US venture capital: the 2022 $100M round was co-led by General Catalyst (US) alongside Novator (Iceland) and Burda (Germany); the group uses multiple legal entities across jurisdictions, so the precise NordPass operating entity should be confirmed against the Lithuanian register before the listing goes live.

Pricing is freemium: a free tier limited to one active device; Premium at roughly €1.50-2/month on longer plans; Family and Business tiers above. The NordPass pricing page did not render concrete figures to automated fetching at audit, so the EUR entry is approximate. Best fit: individuals and businesses already inside the Nord ecosystem, and buyers who prioritise audited product security and prize zero-knowledge encryption over strict hosting sovereignty. EU buyers who need a clean no-US-infrastructure posture should prefer Proton Pass (CH), Passbolt (LU, self-hostable) or Psono (DE, self-hostable).

SUB-PROCESSORS

Carte des sous-traitants · non divulgué

L'éditeur ne publie pas de liste de sous-traitants. La conformité Schrems II et l'exposition au CLOUD Act ne peuvent pas être vérifiées indépendamment sans elle.
CERTIFICATIONS

Référentiels & certifications

ISO/IEC 27001
ACTIVE
SOC 2
ACTIVE
Information · cadre US
FEATURES

Matrice de fonctionnalités

Passkeys Oui
Remplissage auto Oui
Surveillance des fuites Oui
Partage familial Oui
Export des données Oui
Appareils Illimité
Plateformes iOS macOS Windows Android Linux Web
INTéGRATION & ACCèS
REST API No
SSO (SAML / OIDC) Yes
CONFORMITé & GOUVERNANCE
Audit log Yes
Self-host / on-prem option No
PRICING

Tarifs & paliers

FREEMIUM
à partir de €2/mois
Voir la page tarifs ↗
PUBLIC DOCUMENTS

Documents publics

L'éditeur ne publie pas de liste de sous-traitants. La conformité Schrems II et l'exposition au CLOUD Act ne peuvent pas être vérifiées indépendamment sans elle.
  • Contrat de sous-traitance (DPA)
    business.nordsec.com/legal…
    Ouvrir ↗
  • Liste des sous-traitants
    — manquant
    manquant
  • Conditions d'utilisation
    my.nordaccount.com/legal…
    Ouvrir ↗
ALTERNATIVES

Alternatives dans cette catégorie

heylogin
Germany · Fondé en 2021
SOUVERAIN UE

German passwordless zero-knowledge password manager (heylogin GmbH, Braunschweig), all-German sub-processor stack, ISO 27001:2022, no CLOUD Act exposure.

DPA public Sous-traitants Open source
FROM
€4/mois
CLOUD ACT
NONE
KeePassXC
Germany · Fondé en 2016
SOUVERAIN UE

GPLv3 fully-offline desktop password manager (KeePassXC Team, Weimar DE, est. 2016): no cloud, no servers, no telemetry; structurally zero CLOUD Act exposure.

DPA public Sous-traitants Open source
FROM
CLOUD ACT
NONE
LC-Pass
Germany
SOUVERAIN UE

German-hosted business password manager from LC by vBoxx GmbH; collections, group sharing, central management, unlimited devices; an EU-hosted 1Password / LastPass alternative.

DPA public Sous-traitants Open source
FROM
€3.99/mois
CLOUD ACT
NONE