Password managers without US sub-processors
European password managers verified to run with no US sub-processors — compared on ownership, hosting region, CLOUD Act exposure and sub-processor chain.
The password managers listed here operate with no US sub-processors in the data path — an EU/EEA/Switzerland operator with no US parent and no US-incorporated processor, or software you run entirely yourself. Passbolt (Luxembourg — open-source, SOC 2 Type II, EU-hosted) and Uniqkey (Denmark, Copenhagen — Danish-hosted business access management) are the strongest managed team options; Psono (Germany) is the self-hostable open-source alternative, and KeePassXC (offline desktop) plus Vaultwarden (self-hosted, Bitwarden-compatible) remove the cloud operator entirely. Vault contents are end-to-end encrypted in all of them — the jurisdictional bar on this page concerns the account, metadata and service layer that encryption does not cover.
Password managers without US sub-processors, as listed on this page, means one of two things: a managed service whose operating company is incorporated in the EU, EEA or Switzerland, holds no US parent, and routes no customer data through a US-incorporated processor — or software that runs entirely under your own control, offline or self-hosted, so that no third-party operator exists in the first place. Both routes clear the same bar; they get there differently, and the listing marks which is which.
This category rewards strictness unusually well. Credentials are the keys to everything else an organisation runs, and the password manager's own service layer — accounts, metadata, sharing structures, the update channel — concentrates trust even when vault contents are end-to-end encrypted. The European field here is genuinely strong: open-source team products from Luxembourg and Germany, a Danish business access platform, and mature offline and self-hosted options. Every entry is sourced to the vendor's public documentation and re-verified quarterly.
The CLOUD Act extends US government reach to data held by any company subject to US jurisdiction, regardless of server location. Password managers are a special case in two directions at once. In one direction, end-to-end encryption genuinely limits what any operator could disclose — vault contents are unreadable without the user's master password, whoever holds the ciphertext. In the other, the service layer around the vault is more sensitive than in most SaaS: account identities map your organisation's people, vault metadata shows what exists and when it is used, team-sharing structures mirror your permission model, and the client-update channel can technically deliver whatever its controller ships.
That second direction is why jurisdiction still matters after encryption. A US-incorporated operator can be compelled to produce what it holds — metadata, account data — and is itself the supply chain for the clients that handle plaintext locally. The tools on this page either place that operator in an EU/EEA/Swiss jurisdiction with no US parent, or remove the operator entirely by putting the server, or the encrypted file itself, in your hands. Each listing records ownership, hosting and the sub-processor chain as separate, evidenced signals.
- KeePassXC
  GPLv3 fully-offline desktop password manager (KeePassXC Team, Weimar DE, est. 2016) — no cloud, no servers, no telemetry; structurally zero CLOUD Act exposure.
  EU-SOVEREIGN · 0 sub-procs
- Passbolt
  Luxembourg-incorporated AGPLv3 open-source team password manager (Passbolt SA), SOC 2 Type II, self-hostable, used by LU/FR government.
  EU-SOVEREIGN · LU · 0 sub-procs
- Psono
  German Apache-2.0 open-source team password manager (esaqa GmbH), self-hostable on EU infrastructure, Cure53-audited 2026, free up to 10 users.
  EU-SOVEREIGN · DE · 0 sub-procs
- Uniqkey
  Danish business password & access manager (Uniqkey A/S, Copenhagen), Danish-hosted, zero-knowledge E2E, ISO 27001, EIFO-backed, NIS2-focused.
  EU-SOVEREIGN · DK · 0 sub-procs
- Vaultwarden
  AGPLv3 Rust Bitwarden-compatible server by Daniel García (Spain), self-host-only, no company, no telemetry — EU-maintained, no CLOUD Act exposure when run on EU infrastructure.
  EU-SOVEREIGN · 0 sub-procs
| Product | Location | Cert. | Pricing |
|---|---|---|---|
| KeePassXC | Germany | — | Free |
| Passbolt | Belvaux, Luxembourg | SOC 2 | Freemium, €5 /mo |
| Psono | Germany | — | Freemium, €0 /mo |
| Uniqkey | Denmark | ISO/IEC 27001 | Paid |
| Vaultwarden | Spain | — | Free |

Each row also carries a Sovereignty rating (a single roll-up of ownership and CLOUD Act exposure) and three signals: Public DPA, Sub-processors and Open source.
Start with the operating model your team can sustain. Managed European services (Passbolt cloud, Uniqkey) suit teams that want SSO, provisioning and support with no operations burden — compare them on audit posture (SOC 2, pentest publication), browser-extension quality and per-seat price. Self-hosted servers (Psono, Passbolt CE, Vaultwarden) suit teams with existing EU infrastructure and the discipline to patch and back up; they reduce the jurisdictional question to your own hosting choice. Offline managers (KeePassXC) fit individuals and small technical teams that can live without built-in sync, or that sync the encrypted database through storage they already trust.
For regulated buyers, treat the password manager's operator like any other processor: any US incorporation in the chain is typically a veto, and the self-hosted and offline routes are often the shortest path through procurement. For SMBs, the binding constraints are onboarding friction and recovery flows — check how each product handles a forgotten master password and offboarding before committing. Use the sort and filter controls on the listing above to narrow by hosting country, open-source licence or pricing.
Switching from a US password manager?
Side-by-side European alternatives — same hosting, ownership and CLOUD Act checks — for the most-replaced password managers.
Frequently asked questions
Password vaults are end-to-end encrypted — why does US jurisdiction still matter?
What counts as 'no US sub-processors' on this page?
Do offline and self-hosted password managers have sub-processors at all?
How do these relate to Bitwarden, 1Password or LastPass?
Can I import my existing vault?
How we verified every listing here.
For each product we read the public DPA, sub-processors document, hosting region declaration, certifications, and corporate ownership records. Each is timestamped. Signals are editorial, re-verified quarterly. We never accept self-attestation.