Skip to content
Independently verified · Quarterly re-audit
EU VETTED

CryptPad

VERIFIED
Docs & wikis · France
Founded 2014 · cryptpad.org ↗

Paris-based E2E-encrypted open-source collaboration suite (CryptPad by XWiki SAS), NLnet/NGI-EU-funded; zero-knowledge architecture.

In short

CryptPad, in the Docs & wikis category, is an EU-owned service with France as its hosting location and no identified CLOUD Act exposure.

Assessment notes

CryptPad is the end-to-end encrypted open-source collaboration suite developed by XWiki SAS (Paris, France; making open-source software since 2004). Funded by NLnet PET, NGI TRUST, NGI DAPSI, NGI Zero Commons Fund (European Commission's Next Generation Internet programme) plus CryptPad.fr subscribers and Open Collective donations, making this one of the most clearly EU-publicly-funded sovereign-tech projects in the directory. Zero-knowledge encryption means even XWiki cannot read customer documents; full source on GitHub; self-hostable on EU infrastructure. Signals: EU-owned (French SAS), EU-hosted, EU public funding lineage, end-to-end encrypted (zero-knowledge), no CLOUD Act exposure, no US-VC, no US legal entity. Gap: no publicly accessible DPA. The DPA is reachable only inside a customer account for paid Organisation-Plan holders; no public sub-processors list.

CLOUD ACT
OWNERSHIP
SUB-PROCS
not disclosed
Verified signals
Jurisdiction
  • EU / adequacy hosting
  • EU / adequacy operator
  • No US CLOUD Act exposure
Transparency
  • Public DPA
  • Sub-processors disclosed
  • Open-source clients
  • Third-party certification
JUMP TO
OVERVIEW

About CryptPad

CryptPad is the canonical end-to-end-encrypted open-source collaboration suite, actively developed by a team at XWiki SAS, a Paris-based French company that has been building open-source software since 2004. The platform delivers a Google Docs / Notion / Microsoft Office Online alternative built around zero-knowledge encryption: documents are encrypted on the user's device before any data leaves it, and XWiki itself has no ability to read customer documents. The product surface covers rich text, code, slides, forms, kanban, calendar, polls, whiteboard, sheet, and team drives: a complete office-suite-grade feature set running entirely E2E.

Funding architecture is the structurally interesting story. CryptPad is funded by NLnet PET, NGI TRUST, NGI DAPSI, and the NGI Zero Commons Fund, the European Commission's Next Generation Internet (NGI) programme that channels EU public-research money into European-sovereign open-source infrastructure. Additional funding comes from CryptPad.fr subscribers and Open Collective donations. This combination (EU public funding + community subscriptions) gives CryptPad a structurally different cap table from any US-VC-funded competitor: no exit pressure, no dilution risk, no acquisition rumours, and explicit alignment with the European Commission's sovereign-tech agenda.

Pricing for CryptPad.fr (the managed cloud) is freemium with paid storage tiers; the entire codebase is open source on GitHub (cryptpad/cryptpad) and self-hostable for organisations wanting full control. Best fit: privacy-maximalist EU teams, journalists and activists, EU public-sector and education buyers (where NLnet / NGI funding lineage is itself a procurement signal), and any organisation that wants a full office suite where the vendor structurally cannot read the documents.

SUB-PROCESSORS

Sub-processor map · not disclosed

Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
CERTIFICATIONS

Frameworks & certifications · none listed

We checked the vendor's website and standard certification body registries. No active certifications found at the time of last audit (2026-05-18).
FEATURES

Capability matrix

Self-hostable Yes
Real-time collaboration Yes
Databases / tables Yes
Version history Yes
Granular permissions Yes
Offline mode No
INTEGRATION & ACCESS
REST API Yes
SSO (SAML / OIDC) No
COMPLIANCE & GOVERNANCE
Audit log No
Self-host / on-prem option Yes
PRICING

Pricing & tiers

FREEMIUM
Custom pricing

Contact vendor for tier or volume pricing.

View pricing page ↗
PUBLIC DOCUMENTS

Public documents

Vendor does not publish a public DPA. Without a publicly accessible Data Processing Addendum, small EU customers cannot self-serve the processor agreement. This is recorded as no public DPA (see How we assess).
Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
  • Data Processing Addendum (DPA)
    — missing
    missing
  • Sub-processors list
    — missing
    missing
ALTERNATIVES

Alternatives in this category

Anytype
Germany · Founded 2019
EU-SOVEREIGN

Berlin-based local-first peer-to-peer E2E-encrypted knowledge OS (Anytype, 2019); Any Source Available License; data lives on user device.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
NONE
BookStack
United Kingdom · Founded 2015
EU-BASED

UK solo-dev MIT-licensed self-hosted wiki + documentation platform (Dan Brown, 2015); no SaaS, no vendor counterparty risk.

Public DPA Sub-processors Open source
FROM
€0/mo
CLOUD ACT
NONE
Collabora Online
United Kingdom · Founded 2012
EU-BASED

Cambridge-based LibreOffice Online (MPL-2.0/LGPL) by Collabora Productivity Ltd: free CODE dev edition + €3/user/mo Business; self-hostable on EU infra.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
MINOR