Skip to content
Independently verified · Quarterly re-audit
EU VETTED

heylogin

VERIFIED
Password managers · Germany
Founded 2021 · heylogin.com ↗

German passwordless zero-knowledge password manager (heylogin GmbH, Braunschweig), all-German sub-processor stack, ISO 27001:2022, no CLOUD Act exposure.

In short

heylogin, in the Password managers category, is an EU-owned service with Germany as its hosting location and no identified CLOUD Act exposure.

Assessment notes

heylogin GmbH (Sophienstr. 40, 38118 Braunschweig; HRB 207299 Amtsgericht Braunschweig; founders Dr. Dominik Schürmann & Vincent Breitmoser, ex-TU Braunschweig) is a passwordless, zero-knowledge password manager whose vault is end-to-end encrypted (Curve25519 / XSalsa20-Poly1305 / Argon2 / age, BSI TR-02102-1 aligned) so the cloud is a pure transport/storage layer that cannot decrypt customer data. Every sub-processor is German with no third-country transfer: Hetzner (Nuremberg production + Falkenstein standby), IONOS (Frankfurt S3 backups), Myra Security (Munich, DDoS + CDN, a German CDN, not Cloudflare US), and Heinlein/mailbox.org (Berlin, transactional email); and the ISMS is ISO 27001:2022 certified with a publicly downloadable DPA and detailed sub-processor annex. The only US touchpoints are non-data: Mozilla Ventures' minority 2022 pre-seed stake, the Webflow-hosted marketing site (explicitly separated from the product on heylogin.app, holds no customer data), and user-side phone backups of the recovery seed to the user's own Google/Apple platform account. EU-owned, EU-hosted (Germany only), DPA + sub-processors public, no Cloudflare US, no CLOUD Act exposure → 5/5.

CLOUD ACT
OWNERSHIP
SUB-PROCS
0 none disclosed
Verified signals
Jurisdiction
  • EU / adequacy hosting
  • EU / adequacy operator
  • No US CLOUD Act exposure
Transparency
  • Public DPA
  • Sub-processors disclosed
  • Open-source clients
  • Third-party certification
JUMP TO
OVERVIEW

About heylogin

heylogin is a passwordless, zero-knowledge password manager built by heylogin GmbH in Braunschweig, Germany, a company spun out of IT-security research at TU Braunschweig by Dr. Dominik Schürmann (CEO) and Vincent Breitmoser (CTO), and originally incorporated as Confidential Technologies GmbH in 2018 before relaunching under the heylogin brand with the product's 2021 release. Its distinguishing idea is that there is no master password: the vault is unlocked and synced using the security chip in the user's smartphone (and FIDO2 keys, Touch ID, Windows Hello), with a "swipe to login" confirmation and a 1-click browser overlay that automates the actual website sign-in. The second factor is built into the vault encryption itself rather than bolted on as a separate login step.

For an EU-sovereignty audit heylogin is best-in-class. The vault is end-to-end encrypted on the device before it ever reaches the cloud (Curve25519, XSalsa20-Poly1305, Argon2 key-stretching, age for at-rest backups, aligned to BSI TR-02102-1), so the heylogin cloud is a pure transport-and-storage layer with no ability to decrypt customer data. Every sub-processor is German with no third-country transfer: Hetzner Online (production in Nuremberg, standby in Falkenstein), IONOS (S3 backups in Frankfurt), Myra Security (Munich) for DDoS protection and CDN (a German CDN rather than Cloudflare US), and Heinlein Hosting / mailbox.org (Berlin) for transactional email. The ISMS is ISO 27001:2022 certified, the DPA and a detailed sub-processor annex are publicly downloadable without a login, and all data centres are ISO 27001-certified Hetzner facilities running on renewable electricity. The only US touchpoints are non-data: a minority Mozilla Ventures pre-seed stake (2022), the Webflow-hosted marketing site that is explicitly separated from the product on heylogin.app, and user-side recovery-seed backups to the user's own Google/Apple account.

Pricing is freemium: a free Private tier for individuals; Business at €3.99/user/month billed yearly (€4.99 monthly) adding user/team management plus Entra ID, Google Workspace and CSV provisioning; and a yearly Enterprise tier (50+ seats) adding audit logs, Pwnitoring breach monitoring, optional on-premises backup and phone support. A separate Enterprise-for-MSPs tier and an EVB-IT cloud contract for European public-sector buyers are available. Best fit: German and EU SMBs, MSPs and public-sector buyers that want a passwordless, ISO 27001-certified vault with a genuinely all-German processing stack and zero CLOUD Act exposure. Buyers wanting open-source instead should compare Passbolt or Psono.

SUB-PROCESSORS

Sub-processor map · none disclosed

Source ↗
Vendor discloses zero sub-processors. All data processing happens in-house.
CERTIFICATIONS

Frameworks & certifications

ISO/IEC 27001
ACTIVE
FEATURES

Capability matrix

Passkeys No
Autofill Yes
Breach monitoring Yes
Family sharing No
Data export Yes
Devices Unlimited
Platforms iOS Android Windows macOS Web
INTEGRATION & ACCESS
REST API No
SSO (SAML / OIDC) Yes
COMPLIANCE & GOVERNANCE
Audit log Yes
Self-host / on-prem option No
PRICING

Pricing & tiers

FREEMIUM
from €4/mo
View pricing page ↗
PUBLIC DOCUMENTS

Public documents

  • Data Processing Addendum (DPA)
    www.heylogin.com/en…
    Open ↗
  • Sub-processors list
    www.heylogin.com/en…
    Open ↗
  • Terms of Service
    www.heylogin.com/en…
    Open ↗
ALTERNATIVES

Alternatives in this category

KeePassXC
Germany · Founded 2016
EU-SOVEREIGN

GPLv3 fully-offline desktop password manager (KeePassXC Team, Weimar DE, est. 2016): no cloud, no servers, no telemetry; structurally zero CLOUD Act exposure.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
NONE
LC-Pass
Germany
EU-SOVEREIGN

German-hosted business password manager from LC by vBoxx GmbH; collections, group sharing, central management, unlimited devices; an EU-hosted 1Password / LastPass alternative.

Public DPA Sub-processors Open source
FROM
€3.99/mo
CLOUD ACT
NONE
NordPass
Lithuania · Founded 2019
EU-HOSTED

Lithuanian password manager by Nord Security, zero-knowledge XChaCha20, ISO 27001 + SOC 2, but hosted on AWS (US): material CLOUD Act exposure.

Public DPA Sub-processors Open source
FROM
€2/mo
CLOUD ACT
MATERIAL