Skip to content
Independently verified · Quarterly re-audit
EU VETTED

NordPass

VERIFIED
Password managers · Lithuania
Founded 2019 · nordpass.com ↗

Lithuanian password manager by Nord Security, zero-knowledge XChaCha20, ISO 27001 + SOC 2, but hosted on AWS (US): material CLOUD Act exposure.

In short

NordPass, in the Password managers category, offers EU hosting with Lithuania as its hosting location, but a US parent or sub-processor leaves material CLOUD Act exposure.

Assessment notes

NordPass is the password manager of Nord Security, the Lithuanian cybersecurity group (Vilnius; founded 2019, also behind NordVPN, NordLayer, NordLocker, NordStellar). The product itself is genuinely strong (zero-knowledge XChaCha20 end-to-end encryption, voluntary independent audits, ISO/IEC 27001 + SOC 2 attested), but the infrastructure is hosted on AWS (a US-owned hyperscaler), which is material CLOUD Act exposure even with zero-knowledge encryption mitigating the practical risk, and the Nord Security cap-table includes US VC (General Catalyst co-led the 2022 round). Key gaps: AWS-hosted (US-owned sub-processor), US venture capital on the cap table, sub-processor list not confirmed at audit.

CLOUD ACT
OWNERSHIP
SUB-PROCS
not disclosed
Verified signals
Jurisdiction
  • EU / adequacy hosting
  • EU / adequacy operator
  • No US CLOUD Act exposure
Transparency
  • Public DPA
  • Sub-processors disclosed
  • Open-source clients
  • Third-party certification
JUMP TO
OVERVIEW

About NordPass

NordPass is the password-manager product of Nord Security, the Lithuanian cybersecurity company headquartered in Vilnius and best known for NordVPN. NordPass launched in 2019 and sits alongside NordVPN, NordLayer, NordLocker and NordStellar in the Nord Security portfolio. As a product it is well-built: zero-knowledge architecture with XChaCha20 end-to-end encryption (data encrypted on-device before it leaves), passkey support, integrated 2FA, secure sharing, data-breach scanning, and a business tier with SSO, activity logging and admin controls. The company voluntarily undergoes independent security audits and holds ISO/IEC 27001 and SOC 2 attestations, plus HIPAA alignment and FIDO Alliance compliance.

For an EU-sovereignty audit, however, NordPass is mid-table rather than top-tier, and the reason is infrastructure, not product quality. NordPass states plainly that it is "hosted on AWS": Amazon Web Services is a US-owned hyperscaler, so even with EU-region placement the data-at-rest sits with a US-incorporated processor subject to the CLOUD Act. That structural exposure is classified as material CLOUD Act exposure. The zero-knowledge encryption is a genuine and important mitigation (AWS holds only encrypted blobs Nord cannot decrypt and AWS cannot read), but it does not change the ownership classification of the infrastructure. Separately, the Nord Security ownership chain includes US venture capital: the 2022 $100M round was co-led by General Catalyst (US) alongside Novator (Iceland) and Burda (Germany); the group uses multiple legal entities across jurisdictions, so the precise NordPass operating entity should be confirmed against the Lithuanian register before the listing goes live.

Pricing is freemium: a free tier limited to one active device; Premium at roughly €1.50-2/month on longer plans; Family and Business tiers above. The NordPass pricing page did not render concrete figures to automated fetching at audit, so the EUR entry is approximate. Best fit: individuals and businesses already inside the Nord ecosystem, and buyers who prioritise audited product security and prize zero-knowledge encryption over strict hosting sovereignty. EU buyers who need a clean no-US-infrastructure posture should prefer Proton Pass (CH), Passbolt (LU, self-hostable) or Psono (DE, self-hostable).

SUB-PROCESSORS

Sub-processor map · not disclosed

Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
CERTIFICATIONS

Frameworks & certifications

ISO/IEC 27001
ACTIVE
SOC 2
ACTIVE
Informational · US framework
FEATURES

Capability matrix

Passkeys Yes
Autofill Yes
Breach monitoring Yes
Family sharing Yes
Data export Yes
Devices Unlimited
Platforms iOS macOS Windows Android Linux Web
INTEGRATION & ACCESS
REST API No
SSO (SAML / OIDC) Yes
COMPLIANCE & GOVERNANCE
Audit log Yes
Self-host / on-prem option No
PRICING

Pricing & tiers

FREEMIUM
from €2/mo
View pricing page ↗
PUBLIC DOCUMENTS

Public documents

Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
  • Data Processing Addendum (DPA)
    business.nordsec.com/legal…
    Open ↗
  • Sub-processors list
    — missing
    missing
  • Terms of Service
    my.nordaccount.com/legal…
    Open ↗
ALTERNATIVES

Alternatives in this category

heylogin
Germany · Founded 2021
EU-SOVEREIGN

German passwordless zero-knowledge password manager (heylogin GmbH, Braunschweig), all-German sub-processor stack, ISO 27001:2022, no CLOUD Act exposure.

Public DPA Sub-processors Open source
FROM
€4/mo
CLOUD ACT
NONE
KeePassXC
Germany · Founded 2016
EU-SOVEREIGN

GPLv3 fully-offline desktop password manager (KeePassXC Team, Weimar DE, est. 2016): no cloud, no servers, no telemetry; structurally zero CLOUD Act exposure.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
NONE
LC-Pass
Germany
EU-SOVEREIGN

German-hosted business password manager from LC by vBoxx GmbH; collections, group sharing, central management, unlimited devices; an EU-hosted 1Password / LastPass alternative.

Public DPA Sub-processors Open source
FROM
€3.99/mo
CLOUD ACT
NONE