Skip to content
Independently verified · Quarterly re-audit
EU VETTED

Passbolt

VERIFIED
Password managers · Luxembourg
Founded 2017 · passbolt.com ↗

Luxembourg-incorporated AGPLv3 open-source team password manager (Passbolt SA), SOC 2 Type II, self-hostable, used by LU/FR government.

In short

Passbolt, in the Password managers category, is an EU-owned service with Luxembourg as its hosting location and no identified CLOUD Act exposure.

Assessment notes

Passbolt SA (9 Avenue du Blues, L-4368 Belvaux, Luxembourg; incorporated 2017, concept since 2011) is a fully AGPLv3 open-source team password manager (even the paid Business tier is open source) built around OpenPGP end-to-end encryption, self-hostable by default with Cloud as a managed alternative, and audited by independent third parties several times a year with all reports public; SOC 2 Type II attested. Customer base includes the Luxembourg government IT body and France's Ministry of the Interior. Founder team active; investors are Luxembourg / EU (Luxinnovation, Scalefund, Yeast); €11M raised across 2020 (€3M) and 2024 (€8M); 30+ remote-first team. EU-owned, EU-hosted (Luxembourg), with no CLOUD Act exposure.

CLOUD ACT
OWNERSHIP
SUB-PROCS
0 none disclosed
Verified signals
Jurisdiction
  • EU / adequacy hosting
  • EU / adequacy operator
  • No US CLOUD Act exposure
Transparency
  • Public DPA
  • Sub-processors disclosed
  • Open-source clients
  • Third-party certification
JUMP TO
OVERVIEW

About Passbolt

Passbolt is one of the cleanest open-source password-manager listings in this directory. The legal entity is Passbolt SA at 9 Avenue du Blues, L-4368 Belvaux, Luxembourg, incorporated as a formal company in 2017 after the concept originated within a Luxembourg digital agency in 2011. The product was conceived as a collaborative successor to KeePass, with a focus on team credentials sharing, RBAC, audit logging, and OpenPGP-based end-to-end encryption (1:1 keys per credential). Customer references include the Luxembourg government IT body and the French Ministry of the Interior. These are strong public-sector procurement signals that, combined with the open-source licensing, make Passbolt a natural fit for EU sovereign-procurement workflows.

Compliance and transparency posture is best-in-class. Both the Community (free) edition AND the paid Business + Enterprise editions are released under the GNU Affero General Public License v3 (AGPLv3). Buyers can fork the codebase, run audits internally, and never face vendor lock-in. The company commissions independent third-party audits multiple times per year with all reports public, including SOC 2 Type II attestation. Encryption is OpenPGP with 1:1 per-credential keys; no server operator (including Passbolt's own Cloud team) can decrypt customer vaults. Self-host deployment supports Docker, Kubernetes (Helm), and native installation on Ubuntu, Rocky Linux, and openSUSE. That gives full flexibility to run on Hetzner, OVHcloud, Scaleway, IONOS, STACKIT, or any other EU GPU / VPS infrastructure.

Pricing is open-source-friendly and procurement-grade. Community Edition is free under AGPLv3 with unlimited users, core feature set, browser extensions, API, role-based access, with community support only. Business is €4.50 per user per month billed annually (10-user minimum) and adds tags, LDAP provisioning, SSO (Microsoft, Google, OpenID), account recovery, audit logs, and a packaged VM appliance with next-business-day email support. Enterprise is custom with 4-hour SLA, white-glove migration, custom development, and disaster-recovery consulting. Non-profits qualify for special pricing. Best fit: EU public-sector buyers, regulated industries (finance, defence, healthcare), teams that need SAML / LDAP SSO with audit-log compliance, and any procurement-grade buyer who wants AGPLv3 source-availability plus SOC 2 Type II attestation on a Luxembourg-incorporated open-source vendor.

SUB-PROCESSORS

Sub-processor map · none disclosed

Source ↗
Vendor discloses zero sub-processors. All data processing happens in-house.
CERTIFICATIONS

Frameworks & certifications

SOC 2
ACTIVE
Informational · US framework
FEATURES

Capability matrix

Passkeys No
Autofill Yes
Breach monitoring Yes
Family sharing Yes
Data export Yes
Devices Unlimited
Platforms iOS Android Windows Linux
INTEGRATION & ACCESS
REST API Yes
SSO (SAML / OIDC) Yes
COMPLIANCE & GOVERNANCE
Audit log Yes
Self-host / on-prem option Yes
PRICING

Pricing & tiers

FREEMIUM
from €5/mo
View pricing page ↗
PUBLIC DOCUMENTS

Public documents

  • Data Processing Addendum (DPA)
    www.passbolt.com/terms…
    Open ↗
  • Sub-processors list
    www.passbolt.com/terms…
    Open ↗
  • Terms of Service
    www.passbolt.com/legal…
    Open ↗
ALTERNATIVES

Alternatives in this category

heylogin
Germany · Founded 2021
EU-SOVEREIGN

German passwordless zero-knowledge password manager (heylogin GmbH, Braunschweig), all-German sub-processor stack, ISO 27001:2022, no CLOUD Act exposure.

Public DPA Sub-processors Open source
FROM
€4/mo
CLOUD ACT
NONE
KeePassXC
Germany · Founded 2016
EU-SOVEREIGN

GPLv3 fully-offline desktop password manager (KeePassXC Team, Weimar DE, est. 2016): no cloud, no servers, no telemetry; structurally zero CLOUD Act exposure.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
NONE
LC-Pass
Germany
EU-SOVEREIGN

German-hosted business password manager from LC by vBoxx GmbH; collections, group sharing, central management, unlimited devices; an EU-hosted 1Password / LastPass alternative.

Public DPA Sub-processors Open source
FROM
€3.99/mo
CLOUD ACT
NONE