German passwordless zero-knowledge password manager (heylogin GmbH, Braunschweig), all-German sub-processor stack, ISO 27001:2022, no CLOUD Act exposure.
- FROM
- €4/mo
- CLOUD ACT
- NONE
A single roll-up of ownership and CLOUD Act exposure.
German Apache-2.0 open-source team password manager (esaqa GmbH), self-hostable on EU infrastructure, Cure53-audited 2026, free up to 10 users.
Psono, in the Password managers category, offers EU hosting with Germany as its hosting location, but a US parent or sub-processor leaves material CLOUD Act exposure.
Psono is an Apache-2.0 open-source team password manager developed by esaqa GmbH (Tiergartenstr. 13, 91247 Vorra, Germany; CEO Sascha Pfeiffer): fully self-hostable on the customer's own infrastructure, multi-level encryption (client-side + SSL + storage), SAML / LDAP / audit-log / compliance-policy features, free for up to 10 users on the business feature set, ISO 27001 certified (trust centre at trust.esaqa.com) with a public sub-processor register, and audited by Cure53 in 2026; for self-hosting buyers on EU infrastructure (Hetzner / OVHcloud / Scaleway) EU-owned, self-hosted, with no CLOUD Act exposure and structurally minimal vendor-counterparty risk. The hosted SaaS, however, runs on Google Cloud (Ireland) fronted by Cloudflare with US payment/support sub-processors (Stripe, Paddle, Sentry, Freshworks), so the directory rates default CLOUD Act exposure as material and reserves the clean posture for the self-hosted route.
How exposed customer data is to US authorities under the CLOUD Act (Clarifying Lawful Overseas Use of Data Act).
Where ultimate control over the operating company sits.
Exposure depends on how you run this product.
Vendor-operated: the sub-processors below apply.
How exposed customer data is to US authorities under the CLOUD Act (Clarifying Lawful Overseas Use of Data Act).
Deploy on your own EU infrastructure and you control hosting and every sub-processor.
How exposed customer data is to US authorities under the CLOUD Act (Clarifying Lawful Overseas Use of Data Act).
Psono is a German open-source team password manager built and operated by esaqa GmbH (Tiergartenstr. 13, 91247 Vorra, Germany; CEO Sascha Pfeiffer). The entire product, spanning server, web client, browser extensions, and mobile apps (Flutter), is published under the permissive Apache 2.0 licence and lives on GitHub. The product reports more than 2 million downloads and is engineered for the enterprise team-credentials use-case: SAML and LDAP single-sign-on, granular role-based access controls, audit logging, compliance policies (mandatory password complexity / rotation / 2FA), shared groups, recovery codes, and a YubiKey / FIDO2 / TOTP second-factor stack. Encryption is multi-layered: client-side encryption-at-rest, TLS in transit, and additional server-side storage encryption, so server operators (including Psono's own SaaS team) cannot read customer vaults.
For procurement-grade EU buyers Psono is one of the cleanest listings in this directory. The legal entity is a German GmbH with full HRB transparency, founder-controlled, no PE / VC / parent on record. Apache 2.0 licensing means there is no vendor lock-in (a customer can fork the codebase if Psono ever changes posture), and the 2026 Cure53 audit plus ISO 27001 certification (trust centre at trust.esaqa.com, with a publicly maintained sub-processor register) provide independent third-party validation of the security and compliance architecture, matching the standard set by Proton / Mullvad / IVPN in the VPN category. Self-hosting on EU infrastructure (Hetzner, OVHcloud, Scaleway, IONOS, STACKIT) gives an EU-owned, self-hosted posture with no CLOUD Act exposure and zero vendor-counterparty risk.
Pricing is freemium with an unusually generous free tier: all business features are free for up to 10 users, including SAML, LDAP, audit logs, and compliance policies, a tier that competitive open-source competitors (Bitwarden, Vaultwarden) gate behind paid plans. Paid tiers scale by user count and offer managed SaaS hosting for buyers who prefer not to self-host, though that hosted path runs on Google Cloud (Ireland) behind Cloudflare with US payment and support sub-processors, which is why the directory rates the default offering at material CLOUD Act exposure and treats self-hosting as the procurement-grade route. Apps for macOS, Windows, Linux, iOS, Android, plus Chrome / Firefox / Safari extensions, plus a Docker Hub-published server image for self-host. Best fit: German and EU SMBs and enterprises that need SAML/LDAP team-credentials management, regulated buyers needing audit-log compliance, and any procurement-grade buyer who wants the structural cleanliness of self-host plus Apache-2.0 open source.
Push notifications for iPhones and iPads
DDoS protection, CDN and DNS
Ticketing to handle customer support requests
Hosting (servers, databases, network) for the managed SaaS; US-owned hyperscaler
Error reporting
Credit cards and payments
Transactional email (registration, share, invoice) and email marketing
Credit cards and payments (US-resident billing entity)
Hosting (servers, databases, network) for the managed SaaS
| Vendor | Country | Purpose | Owner |
|---|---|---|---|
| Apple | United States | Push notifications for iPhones and iPads | US |
| Cloudflare | United States | DDoS protection, CDN and DNS | US |
| Freshworks Inc. | United States | Ticketing to handle customer support requests | US |
| Google Cloud EMEA Limited | Ireland | Hosting (servers, databases, network) for the managed SaaS; US-owned hyperscaler | US |
| Sentry Inc. | United States | Error reporting | US |
| Stripe Inc. | United States | Credit cards and payments | US |
| Brevo (Sendinblue) | France | Transactional email (registration, share, invoice) and email marketing | EU |
| Paddle.com Inc. | United States | Credit cards and payments (US-resident billing entity) | US |
| Scaleway, S.A.S | France | Hosting (servers, databases, network) for the managed SaaS | EU |
German passwordless zero-knowledge password manager (heylogin GmbH, Braunschweig), all-German sub-processor stack, ISO 27001:2022, no CLOUD Act exposure.
GPLv3 fully-offline desktop password manager (KeePassXC Team, Weimar DE, est. 2016): no cloud, no servers, no telemetry; structurally zero CLOUD Act exposure.
German-hosted business password manager from LC by vBoxx GmbH; collections, group sharing, central management, unlimited devices; an EU-hosted 1Password / LastPass alternative.