Independently verified · Re-audited quarterly
EU VETTED

Psono

VERIFIED
Password managers · Germany
Founded 2017 · psono.com ↗

German Apache-2.0 open-source team password manager (esaqa GmbH), self-hostable on EU infrastructure, Cure53-audited 2026, free up to 10 users.

Why this score?

Psono is an Apache-2.0 open-source team password manager developed by esaqa GmbH (Tiergartenstr. 13, 91247 Vorra, Germany; CEO Sascha Pfeiffer). It is fully self-hostable on the customer's own infrastructure, uses multi-level encryption (client-side encryption, TLS in transit, and server-side storage encryption), ships SAML / LDAP / audit-log / compliance-policy features, is free for up to 10 users on the business feature set, and was audited by Cure53 in 2026. For buyers who self-host on EU infrastructure (Hetzner / OVHcloud / Scaleway) this earns the full 5/5: no CLOUD Act exposure and structurally minimal vendor-counterparty risk.

SCORE 5.0/5
CLOUD ACT
OWNERSHIP
SUB-PROCS not disclosed
OVERVIEW

About Psono

Psono is a German open-source team password manager built and operated by **esaqa GmbH** (Tiergartenstr. 13, 91247 Vorra, Germany; CEO Sascha Pfeiffer). The entire product (server, web client, browser extensions, and the Flutter mobile apps) is published under the permissive **Apache 2.0** licence and lives on GitHub. The product reports more than 2 million downloads and is engineered for the enterprise team-credentials use-case: SAML and LDAP single sign-on, granular role-based access controls, audit logging, compliance policies (mandatory password complexity, rotation and 2FA), shared groups, recovery codes, and a YubiKey / FIDO2 / TOTP second-factor stack.

Encryption is multi-layered: client-side encryption at rest, TLS in transit, and additional server-side storage encryption. The client-side layer is the one that matters for confidentiality against the operator: vault contents are encrypted before they leave the user's device, so server operators (including Psono's own SaaS team) cannot read customer vaults. The TLS and storage layers defend against interception on the wire and against theft of the underlying disks or backups; on their own they do not keep data from whoever runs the server.

For procurement-grade EU buyers Psono is one of the cleanest listings in this directory. The legal entity is a German GmbH with full HRB transparency, founder-controlled, with no PE / VC / parent on record. Apache 2.0 licensing means there is no vendor lock-in: a customer can fork the codebase if Psono ever changes posture. The **2026 Cure53 audit** provides independent third-party validation of the security architecture, matching the standard set by Proton / Mullvad / IVPN in the VPN category. Self-hosting on EU infrastructure (Hetzner, OVHcloud, Scaleway, IONOS, STACKIT) gives the full 5/5 score with no CLOUD Act exposure and structurally minimal vendor-counterparty risk.

Pricing is freemium with an unusually generous free tier: **all business features are free for up to 10 users**, including SAML, LDAP, audit logs, and compliance policies, features that Bitwarden gates behind paid plans. Paid tiers scale by user count and offer SaaS hosting on Psono's own infrastructure for buyers who prefer not to self-host.

Apps for macOS, Windows, Linux, iOS and Android, plus Chrome / Firefox / Safari extensions and a Docker Hub-published server image for self-hosting. Best fit: German and EU SMBs and enterprises that need SAML / LDAP team-credentials management, regulated buyers that need audit-log compliance, and any procurement-grade buyer who wants the structural cleanliness of self-hosting plus Apache-2.0 open source.
SUB-PROCESSORS

Sub-processor map · not disclosed

Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
CERTIFICATIONS

Frameworks & certifications · none listed

We checked the vendor's website and standard certification body registries. No active certifications found at the time of last audit (2026-05-11).
FEATURES

Feature matrix

INTEGRATION & ACCESS
  • REST API: Yes
  • SSO (SAML / OIDC): Yes
COMPLIANCE & GOVERNANCE
  • Audit log: Yes
  • Self-host / on-prem option: Yes
PRICING

Pricing & tiers

FREEMIUM
from €0/month
See pricing page ↗
PUBLIC DOCUMENTS

Public documents

DPA accessibility is not scored for this listing. Self-hosted or local software, vendors that are not data processors, and products carrying a SecNumCloud, EUCS or BSI C5 certification are not assessed on DPA accessibility — see How we score.
  • Data Processing Addendum (DPA): not assessed (n/a)
  • Sub-processors list: missing
  • Terms of Service: psono.com/terms… ↗
ALTERNATIVES

Alternatives in this category