BeyondTrust EU Alternative 2026: Password Safe, Privileged Remote Access, and Francisco Partners' US Ownership Under the CLOUD Act
Post #2 in the sota.io EU Privileged Access Management (PAM) Series
BeyondTrust is one of the largest Privileged Access Management (PAM) vendors by market share, and its ownership structure places every privileged credential, every remote session recording, and every endpoint privilege event it hosts within reach of the US CLOUD Act (18 U.S.C. §2713).
BeyondTrust Corporation is incorporated in Delaware and owned by Francisco Partners, a San Francisco-based private equity firm. Under the CLOUD Act, a provider subject to US jurisdiction must, when served with Stored Communications Act process (a warrant, subpoena or §2703(d) court order), produce data in its possession, custody or control regardless of where that data is physically stored. No EU court order is required, EU-based processing agreements do not suspend the obligation, and a §2705(b) non-disclosure order can bar the provider from telling your organisation that the request was ever made.
For European organisations, this is not an abstract legal risk. In December 2024, a state-sponsored threat actor compromised BeyondTrust's Remote Support SaaS platform, gaining access to US Treasury Department systems — demonstrating that PAM vendors themselves are high-value targets whose cloud infrastructure can become the attack vector. The same infrastructure that attackers breached to reach US government data is the infrastructure processing your organisation's privileged credentials under CLOUD Act jurisdiction.
This guide scores BeyondTrust's GDPR risk at 17/25, identifies five concrete GDPR exposure vectors, and presents EU-native alternatives that eliminate the jurisdictional problem.
BeyondTrust's Corporate Structure
| Entity | Role | Jurisdiction |
|---|---|---|
| BeyondTrust Corporation | Operating company | Delaware / Johns Creek, Georgia |
| Francisco Partners | Beneficial owner | San Francisco, California |
| BeyondTrust Ltd. | UK/EMEA sales entity | England & Wales |
| BeyondTrust GmbH | DACH sales/support | Germany |
The critical point for CLOUD Act analysis is BeyondTrust Corporation in Delaware — this is the legal entity that operates Password Safe, Privileged Remote Access (PRA), Endpoint Privilege Management (EPM), and Identity Security Insights. The German GmbH and UK Ltd are sales and support entities; they do not control the cloud infrastructure or hold the data processing agreements for cloud-delivered products.
Francisco Partners bought Bomgar Corporation from Thoma Bravo in 2018; in October of that year Bomgar acquired the original BeyondTrust (then best known for its PowerBroker suite) from Veritas Capital, and the combined company took the BeyondTrust name. Francisco Partners is a US private equity firm: it is not a party to your data processing agreement and owes no GDPR obligations to your data subjects, a gap in the accountability chain that DPOs should flag when conducting a DPIA.
CLOUD Act Score: 17/25
| Risk Factor | Score | Rationale |
|---|---|---|
| Delaware incorporation | 4/4 | BeyondTrust Corporation is a provider subject to US jurisdiction; 18 U.S.C. §2713 (added by the CLOUD Act) reaches data in its possession, custody or control wherever it is stored |
| US PE beneficial ownership | 3/4 | Francisco Partners (San Francisco) owns 100%; ultimate beneficial owner is a US entity outside GDPR's territorial scope |
| Cloud vault infrastructure (Password Safe Cloud) | 3/4 | Privileged credentials stored in BeyondTrust's US-controlled cloud; CLOUD Act compulsion reaches stored data regardless of EU region label |
| Session recordings (PRA) | 2/4 | Full keystroke-level session recordings constitute personal data under GDPR Art.4(1); stored on US-controlled SaaS servers |
| EPM telemetry | 2/4 | Endpoint Privilege Management logs application launch events, elevation attempts, blocked executables per user per endpoint — personal data profile |
| US government contracts | 2/4 | BeyondTrust holds FedRAMP-authorized status; federal contractor relationships reinforce US-law-enforcement cooperation norms |
| Identity Security Insights | 1/4 | Behavioural analytics SaaS processed in US; who accessed what, when, from which IP |
| Total | 17/25 |
A score of 17/25 places BeyondTrust below CyberArk (19/25) and AWS (21/25) in this series, but well above the level at which standard contractual clauses under GDPR Art.46(2)(c) offer meaningful protection. SCCs bind the data exporter and importer to each other; they cannot bind a US court or prosecutor, which is why the CJEU in Schrems II (C-311/18) required supplementary measures on top of them. A compulsion order under §2713 is served on the importer and is not a transfer the SCCs can prohibit.
Five GDPR Exposure Vectors
1. Password Safe Cloud: Vault Contents Under US Jurisdiction
Password Safe is BeyondTrust's credential vault — the product that stores SSH private keys, database passwords, Windows service account credentials, and API tokens. When deployed as BeyondTrust Cloud (SaaS), all vault contents are stored on infrastructure operated by BeyondTrust Corporation (Delaware).
Under the CLOUD Act, a US prosecutor can obtain a warrant or court order under 18 U.S.C. §2703, serve it on BeyondTrust Corporation for the vault contents, and pair it with a §2705(b) order that prevents BeyondTrust from notifying you. This is not hypothetical. The CLOUD Act was enacted in March 2018 specifically to confirm that such process reaches data a US provider stores abroad, after Microsoft had resisted a warrant for e-mail held in its Dublin data centre.
For EU financial entities subject to DORA (Regulation (EU) 2022/2554), this creates a specific tension: DORA Art.9(4)(c) and (d) require controlled, auditable administration of access rights and strong authentication for privileged access, yet with a US-jurisdictioned PAM cloud the secrets behind those controls can be disclosed to a foreign authority without the entity's knowledge, so its access records no longer account for every party that has held them.
Mitigation (self-hosted): BeyondTrust Password Safe is also available as an on-premises or EU-hosted IaaS deployment. Self-hosting on EU infrastructure (Hetzner, OVHcloud, Scaleway) takes the vault contents out of the Delaware corporation's custody, which is what the CLOUD Act attaches to. Two caveats: confirm that licensing, telemetry and vendor support channels do not copy vault or session data back to BeyondTrust-operated services (block any outbound connection you have not explicitly approved), and budget for running the application stack, patching and HA configuration in-house.
2. Privileged Remote Access: Session Recordings as Personal Data
BeyondTrust's Privileged Remote Access (PRA) product — formerly the Bomgar appliance — records full sessions for every privileged remote connection: keystrokes, screen content, clipboard transfers, file transfers, and audio (if enabled). These recordings are GDPR personal data under Art.4(1) because they capture identifiable human actions tied to named user accounts.
In the December 2024 breach, attackers obtained an API key for BeyondTrust's Remote Support SaaS and used it to reset application passwords and access customer systems. The US Treasury Department confirmed attackers accessed unclassified documents via this vector. This incident demonstrates that BeyondTrust's cloud infrastructure is a high-value target precisely because of the richness of data it holds — which is the same data subject to CLOUD Act compulsion.
EU organisations using PRA Cloud should assess whether session recordings capture special categories of personal data under GDPR Art.9: a privileged session into a system holding health, financial or biometric records will show that data on screen. If so, an Art.9(2) condition is needed for the recording itself, and US-jurisdiction cloud storage makes that position very hard to defend.
Mitigation: PRA is available as a hardware appliance (B200/B400 series) or virtual appliance deployed on-premises or in EU IaaS. Appliance deployments keep session recordings out of BeyondTrust Corporation's custody; still verify that licensing callbacks and any cloud-brokered connectivity features are either disabled or carry no session content.
3. Endpoint Privilege Management: Per-User Privilege Telemetry
BeyondTrust EPM (the Windows and Mac product descends from Avecto Defendpoint, acquired in 2018; the Unix/Linux product from PowerBroker) enforces least privilege on endpoints by blocking, elevating, or auditing application launches and privilege escalation attempts. When EPM is deployed with cloud analytics, it streams per-event telemetry to an analytics platform operated by BeyondTrust Corporation.
This telemetry constitutes a detailed personal data record: which user launched which application, from which endpoint, at what time, whether elevation was granted or blocked, and which executable was invoked. At enterprise scale across tens of thousands of endpoints this is systematic monitoring of employees, which brings in GDPR Art.88 (processing in the employment context) and the national employment-law rules built on it, for example works-council co-determination for technical monitoring systems in Germany.
The CLOUD Act exposure here is to structured analytics data — US law enforcement could compel BeyondTrust to produce all elevation events for a named user, effectively obtaining a detailed record of that person's work activity without notifying the employer or the employee.
Mitigation: EPM can be deployed with on-premises analytics (BeyondInsight on-prem). This requires the BeyondInsight server to be hosted on EU-controlled infrastructure, with no telemetry routed to BeyondTrust's SaaS platform.
4. Identity Security Insights: Behavioural Profiling in US SaaS
Identity Security Insights is BeyondTrust's newest product layer — a behavioural analytics engine that analyses privileged access patterns across Password Safe, PRA, EPM, and third-party directory services. It generates risk scores for individual privileged users based on access patterns, anomaly detection, and peer-group comparison.
These risk scores are derived from personal data and are themselves personal data under GDPR Art.4(1) (a conclusion about an identified individual's behaviour). When computed in US-hosted SaaS, the input data (access logs), computation, and output (risk scores) all fall under BeyondTrust Corporation's CLOUD Act obligations.
GDPR Art.22 (automated decision-making) may also apply if Identity Security Insights risk scores feed automated access revocation or step-up authentication. The lawful basis would have to be Art.22(2)(a) (necessary for a contract) or Art.22(2)(c) (explicit consent), with the Art.22(3) safeguards of human intervention and a right to contest the decision. These obligations fall on your organisation as controller wherever the scores are computed; moving to a self-hosted deployment addresses the Art.44 transfer problem, not the Art.22 one.
5. Francisco Partners: PE Ownership and the GDPR Accountability Gap
Francisco Partners (FP) is the beneficial owner of BeyondTrust Corporation. FP is a San Francisco-based private equity firm; it is not subject to GDPR and has no EU data protection obligations.
This creates a governance gap: when BeyondTrust processes EU personal data, the regulatory accountability chain ends at BeyondTrust Corporation (Delaware), a company whose ultimate controlling owner has no EU legal obligations. PE ownership structures may involve data sharing between portfolio companies for commercial analytics purposes. BeyondTrust's privacy policy should be reviewed for whether Francisco Partners has rights to aggregated or anonymised usage data from BeyondTrust Cloud customers.
For EU organisations conducting DPIA assessments under GDPR Art.35, the Francisco Partners ownership structure should be explicitly documented as a risk factor, particularly where the DPA (data processing agreement) with BeyondTrust does not address the PE owner's data access rights.
EU-Native PAM Alternatives
Wallix Bastion — Best Overall EU-Native PAM
| Factor | Detail |
|---|---|
| Vendor | Wallix SAS (Paris, France) |
| CLOUD Act Score | 0/25 |
| Certifications | ANSSI CSPN, BSI C5 audited, Common Criteria EAL3+ |
| Deployment | SaaS (EU data centres) or self-hosted |
| Edition | Wallix Bastion Community (free) + Enterprise |
Wallix is French-incorporated with no US parent, no US PE ownership, and no US-operated cloud infrastructure. Wallix Bastion provides session management, credential vaulting, access controls, and SIEM integration — the full PAM feature set. The ANSSI certification (France's national cybersecurity authority) and BSI C5 audit (Germany's Federal Office for Information Security) make Wallix the natural choice for organisations requiring formal third-party certification under DORA or NIS2.
Wallix Bastion Community Edition is available free for up to 5 privileged accounts — suitable for smaller organisations or proof-of-concept deployments. Enterprise licensing is comparable to BeyondTrust mid-market pricing.
DORA relevance: for financial entities subject to DORA Art.9(4), Wallix Bastion's ANSSI certification provides the third-party evidence auditors expect for the access-control and authentication measures, and EU hosting removes the US-jurisdiction exposure from the ICT third-party risk assessment.
PrivX CE — Cloud-Native Identity-Centric PAM
| Factor | Detail |
|---|---|
| Vendor | SSH Communications Security Oyj (Helsinki, Finland) |
| CLOUD Act Score | 1/25 |
| Deployment | SaaS (EU) or self-hosted |
| Edition | PrivX CE (community) + Enterprise |
| Architecture | Certificate-based, no persistent credentials in vault |
SSH Communications Security (SSH.COM) is listed on Nasdaq Helsinki and has no US parent. PrivX takes a different architectural approach to PAM: rather than vaulting static credentials, it issues short-lived certificates for each privileged session, so no long-lived secret exists to be stolen or compelled. What remains compellable is the CA signing key and the audit trail, a far smaller and more easily rotated asset than a vault of reusable passwords. Targets that only accept password authentication still need vaulted credentials, so an inventory of which targets can take certificates should precede any migration.
PrivX CE is free for up to 10 targets with unlimited users. The certificate-based architecture maps well to Kubernetes, cloud-native infrastructure, and zero-trust network designs where ephemeral credentials are architecturally preferred.
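The ephemeral-certificate model described above, written out as an added example in Go using only the standard library (this is not PrivX, SSH.COM or Teleport code): an issuing CA signs an OpenSSH ed25519 user certificate bound to named principals and a ten-minute validity window, and the target-side check verifies the CA signature, the window and the principal. The wire format follows OpenSSH's PROTOCOL.certkeys; the key ID, principals and TTL are illustrative values chosen for this example. What a compelled party could hand over from such a system is the CA's signing key and audit log, never a reusable credential, and rotating the CA invalidates everything it has issued.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Wire format per OpenSSH PROTOCOL.certkeys (ssh-ed25519-cert-v01@openssh.com).
const certType = "ssh-ed25519-cert-v01@openssh.com"

func putU32(b []byte, v uint32) []byte { return append(b, byte(v>>24), byte(v>>16), byte(v>>8), byte(v)) }
func putU64(b []byte, v uint64) []byte { return putU32(putU32(b, uint32(v>>32)), uint32(v)) }
func putString(b, s []byte) []byte     { return append(putU32(b, uint32(len(s))), s...) }

// IssueCert signs a user certificate for userPub that is valid only for the given
// principals and only from notBefore for ttl. No reusable secret is created.
func IssueCert(ca ed25519.PrivateKey, userPub ed25519.PublicKey, keyID string,
	principals []string, notBefore time.Time, ttl time.Duration) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	var princ []byte
	for _, p := range principals {
		princ = putString(princ, []byte(p))
	}
	caBlob := putString(putString(nil, []byte("ssh-ed25519")), ca.Public().(ed25519.PublicKey))
	tbs := putString(putString(putString(nil, []byte(certType)), nonce), userPub)
	tbs = putU32(putU64(tbs, 1), 1) // serial 1, type 1 = user certificate
	tbs = putString(putString(tbs, []byte(keyID)), princ)
	tbs = putU64(tbs, uint64(notBefore.Unix()))               // valid_after
	tbs = putU64(tbs, uint64(notBefore.Add(ttl).Unix()))      // valid_before (exclusive)
	tbs = putString(putString(putString(tbs, nil), nil), nil) // critical options, extensions, reserved
	tbs = putString(tbs, caBlob)                              // signature key
	sig := putString(putString(nil, []byte("ssh-ed25519")), ed25519.Sign(ca, tbs))
	return putString(tbs, sig), nil
}

// reader walks the SSH wire encoding and latches the first decode error; after an
// error every read yields 8 zero bytes so the fixed-width decoders stay in bounds.
type reader struct{ b []byte; err error }

func (r *reader) take(n int) []byte {
	if r.err == nil && n >= 0 && len(r.b) >= n {
		s := r.b[:n]
		r.b = r.b[n:]
		return s
	}
	r.err = errors.New("truncated certificate")
	return make([]byte, 8)
}
func (r *reader) str() []byte { return r.take(int(binary.BigEndian.Uint32(r.take(4)))) }
func (r *reader) u64() uint64 { return binary.BigEndian.Uint64(r.take(8)) }

// VerifyCert is the target-side check: trusted CA, signature, validity window, principal.
func VerifyCert(cert []byte, ca ed25519.PublicKey, principal string, now time.Time) error {
	r := &reader{b: cert}
	if string(r.str()) != certType {
		return errors.New("not an ed25519 user certificate")
	}
	r.str(); r.str(); r.u64(); r.take(4); r.str() // nonce, user key, serial, type, key id
	princ := r.str()
	after, before := r.u64(), r.u64()
	r.str(); r.str(); r.str() // critical options, extensions, reserved
	sigKey := r.str()
	signedLen := len(cert) - len(r.b) // everything before the signature field is signed
	sr := &reader{b: r.str()}
	sr.str(); sig := sr.str() // skip the algorithm name, keep the raw signature
	if r.err != nil || sr.err != nil {
		return errors.New("malformed certificate")
	}
	kr := &reader{b: sigKey}
	if string(kr.str()) != "ssh-ed25519" || !bytes.Equal(kr.str(), ca) {
		return errors.New("certificate not issued by the trusted CA")
	}
	if !ed25519.Verify(ca, cert[:signedLen], sig) {
		return errors.New("bad CA signature")
	}
	if t := uint64(now.Unix()); t < after || t >= before {
		return fmt.Errorf("outside validity window %d..%d", after, before)
	}
	for pr := (&reader{b: princ}); len(pr.b) > 0 && pr.err == nil; {
		if string(pr.str()) == principal {
			return nil
		}
	}
	return errors.New("principal not listed in certificate")
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(nil)
	userPub, _, _ := ed25519.GenerateKey(nil)
	cert, _ := IssueCert(caPriv, userPub, "alice session 42", []string{"deploy"}, time.Now(), 10*time.Minute)
	fmt.Println("now:     ", VerifyCert(cert, caPub, "deploy", time.Now().Add(time.Minute)))
	fmt.Println("1h later:", VerifyCert(cert, caPub, "deploy", time.Now().Add(time.Hour)))
}
```

The check order matters: the CA identity and signature are verified before the clock is consulted, so a forged certificate never gets as far as a time comparison. Base64-encode the returned blob behind the prefix `ssh-ed25519-cert-v01@openssh.com ` and `ssh-keygen -L -f` will print the same fields a real OpenSSH target evaluates.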
Teleport Community — Open-Source PAM for Cloud Infrastructure
| Factor | Detail |
|---|---|
| Vendor | Gravitational Inc. (Delaware) — but fully self-hosted |
| CLOUD Act Score (self-hosted EU) | 0/25 |
| Deployment | Self-hosted only (CE) |
| Edition | Community Edition (free, open-source) |
| Protocols | SSH, Kubernetes, databases, RDP, applications |
Teleport is Delaware-incorporated, which would normally trigger CLOUD Act exposure. However, Teleport Community Edition is self-hosted: Gravitational never holds the data. When deployed on EU servers (Hetzner, OVHcloud, Scaleway), the only party in custody of the data is a European IaaS provider, which the CLOUD Act cannot reach. The calculus changes if you use the vendor's hosted Teleport Cloud offering, which puts a US company back in the data path.
Teleport provides session recording, audit logging, RBAC, and just-in-time access for SSH, Kubernetes, and database targets. It is the closest EU-deployable equivalent to BeyondTrust's Privileged Remote Access for cloud-native infrastructure. The trade-off is operational complexity: self-hosting Teleport requires maintaining the auth service, proxy, and node components. Note also that since Teleport 15 the core source is AGPL-3.0 and Community Edition builds carry a separate licence with limits on commercial use; confirm the current terms before a production deployment.
OpenBao — Self-Hosted Vault (HashiCorp Fork)
| Factor | Detail |
|---|---|
| Vendor | OpenBao Project (Linux Foundation): community fork of HashiCorp Vault |
| CLOUD Act Score | 0/25 |
| Deployment | Self-hosted only |
| Edition | Open source (MPL-2.0) |
| Focus | Secrets management, PKI, dynamic credentials |
OpenBao is a Linux Foundation project that forked HashiCorp Vault after HashiCorp moved Vault to the Business Source License in 2023 (HashiCorp itself has since been acquired by IBM). When self-hosted on EU infrastructure, it has zero US-jurisdiction exposure. OpenBao covers the secrets management and dynamic credential generation use cases that overlap with BeyondTrust Password Safe's vault capabilities.
OpenBao does not provide session recording or privileged remote access; it is a secrets management tool, not a full PAM suite. For organisations whose primary BeyondTrust use case is credential vaulting rather than session management, OpenBao and Teleport together cover the full PAM scope at 0/25 CLOUD Act risk.
Migration Path: BeyondTrust Cloud → EU-Native PAM
Week 1–2: Credential Export and Inventory
- Export Password Safe managed accounts to CSV (BeyondTrust Admin Console → Managed Accounts → Export)
- Catalogue all privileged account types: Windows local admin, service accounts, SSH keys, database credentials, API tokens
- Document all PRA jump items (remote access targets)
- Review EPM policy sets for portability
Week 3–4: EU-Native Deployment
- Deploy Wallix Bastion or PrivX CE on EU IaaS (Hetzner CCX13 €26/mo, OVHcloud Advance-4 €35/mo)
- Import managed accounts from CSV export
- Configure LDAP/AD integration for user provisioning
- Set up session recording storage on EU-controlled object storage (Hetzner Object Storage €0.0115/GB)
Week 5–6: Parallel Run
- Run BeyondTrust and EU-native PAM in parallel
- Migrate jump items / remote access targets to new system
- Test session recording, credential checkout, approval workflows
- Validate SIEM integration (BeyondInsight → EU-SIEM)
Week 7–8: Cut-Over
- Update IT runbooks to reference new PAM URLs and endpoints
- Revoke BeyondTrust Cloud access, cancel subscription
- Archive BeyondTrust session recordings locally for retention period compliance
- Update DPIA documentation to reflect eliminated US-jurisdiction processing
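The inventory and cut-over steps above, as an added example that is not part of the original post or of any vendor's tooling: a Go program that reads a managed-account export and sorts each account into buckets for the parallel-run and cut-over phases. The CSV column layout and the sample rows are constructed for this example; BeyondTrust's real export has its own columns, so adjust the header check before use. The point it adds to the plan is rotation: every secret that was ever held in the US-hosted vault should be rotated, those past your rotation-policy age before import and the rest immediately after cut-over, because copies persist in the former vendor's backups until its retention period expires and remain compellable there.

```go
package main

import (
	"encoding/csv"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// SampleExport is a constructed stand-in for the Password Safe CSV export; the
// column set is an assumption for this example, not BeyondTrust's real layout.
const SampleExport = `system,account,type,owner,last_changed
db01.intra,svc_backup,service,platform-team,2025-01-10
db01.intra,svc_backup,service,platform-team,2025-01-10
fw-edge,admin,local-admin,,2024-03-02
bastion01,root,ssh-key,ops,2025-05-20
`

// Plan groups the exported accounts by what has to happen to each one before
// and after cut-over. Keys are "system/account".
type Plan struct {
	ByType      map[string]int
	Duplicates  []string // same system/account exported twice: reconcile before import
	NoOwner     []string // cannot be imported until an owner is assigned
	RotateFirst []string // older than maxAge at cut-over: rotate before import
	RotateAfter []string // everything else: rotate immediately after cut-over
}

// PlanMigration parses the export and places every account in exactly one bucket.
// Every secret is rotated at some point: copies stay in the old vendor's backups
// until its retention period ends, so cut-over alone removes nothing.
func PlanMigration(export string, cutover time.Time, maxAge time.Duration) (Plan, error) {
	rows, err := csv.NewReader(strings.NewReader(export)).ReadAll()
	if err != nil {
		return Plan{}, err
	}
	if len(rows) == 0 || strings.Join(rows[0], ",") != "system,account,type,owner,last_changed" {
		return Plan{}, errors.New("unexpected export header")
	}
	p := Plan{ByType: map[string]int{}}
	seen := map[string]bool{}
	for i, r := range rows[1:] { // csv.Reader guarantees every row has 5 fields
		changed, err := time.Parse("2006-01-02", r[4])
		if err != nil {
			return Plan{}, fmt.Errorf("row %d: %w", i+2, err)
		}
		key := r[0] + "/" + r[1]
		if seen[key] {
			p.Duplicates = append(p.Duplicates, key)
			continue
		}
		seen[key] = true
		p.ByType[r[2]]++
		switch {
		case strings.TrimSpace(r[3]) == "":
			p.NoOwner = append(p.NoOwner, key)
		case cutover.Sub(changed) > maxAge:
			p.RotateFirst = append(p.RotateFirst, key)
		default:
			p.RotateAfter = append(p.RotateAfter, key)
		}
	}
	for _, l := range [][]string{p.Duplicates, p.NoOwner, p.RotateFirst, p.RotateAfter} {
		sort.Strings(l)
	}
	return p, nil
}

func main() {
	p, err := PlanMigration(SampleExport, time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC), 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", p)
}
```

Run it with the real export substituted for SampleExport and the cut-over date from the week 7 plan; the RotateFirst list is the work item for week 3, the NoOwner list blocks import until someone takes ownership, and the RotateAfter list becomes the checklist for the day the BeyondTrust subscription is cancelled.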
Cost comparison (100 privileged accounts):
| Platform | Annual Cost | CLOUD Act Risk |
|---|---|---|
| BeyondTrust Cloud (Password Safe + PRA) | ~€40,000–€80,000 | 17/25 |
| Wallix Bastion Enterprise | ~€15,000–€30,000 | 0/25 |
| PrivX Enterprise | ~€12,000–€25,000 | 1/25 |
| Teleport Enterprise | ~€8,000–€20,000 + infra | 0/25 (self-hosted) |
| Wallix Bastion Community (free tier) | €0 + infra | 0/25 |
The December 2024 BeyondTrust Breach: A Supply Chain Warning
On 30 December 2024, the US Treasury Department disclosed to the Senate Banking Committee that a China state-sponsored actor (attributed in subsequent public reporting to Silk Typhoon, not the telecom-focused Salt Typhoon) had compromised BeyondTrust's Remote Support SaaS earlier that month. The attackers obtained an API key for the cloud service, used it to override the service's security and reset application passwords, and remotely accessed Treasury workstations and unclassified documents.
This incident is directly relevant to EU organisations' CLOUD Act risk assessment for two reasons:
- The attack vector was BeyondTrust's cloud infrastructure, not the customer's own systems. This demonstrates that US-hosted PAM SaaS creates a third-party supply chain risk that extends beyond normal vendor trust assessments.
- The compellability risk and the breach risk are correlated: the same cloud infrastructure that the US government can compel BeyondTrust to provide access to under the CLOUD Act is the infrastructure that state-sponsored attackers targeted. EU organisations storing privileged credentials in US PAM clouds face both vectors simultaneously.
Under NIS2 Art.21(2)(d), EU entities in scope must take "supply chain security" measures. A PAM vendor whose US-hosted cloud was breached by a state-sponsored actor in 2024 warrants explicit documentation in your supply chain risk register.
Regulatory Checklist
| Regulation | Requirement | BeyondTrust Cloud | Wallix Bastion (EU) |
|---|---|---|---|
| GDPR Art.44 | Lawful transfer mechanism to third country | SCCs required (inadequate alone) | Not required (EU processing) |
| GDPR Art.28 | DPA with processor | Available | Available |
| DORA Art.9(4)(c)-(d) | Access-rights administration and strong authentication for financial entities | Controls exist; jurisdiction risk remains | Controls exist; no jurisdiction risk |
| NIS2 Art.21(2)(d) | Supply chain security | Supply chain risk: 2024 breach | No US supply chain exposure |
| NIS2 Art.21(2)(i) | Access control policies | Compliant | Compliant |
| EUCS High (draft scheme, not yet adopted) | Sovereignty criteria in the earlier drafts | Would not meet (US entity controls data) | Would meet (EU control) |
Summary
BeyondTrust Corporation's Delaware incorporation and Francisco Partners PE ownership place all BeyondTrust Cloud data — Password Safe vault contents, PRA session recordings, EPM telemetry, Identity Security Insights profiles — under CLOUD Act compulsion authority. The 17/25 score reflects five concrete GDPR exposure vectors that cannot be remediated by standard contractual clauses alone.
The 2024 breach of BeyondTrust Remote Support SaaS adds a supply chain security dimension to the standard jurisdictional analysis: EU organisations using BeyondTrust Cloud face both the legal compellability risk and the demonstrated operational risk of US-hosted PAM infrastructure being targeted by advanced threat actors.
EU-native alternatives, Wallix Bastion (ANSSI/BSI certified, 0/25), PrivX CE (Finnish-listed, 1/25) and Teleport CE (self-hosted, 0/25), cover the credential-vaulting and session-management scope with no US-jurisdiction exposure, often at lower total cost of ownership. None of them replaces Endpoint Privilege Management on Windows and Mac, so that workload needs a separate assessment.
For organisations subject to DORA, NIS2, or preparing for EUCS High Level certification, migrating privileged access management to EU-sovereign infrastructure is both a compliance obligation and a supply chain security improvement.
sota.io runs entirely on EU infrastructure. No US cloud providers, no CLOUD Act exposure. Start your free trial — deploy in minutes on servers that answer to European law.