CyberArk PAM EU Alternative 2026: Privileged Session Recordings, Admin Credentials, and CLOUD Act Exposure Under US Jurisdiction

Post #1 in the sota.io EU Privileged Access Management (PAM) Series

CyberArk is the world's largest Privileged Access Management (PAM) vendor — and every privileged session recording, vault-stored credential, and admin access event you entrust to CyberArk SaaS flows through a corporate structure that sits squarely within reach of the US CLOUD Act (18 U.S.C. §2713).

This matters more for PAM than for almost any other enterprise software category. Your PAM system stores the literal keys to your kingdom: database passwords, SSH private keys, API tokens, service account credentials, and full video recordings of every privileged session your administrators conduct. Under GDPR Art.4(1), those session recordings are personal data. Under the CLOUD Act, a US law enforcement agency can compel CyberArk Inc. to produce them — without notifying your organization, without requiring a mutual legal assistance treaty, and without an EU court order.

This guide covers CyberArk's corporate structure, scores the GDPR risk at 19/25, identifies five concrete risks under GDPR Art.28/44/46, and presents EU-native alternatives that eliminate the jurisdictional exposure.

CyberArk's Corporate Structure: Israel Parent, US Operating Entity

CyberArk's dual-entity structure is the starting point for any GDPR analysis:

The critical fact: CyberArk Software Inc. is a US person under 18 U.S.C. §2713 (CLOUD Act). This means US law enforcement can serve CyberArk Software Inc. with a legal order compelling disclosure of data stored anywhere in the world — including data stored in the EU.

CyberArk's GDPR Data Processing Agreements reference CyberArk UK Ltd. as the EU-based processor for marketing contacts but route actual product data (vault credentials, session recordings, telemetry) through CyberArk Software Inc.'s infrastructure. The Standard Contractual Clauses (SCCs) under GDPR Art.46(2)(c) that CyberArk offers do not eliminate the CLOUD Act risk — they are contractual instruments that cannot override US statutory obligations.

CLOUD Act Risk Score: 19 / 25

Using the sota.io GDPR Risk Matrix (25-point scale assessing US nexus, data sensitivity, transfer mechanism adequacy, and statutory compellability):

For comparison: IBM QRadar scored 20/25, Microsoft Sentinel ~19/25, Splunk 20/25.

Five Concrete GDPR Risks

Risk 1: Privileged Session Recordings Are Personal Data

CyberArk Privileged Session Manager (PSM) records all privileged sessions — including full video capture, keystroke logging, and command auditing — for every administrator connecting to databases, servers, and cloud consoles. Under GDPR Art.4(1), a recording of a person operating a system is personal data linked to that person. These recordings are stored in the CyberArk Vault, which under SaaS deployment is CyberArk Software Inc.'s infrastructure.

CLOUD Act consequence: The US DOJ can compel CyberArk to produce session recordings containing footage of your EU administrators, their working patterns, and all commands they executed — without a court order meeting EU standards and without informing your organization in advance.

GDPR risk: GDPR Art.44 prohibits transfers of personal data to third countries (here: US via CLOUD Act) without an adequate transfer mechanism. SCCs do not prevent compelled disclosure; they merely require CyberArk to notify the data exporter — which may arrive after the data has already been transferred.

Risk 2: The Vault Is the Crown Jewels

CyberArk Enterprise Password Vault (EPV) and Digital Vault are the primary storage locations for your organization's privileged credentials: production database passwords, root SSH keys, cloud provider API keys (AWS/GCP/Azure root access), service account credentials, and certificate private keys. In a CLOUD Act scenario, an order compelling CyberArk to produce vault contents is effectively an order granting US law enforcement indirect access to every system those credentials protect.

GDPR Art.32 implication: Storing all privileged credentials with a single US-controlled provider creates a structural concentration risk — a single CLOUD Act order could compromise the security of your entire EU infrastructure.

Risk 3: CyberArk Identity SaaS — SSO Tokens Under US Control

CyberArk Identity (formerly Idaptive) provides SSO, adaptive MFA, and user behaviour analytics. Authentication events, session tokens, device fingerprints, and risk scores for every user logging into enterprise applications flow through CyberArk Identity's SaaS infrastructure. Under NIS2 Art.21(2)(i), identity and access management is a mandatory security measure for essential entities — but implementing it via a US-controlled SaaS means authentication metadata is compellable.

Risk 4: CyberArk Secrets Hub — Developer Credentials Sync

CyberArk Secrets Hub synchronises secrets between CyberArk Vault and cloud-native secrets stores (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager). This creates a bi-directional flow where CyberArk Software Inc. acts as the orchestration layer. Even if individual secrets are also stored in EU-region cloud services, the synchronisation metadata, access audit logs, and policy configurations flow through CyberArk's US infrastructure.

Risk 5: Vendor-Assisted Investigations

CyberArk's security research team (Project Sentry, Red Team researchers) regularly works with US federal agencies on cyber threat investigations. This creates a structural pathway — not just a theoretical one — through which CyberArk's US entity may receive or respond to US law enforcement requests involving customer infrastructure data.

GDPR Art.28 Due Diligence Requirements

Under GDPR Art.28, you must conduct due diligence on CyberArk as a processor. Key questions your DPA with CyberArk should address — and the realistic answers:

NIS2 Art.21(2)(i): Access Control as a Mandatory Measure

NIS2 Directive (EU) 2022/2555, Art.21(2)(i) requires essential and important entities to implement access control policies and asset management as part of the mandatory security measures. For most medium-to-large essential entities, this means deploying a PAM solution.

The irony for NIS2 compliance: implementing PAM with a CLOUD Act-exposed US vendor to satisfy NIS2 Art.21(2)(i) simultaneously creates a NIS2 Art.21(2)(d) supply chain risk — since NIS2 Art.21(2)(d) requires appropriate security measures in the supply chain, including ICT service providers.

BSI Grundschutz (OPS.1.1.3 — Privileged Access Management) and ANSSI's Recommandations de sécurité pour l'administration des systèmes both recommend PAM solutions with EU data residency for governmental and critical infrastructure entities in Germany and France respectively.

EU-Native Alternatives to CyberArk

Wallix Bastion (0/25 CLOUD Act Risk)

Legal entity: Wallix Group SA, 10 rue Thierry Le Luron, Paris 17e, France. Listed on Euronext Growth Paris (ALLIX). No US parent, no US subsidiary, no CLOUD Act nexus.

CLOUD Act score: 0/25. Wallix is 100% French. Your privileged session recordings, credential vaults, and access logs are under French and EU jurisdiction only. Wallix does not have a US operating entity that can receive CLOUD Act orders.

Certifications:

• ANSSI CSPN (French National Agency for Information Security) certified
• BSI C5-type-II (German Federal Office for Information Security)
• Qualified for French government and critical infrastructure (IGI 1300)
• NIS2 and DORA compliant by design (built to EU regulatory requirements)

Products matching CyberArk capabilities:

• Wallix Bastion: Privileged session management (equivalent to CyberArk PSM)
• Wallix Password Manager: Credential vaulting (equivalent to CyberArk EPV)
• WALLIX Access Manager: Web-based access gateway
• WALLIX Authenticator: MFA for privileged accounts

Pricing: Enterprise licensing, available via Hetzner Cloud Marketplace and OVHcloud. Starts ~€30/user/month for SME.

Deployment on sota.io: Wallix Bastion Community Edition can be deployed as a containerized workload on sota.io (git-push deploy, Docker Compose). Your vault data never leaves the EU.

PrivX Community Edition — SSH Communications Security (1/25 CLOUD Act Risk)

Legal entity: SSH Communications Security Oyj, Keilaranta 18, 02150 Espoo, Finland. NASDAQ Helsinki (SSH1V). Finnish company under Finnish jurisdiction. EU member state.

CLOUD Act score: ~1/25. SSH Communications Security has no US parent. It has a US sales entity (SSH Communications Security Corp. Waltham MA) for North American sales, but operational data and product infrastructure are Finnish. The minor US nexus via the sales subsidiary pushes the score to 1/25 rather than 0/25.

PrivX features:

• Zero-standing-privilege (ZSP) model: credentials issued just-in-time, expire immediately after use
• SSH/RDP/Kubernetes kubectl session management
• API access control for DevOps workflows
• No persistent credentials stored in vault (by design — eliminates vault breach risk)

Particularly strong for: Kubernetes, cloud-native environments, DevOps/SRE teams

Teleport Open Source (0/25 CLOUD Act on self-hosted)

Legal entity for commercial: Gravitational Inc. San Francisco CA (US). However, Teleport Community Edition is Apache 2.0 licensed.

Self-hosted deployment: When you deploy Teleport CE on your own infrastructure (Hetzner, OVHcloud, Scaleway), there is no data flow to Gravitational Inc.'s servers. Session recordings, audit logs, and credentials are stored entirely on your infrastructure in the EU. CLOUD Act score for self-hosted CE: 0/25.

Do not use: Teleport Cloud (the SaaS offering) — this routes through Gravitational's US infrastructure and reintroduces CLOUD Act risk.

Teleport CE capabilities:

• SSH server access management
• Kubernetes access control
• Database access (PostgreSQL, MySQL, MongoDB) with session recording
• Application access (internal HTTP services)

Limitations vs CyberArk: No Windows RDP recording (requires Teleport Enterprise), no SAP/mainframe connectors. Suitable for cloud-native and Linux-heavy environments.

OpenBao — Community Fork of HashiCorp Vault (0/25 CLOUD Act)

In August 2023, HashiCorp changed Vault's license from MPL 2.0 to the Business Source License (BSL), restricting commercial use. IBM acquired HashiCorp in June 2024 for $6.4B — making HashiCorp Vault a product of IBM Corp. Armonk NY (CLOUD Act score: 20/25 via IBM parent).

OpenBao is the Linux Foundation-hosted community fork of HashiCorp Vault, maintained under Mozilla Public License 2.0. It is fully compatible with Vault's API and deployment patterns. When deployed on EU infrastructure (Hetzner, OVHcloud, sota.io), OpenBao has 0/25 CLOUD Act exposure.

Use case: Secret management, PKI, dynamic credentials for databases and cloud providers. Excellent DevOps-level alternative to CyberArk Secrets Hub.

EU PAM Decision Matrix

Migration Considerations

From CyberArk SaaS to Wallix Bastion

The primary migration challenge is exporting credentials from CyberArk's proprietary vault format. CyberArk provides export utilities via their REST API (GET /AIMWebService/api/Accounts). A typical migration:

1. Credential export: Export all accounts via CyberArk REST API → CSV/JSON → import into Wallix Password Manager
2. Session policy migration: Recreate CyberArk PSM connection components in Wallix Bastion as access policies
3. Integration update: Update applications using CyberArk Application Access Manager (AAM) to use Wallix API or HashiCorp-compatible secrets API
4. Parallel operation: 4-6 week dual-running period during cutover

Python: Assessing Your CyberArk PAM Jurisdiction Risk

from dataclasses import dataclass, field
from enum import Enum
from typing import List

class CloudActRisk(Enum):
    CRITICAL = "critical"   # 18-25: direct US nexus
    HIGH = "high"           # 12-17: indirect US exposure
    MEDIUM = "medium"       # 6-11: limited US nexus
    LOW = "low"             # 0-5: EU-native or self-hosted

@dataclass
class PAMDeploymentRisk:
    vendor: str
    deployment_type: str  # "saas", "on-prem", "hybrid"
    us_entity: bool
    session_recordings_us_hosted: bool
    credentials_us_hosted: bool
    eu_data_residency_guarantee: bool
    scc_offered: bool
    cloud_act_score: int = field(default=0)
    gdpr_risks: List[str] = field(default_factory=list)

    def assess(self) -> CloudActRisk:
        score = 0
        risks = []

        if self.us_entity:
            score += 4
            risks.append("US person under 18 USC §2713 — full CLOUD Act compellability")

        if self.session_recordings_us_hosted:
            score += 4
            risks.append("Session recordings (GDPR Art.4(1) personal data) US-hosted — Art.44 transfer risk")

        if self.credentials_us_hosted:
            score += 4
            risks.append("Privileged credentials US-hosted — indirect access to all protected systems")

        if not self.eu_data_residency_guarantee:
            score += 3
            risks.append("No EU data residency guarantee — default US-primary infrastructure")

        if self.deployment_type == "saas" and self.us_entity:
            score += 4
            risks.append("SaaS + US entity: data compellable regardless of EU server location")

        self.cloud_act_score = min(score, 25)
        self.gdpr_risks = risks

        if self.cloud_act_score >= 18:
            return CloudActRisk.CRITICAL
        elif self.cloud_act_score >= 12:
            return CloudActRisk.HIGH
        elif self.cloud_act_score >= 6:
            return CloudActRisk.MEDIUM
        return CloudActRisk.LOW


# Assessment
cyberark_saas = PAMDeploymentRisk(
    vendor="CyberArk Software Inc.",
    deployment_type="saas",
    us_entity=True,
    session_recordings_us_hosted=True,
    credentials_us_hosted=True,
    eu_data_residency_guarantee=False,
    scc_offered=True,
)
risk = cyberark_saas.assess()
print(f"CyberArk SaaS CLOUD Act Risk: {risk.value.upper()} ({cyberark_saas.cloud_act_score}/25)")
for r in cyberark_saas.gdpr_risks:
    print(f"  ⚠ {r}")

wallix = PAMDeploymentRisk(
    vendor="Wallix Bastion (Wallix Group SA)",
    deployment_type="saas",
    us_entity=False,
    session_recordings_us_hosted=False,
    credentials_us_hosted=False,
    eu_data_residency_guarantee=True,
    scc_offered=False,
)
wallix.assess()
print(f"\nWallix Bastion CLOUD Act Risk: LOW ({wallix.cloud_act_score}/25) ✅")
print("  EU-native: French company, no US nexus, ANSSI + BSI C5 certified")

Output:

CyberArk SaaS CLOUD Act Risk: CRITICAL (19/25)
  ⚠ US person under 18 USC §2713 — full CLOUD Act compellability
  ⚠ Session recordings (GDPR Art.4(1) personal data) US-hosted — Art.44 transfer risk
  ⚠ Privileged credentials US-hosted — indirect access to all protected systems
  ⚠ No EU data residency guarantee — default US-primary infrastructure
  ⚠ SaaS + US entity: data compellable regardless of EU server location

Wallix Bastion CLOUD Act Risk: LOW (0/25) ✅
  EU-native: French company, no US nexus, ANSSI + BSI C5 certified

NIS2 + DORA Compliance Checklist for PAM

For EU essential entities and financial institutions implementing PAM under NIS2 Art.21(2)(i) and DORA Art.9(4)(d):

• PAM vendor is EU-incorporated with no US parent (CLOUD Act nexus eliminated)
• Session recordings stored exclusively in EU-jurisdiction infrastructure
• Privileged credentials vault does not synchronize to US-controlled systems
• Vendor has BSI C5 or ANSSI CSPN certification (or equivalent EU security certification)
• Data Processing Agreement covers ALL processing activities including session recordings
• Transfer Impact Assessment (TIA) conducted under GDPR Art.46 — documented finding that SCCs are insufficient if vendor has US entity
• Just-in-time (JIT) privilege elevation implemented (reduces standing credentials volume)
• Privileged session recording retention policy aligned with GDPR Art.5(1)(e) storage limitation
• Audit log integrity protection (cryptographic signing) — prevents tampering prior to regulatory investigation
• Annual penetration test of PAM infrastructure (NIS2 Art.21(2)(f))

The Infrastructure Layer: Deploying EU-Native PAM on sota.io

If you deploy Wallix Bastion CE, Teleport CE, or OpenBao on sota.io, the infrastructure layer adds zero CLOUD Act exposure:

• sota.io is an EU-native managed PaaS built on Hetzner (Gunzenhausen, Germany)
• No US parent, no CLOUD Act nexus (Hetzner AG = German AG)
• Git-push deployment of containerized PAM workloads
• PostgreSQL 17 included for Teleport/OpenBao backend storage
• Private network isolation for PAM vaults (no public internet exposure required)

Your PAM stack: Wallix/Teleport/OpenBao on sota.io = 0/25 CLOUD Act at both the application and infrastructure layer.

Summary

CyberArk is the market-leading PAM vendor — and scores 19/25 on the GDPR CLOUD Act Risk Matrix, placing it in the "Critical" tier. For EU organizations under NIS2 Art.21(2)(i) and DORA Art.9(4)(d), implementing PAM is mandatory — but implementing it with a US-controlled vendor means the tool designed to protect your privileged access itself represents an unresolved CLOUD Act transfer risk.

The EU-native alternatives are mature:

• Wallix Bastion — the only major PAM vendor with French/EU incorporation, ANSSI CSPN + BSI C5 certified, NIS2/DORA compliant by design
• PrivX CE — Finnish company, zero-standing-privilege architecture, strong for cloud-native teams
• Teleport CE — Apache 2.0, self-hosted, excellent for DevOps/Kubernetes environments
• OpenBao — community fork of HashiCorp Vault (post-IBM acquisition), Mozilla 2.0, zero CLOUD Act on EU infrastructure

Next in the EU PAM Series: BeyondTrust EU Alternative 2026 — Francisco Partners private equity, Atlanta GA, CLOUD Act 17/25, and why your Remote Support and Secure Remote Access sessions are personal data under GDPR Art.4(1).