Dashlane EU Alternative 2026: The French-Founded Password Manager That Moved to Delaware

Post #3 in the sota.io EU Password Manager Compliance Series

Dashlane began as a Parisian startup in 2009. Its founders were French. Its first office was in Paris. For years, Dashlane marketed itself as a European-sensibility product — minimal, elegant, privacy-conscious.

In 2019, Dashlane quietly relocated its parent company to New York City. The entity that operates Dashlane today — Dashlane, Inc. — is incorporated in Delaware, headquartered in New York, and fully subject to US federal law, including the CLOUD Act.

This matters for EU organisations. The French roots are real history. The Delaware incorporation is the current legal reality.

This guide explains the legal geography of Dashlane in 2026, what it means under GDPR Article 44, and which EU-based alternatives provide jurisdiction that stays within Europe.

Who Controls Dashlane in 2026?

Dashlane was co-founded by Emmanuel Schalit and Bernard Liautaud. The company operated from Paris under Dashlane SAS, a French simplified joint-stock company. Dashlane SAS remains active as a French subsidiary — but it is not the controlling entity.

The corporate structure that matters in 2026:

• Dashlane, Inc. — Delaware C-Corp, headquartered in New York City — parent company and primary operator
• Dashlane SAS — Paris, France — European subsidiary (engineering and operations)
• Infrastructure: Amazon Web Services (AWS) — primarily us-east-1 (N. Virginia) and eu-central-1 (Frankfurt)
• Key investors: Rho Capital Partners (New York), FirstMark Capital (New York), Bessemer Venture Partners (US VC), Alkeon Capital (New York hedge fund)

Dashlane raised approximately $237 million in total funding before pivoting from consumer to B2B around 2020. In 2022, it was reported to be exploring strategic options including acquisition discussions. As of 2026, it operates as a private US-incorporated company with a European engineering base.

The entity you sign a contract with — and that holds your organisation's vault data — is the Delaware-incorporated US parent.

CLOUD Act: How Dashlane's Delaware Incorporation Creates Federal Jurisdiction

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act, 2018) allows US federal law enforcement — the FBI, DEA, and other federal agencies — to compel US-incorporated companies to disclose data stored anywhere in the world, including on servers physically located in EU member states.

The key legal test is corporate control, not data location. Because Dashlane, Inc. is incorporated in Delaware and registered in New York, it falls under US federal jurisdiction. If a federal court issues a warrant under CLOUD Act Section 103(a), Dashlane's Delaware parent is legally required to disclose vault contents — including vault data stored on its Frankfurt AWS servers — without first notifying the affected EU customer or organisation.

The Dashlane-specific exposure path:

1. Dashlane, Inc. (Delaware) receives a CLOUD Act warrant from a US federal court
2. The warrant covers data held by Dashlane's infrastructure, including eu-central-1 (Frankfurt)
3. Dashlane must comply, or seek to challenge the warrant in US court (not in EU court, not under EU law)
4. The EU customer is not notified during this process (gag orders are standard in CLOUD Act warrants)
5. The EU customer cannot invoke GDPR Art. 44 protections against this access — CLOUD Act compliance is a legal obligation under US law, not a GDPR violation from Dashlane's perspective

What Dashlane's privacy policy says: Dashlane's Privacy Policy notes that it may be required to disclose information "in response to lawful requests by public authorities, including to meet national security or law enforcement requirements." This is the CLOUD Act disclosure clause, written to signal compliance without specifying the mechanism.

Why the Frankfurt Servers Do Not Solve the Problem

Dashlane's enterprise product advertises EU data residency. Data can be configured to remain in the eu-central-1 (Frankfurt) AWS region. This is a genuine feature that prevents data from physically leaving the EU.

Physical residency does not determine legal jurisdiction.

Two separate CLOUD Act exposure paths exist for Dashlane Frankfurt data:

Path 1 — Via Dashlane, Inc.: The warrant is served on the Delaware parent. The parent has administrative access to its own infrastructure, including Frankfurt servers. The parent must comply with the warrant and can access Frankfurt-stored data.

Path 2 — Via AWS: Even if Dashlane's corporate access could be restricted, AWS itself is a US corporation (Amazon.com, Inc., Delaware). AWS Ireland Limited and AWS Germany are subsidiaries of the US parent. US courts have held that CLOUD Act warrants can reach data held by foreign subsidiaries when the US parent has the technical capability to access it — which AWS does, via its global control plane.

The EU Court of Justice addressed a structurally similar argument in the Schrems II ruling (C-311/18, 2020): data transfer adequacy cannot be guaranteed when the receiving country's national security apparatus can access data through mechanisms outside the data subject's control. While Schrems II targeted the US Privacy Shield, the CJEU's reasoning about structural inaccessibility to legal redress applies equally to CLOUD Act access via US-incorporated processors.

Dashlane's Zero-Knowledge Architecture: Security vs. Legal Jurisdiction

Dashlane's security architecture is genuinely well-designed. Its zero-knowledge model means that Dashlane does not hold decryption keys for vault contents. Passwords are encrypted locally using AES-256 before they reach Dashlane's servers. Master passwords are never transmitted.

What zero-knowledge protects against: Dashlane employees and insiders cannot read your vault contents. Data breaches of Dashlane's servers reveal only encrypted blobs, not passwords.

What zero-knowledge does not protect against: A CLOUD Act warrant for encrypted vault data. Law enforcement agencies understand zero-knowledge architecture. A CLOUD Act warrant directed at Dashlane would typically request:

• The encrypted vault blob (to be decrypted by the target, under court order)
• Metadata: IP addresses, login timestamps, device fingerprints, email addresses, vault access logs
• The master password hash (for offline brute-force attempts if computing resources permit)
• Account creation date, billing address, payment information

For enterprise threat models — where the concern is state-level adversaries or highly resourced law enforcement — zero-knowledge encryption is a meaningful partial mitigation. But it is not jurisdictional isolation. The encrypted data is still US-subject.

GDPR Article 44 and Third-Country Transfers

Under GDPR Article 44, personal data may only be transferred to a third country (outside the EEA) if adequate protection is ensured. For US recipients, this currently requires one of:

• EU-US Data Privacy Framework (DPF): Dashlane, Inc. is certified under the EU-US Data Privacy Framework (as of 2024). DPF certification allows transatlantic data transfers.
• Standard Contractual Clauses (SCCs): Dashlane includes SCCs in its DPA for enterprise customers.
• Binding Corporate Rules (BCRs): Not applicable (Dashlane is not large enough to have BCRs).

The problem with DPF as the sole safeguard for Dashlane:

The EU-US Data Privacy Framework was challenged before the CJEU by NOYB in August 2023. The case (C-446/23) is pending as of 2026, with an opinion expected. The DPF was designed specifically to address the Schrems II concerns — but NOYB argues it still does not provide adequate redress for EU citizens against FISA Section 702 surveillance, which is the primary mechanism enabling NSA access to cloud data.

If the CJEU invalidates the DPF (as it did with Privacy Shield in Schrems II), organisations relying solely on DPF for Dashlane data flows would face an immediate compliance gap — the same situation that occurred overnight when Schrems II invalidated the Privacy Shield in July 2020.

SCC limitations for password managers: SCCs are contractual obligations. They require Dashlane to notify EU customers of CLOUD Act warrants where legally possible. However, CLOUD Act warrants typically include gag orders that make notification legally impossible. The SCC obligation exists; the practical ability to fulfil it does not.

What EU DPAs Have Said About US Password Manager Providers

No EU DPA has issued a formal decision specifically targeting Dashlane. However, the pattern of DPA enforcement on US-based SaaS tools provides strong indicators:

CNIL (France — Dashlane's home DPA): In 2022, CNIL issued guidance that Google Analytics was incompatible with GDPR due to US data transfers under FISA 702. The legal reasoning — that adequacy of protection cannot be guaranteed when US intelligence services have structural access — applies equally to any US-incorporated SaaS provider processing EU personal data.

DSB (Austria), IMY (Sweden), Datatilsynet (Denmark): These DPAs ruled Google Analytics illegal in 2022. The enforcement pattern (starting with analytics, moving toward broader SaaS) suggests that US-incorporated processors handling sensitive business data — including enterprise password managers — are in the enforcement pipeline.

BfDI (Germany): The German Federal Commissioner for Data Protection has consistently held that transfers to the US require supplementary measures beyond SCCs when FISA 702 access is possible. For a Delaware-incorporated entity like Dashlane Inc., BfDI guidance would treat standard SCC coverage as insufficient without additional technical safeguards.

EU Alternatives: Password Managers Without US Jurisdiction

The following alternatives are incorporated in EU or Swiss jurisdiction, with no US parent exposure.

Passbolt — Luxembourg, AGPL-3.0, Team-First

Passbolt SA is incorporated in Luxembourg (EU member state). The product is 100% open-source under AGPL-3.0 and designed specifically for team password sharing — the enterprise use case where Dashlane competes.

Corporate structure:

• Passbolt SA — Luxembourg — parent and operator
• No US investors disclosed in Luxembourg company filings
• Founder-led (Kevin Muller, CEO — French-Luxembourg)

Deployment options:

• Self-hosted on your own EU infrastructure (Hetzner, OVHcloud, Scaleway, Ionos)
• Passbolt Cloud — hosted by Passbolt SA on EU servers
• Docker and Kubernetes deployment supported

GDPR posture:

• No CLOUD Act exposure (Luxembourg corporate domicile)
• Self-hosted option = zero data leaves your EU infrastructure
• Open-source = auditable end-to-end
• GPG-based encryption model (public/private key per user)

Limitations:

• No mobile app as polished as Dashlane (web extension is primary interface)
• Self-hosted option requires sysadmin capability
• Cloud version is more expensive per seat than Dashlane Business at equivalent scale

Best for: Engineering teams, IT departments, organisations with sysadmin capacity who prioritise auditability over consumer-grade polish.

Proton Pass — Switzerland, Proton AG Umbrella

Proton AG is incorporated in Geneva, Switzerland. Switzerland is not an EU member but holds an EU adequacy decision (Article 45 GDPR) and — critically — is outside US jurisdiction. No CLOUD Act. No FISA 702. Swiss law does not compel disclosure to foreign governments without formal MLAT proceedings, which are significantly slower and more transparent than CLOUD Act warrants.

Proton Pass was launched in April 2023 as part of the Proton ecosystem (ProtonMail, ProtonVPN, ProtonDrive).

Corporate structure:

• Proton AG — Geneva, Switzerland — parent
• Proton Foundation — Geneva — ownership structure (non-profit-adjacent)
• No US investors; primary funding from MIT endowment and European sources at founding

Infrastructure:

• Proton-owned data centres in Geneva and Zurich
• No AWS, Azure, or Google Cloud (vertically integrated infrastructure)

GDPR posture:

• Swiss adequacy decision (Article 45) — transfer is lawful without additional safeguards
• No CLOUD Act
• Swiss Federal Act on Data Protection (FADP, revised 2023) — broadly GDPR-equivalent
• End-to-end encrypted; Proton cannot decrypt vault contents
• Proton Pass on F-Droid (no Google Play dependency for mobile)

Limitations:

• Newer product than Dashlane — some enterprise admin features still maturing (bulk import, directory sync)
• Swiss jurisdiction (not EU) — some public sector procurement specifications require EU-domiciled providers

Best for: Privacy-first teams, SMEs, organisations comfortable with Swiss jurisdiction, Proton ecosystem users.

Self-Hosted Vaultwarden — Your Infrastructure, Your Jurisdiction

Vaultwarden (formerly Bitwarden_rs) is an unofficial, community-maintained server implementation of the Bitwarden API, written in Rust. It is MIT-licensed and can be deployed on any server — including your own EU infrastructure.

What Vaultwarden provides:

• Full Bitwarden client compatibility (browser extensions, mobile apps, desktop apps)
• All premium Bitwarden features (TOTP, file attachments, emergency access) without Bitwarden Premium subscription
• Deployment on EU infrastructure under your full control

Jurisdiction:

• If you deploy Vaultwarden on Hetzner (Germany), OVHcloud (France), or another EU-native provider, the data controller is you — under German or French law respectively
• No US corporate parent
• No CLOUD Act
• You control the encryption keys (unlike Dashlane and most SaaS providers)

Trade-offs:

• You are responsible for backups, updates, uptime, and security patching
• No vendor support (community forums only)
• Bitwarden Inc. (Florida) develops the client applications — but client apps connect to your self-hosted server, not to Bitwarden's infrastructure
• Requires Docker/Podman and a reverse proxy (nginx, Caddy)

Best for: Technical teams, small-to-medium engineering organisations with existing infrastructure, organisations with a hard requirement for data ownership.

Padloc — German GmbH, EU-Incorporated

Padloc GmbH is incorporated in Germany (EU member state, BayLDA jurisdiction). Padloc is a smaller provider but fully EU-native.

Corporate structure:

• Padloc GmbH — Germany
• Founder: Martin Kleinschrodt (German)
• Open-source core (AGPL)

GDPR posture:

• German Datenschutzrecht applies (BDSG + GDPR)
• BayLDA supervisory authority
• No US parent, no CLOUD Act exposure

Limitations:

• Smaller ecosystem than Passbolt or Proton Pass
• Enterprise features still developing

Best for: German organisations requiring German-DPA-supervised processor.

KeePassXC — Community Open-Source, No Corporate Backend

KeePassXC is a community fork of KeePass, maintained by KeePassXC Team (international contributors, no corporate entity). The database is a local file — there is no backend server, no cloud sync, no corporate entity.

GDPR posture:

• No data is transmitted anywhere
• Vault is a local .kdbx file
• Sync via your choice of EU cloud storage (Nextcloud on Hetzner, Seafile self-hosted, etc.)

Limitations:

• No built-in sync (you manage sync separately)
• No native mobile app (KeePassDX on Android, Strongbox on iOS — separate community apps)
• No SLA, no support, no vendor

Best for: Individual developers, small teams with high technical capability, organisations that want absolute zero-dependency on any cloud provider.

Migration from Dashlane to an EU Alternative

Dashlane supports export in CSV format. The export is accessible from Settings → Security dashboard → Export data.

Migration path to Passbolt (self-hosted):

1. Export Dashlane vault as CSV (Settings → Export data → CSV)
2. Passbolt supports CSV import from popular formats; a custom field mapping may be required
3. Deploy Passbolt via Docker: git clone https://github.com/passbolt/passbolt_docker && docker compose up
4. Enable LDAP/SCIM sync for Active Directory or Google Workspace provisioning

Migration path to Proton Pass:

1. Export from Dashlane as CSV
2. Proton Pass Import: Settings → Import → Dashlane (native Dashlane CSV support)
3. Proton Pass Business includes admin dashboard, user provisioning, and audit logs

Migration path to Vaultwarden:

1. Deploy Vaultwarden: docker pull vaultwarden/server:latest
2. Configure with PostgreSQL backend and reverse proxy (Caddy recommended)
3. Export from Dashlane as CSV → Import via Bitwarden web vault (which connects to your Vaultwarden instance)
4. Bitwarden Import: Settings → Import data → Dashlane (CSV) format

Decision Framework: Which Alternative Fits Which Organisation

Summary: Dashlane's Delaware Reality and the Path Forward

Dashlane's French origins are genuine. The engineering team in Paris is real. But the parent company that controls vault data, signs enterprise contracts, and holds Delaware incorporation is Dashlane, Inc. — a US corporation subject to the CLOUD Act.

For EU organisations with GDPR obligations — especially those handling employee credentials, client access, or systems that could be subpoenaed in US legal proceedings — Dashlane's Delaware status creates an inherent compliance tension that no privacy policy, DPA, or SCC can fully resolve while CLOUD Act remains in force.

The EU-native alternatives — Passbolt in Luxembourg, Proton Pass in Switzerland, Vaultwarden self-hosted in your EU infrastructure — provide the jurisdictional clarity that GDPR Article 44 requires. The migration paths are mature. The enterprise feature sets are production-ready.

The question for each organisation is not whether to use a password manager. It is whether the password manager's legal address is in a jurisdiction that EU law can actually reach.

This guide is part of the sota.io EU Password Manager Compliance Series. Previous posts covered LastPass (LogMeIn → GoTo, Delaware C-Corp) and 1Password (AgileBits, Canada / Five Eyes).