Delinea EU Alternative 2026: Secret Server Cloud, TPG Capital's PE Ownership, and CLOUD Act Jurisdiction Over Privileged Access Data
Post #3 in the sota.io EU Privileged Access Management (PAM) Series
Delinea is the third-largest Privileged Access Management (PAM) vendor by market share. It was formed in 2021 when TPG Capital, a US private equity firm, acquired Thycotic and combined it with Centrify, two US-headquartered PAM companies. The Delinea brand launched in early 2022.
Delinea Inc. is incorporated in Delaware. Under the CLOUD Act (18 U.S.C. §2713), a provider of electronic communication or remote computing services that is subject to US jurisdiction must preserve and disclose data in its possession, custody or control in response to a valid US warrant or order, regardless of where that data is physically stored. EU Standard Contractual Clauses do not bind the US government, no EU court is involved, and a non-disclosure order (18 U.S.C. §2705(b)) can prevent the provider from telling your organisation that production occurred.
For European organisations running Secret Server Cloud, Connection Manager, or Privilege Manager, this creates a concrete GDPR compliance problem: every privileged credential stored in the cloud vault, every session recording capturing admin activity, and every endpoint privilege event logged by Privilege Manager exists within US CLOUD Act jurisdiction. CLOUD Act score: 16/25.
This guide identifies five concrete GDPR exposure vectors and presents EU-native PAM alternatives that eliminate the jurisdictional problem entirely.
Delinea's Corporate Structure
| Entity | Role | Jurisdiction |
|---|---|---|
| Delinea Inc. | Operating company | Delaware / Redwood City, California |
| TPG Capital | Beneficial owner (PE) | Fort Worth, Texas / San Francisco, California |
| Thycotic Software Ltd. (legacy) | UK/EMEA entity | England & Wales |
| Centrify (legacy EMEA operations) | Absorbed into Delinea EMEA | Various EU entities |
The critical point for CLOUD Act analysis is Delinea Inc. in Delaware — this is the legal entity that operates Secret Server (vault), Connection Manager (session management), Privilege Manager (EPM), Server PAM, DevOps Secrets Vault, and the Delinea Platform SaaS. European subsidiary entities handle sales and support, not cloud infrastructure or data processing agreements.
TPG Capital acquired Thycotic in 2021 and combined it with Centrify, which Thoma Bravo had taken private in 2018 and sold to TPG the same year; Centrify's earlier venture backers (Accel Partners and Mayfield Fund among them) were likewise US investors. The resulting Delinea Inc. carries the combined CLOUD Act exposure of both predecessor companies: Thycotic's Secret Server cloud deployments and Centrify's identity-centric PAM (formerly Centrify Zero Trust Privilege) have been consolidated under a single Delaware entity.
TPG Capital is a US private equity firm that does not itself process Delinea customer data. It is an investor, not a controller or processor, so GDPR Art.26 (joint controllers) does not reach it and it sits outside GDPR's territorial scope. Delinea's own processing remains subject to GDPR (Art.3), but no binding instrument constrains the owner's governance decisions about where and how Delinea processes data.
CLOUD Act Score: 16/25
| Risk Factor | Score | Rationale |
|---|---|---|
| Delaware incorporation | 4/4 | Delinea Inc. is a provider subject to US jurisdiction under 18 U.S.C. §2713; CLOUD Act compulsion applies unconditionally |
| US PE beneficial ownership (TPG Capital) | 3/4 | TPG Capital controls Delinea; ultimate beneficial owner outside GDPR territorial scope |
| Secret Server Cloud vault | 3/4 | Privileged credentials, SSH keys, API tokens stored in Delinea-controlled cloud infrastructure under US jurisdiction |
| Connection Manager session recordings | 2/4 | Full session recordings capture admin activity = personal data (GDPR Art.4(1)); stored on US-controlled SaaS |
| Privilege Manager endpoint telemetry | 2/4 | Application launch events, elevation attempts, blocked executables — personal behavioural data per user per endpoint |
| DevOps Secrets Vault | 1/4 | CI/CD pipeline secrets and service account credentials stored in US-jurisdiction cloud |
| Delinea Platform (unified SaaS) | 1/4 | New unified cloud platform consolidates all product data streams under single US-controlled control plane |
| Total | 16/25 |
Comparator: in the earlier posts in this series CyberArk scores 19/25 and BeyondTrust 17/25 (FedRAMP authorisation plus the December 2024 breach via its Remote Support SaaS). Delinea's 16/25 reflects the same structural exposure without a comparable publicly documented breach, but the same CLOUD Act compulsion applies unconditionally.
Five GDPR Exposure Vectors
1. Secret Server Cloud — Vault Data Under US Jurisdiction
Secret Server is Delinea's flagship product — a privileged credential vault used by over 300,000 enterprise users worldwide. The cloud-hosted version (Secret Server Cloud) stores SSH keys, Windows admin passwords, database credentials, API tokens, service account credentials, and PAM workflow data in Delinea's US-controlled cloud infrastructure.
Under CLOUD Act §2713, the US DOJ or other federal law enforcement can compel Delinea to produce data in its possession, custody or control, including the contents of Secret Server Cloud, on the strength of a US warrant or order; no EU court is involved. A non-disclosure order under 18 U.S.C. §2705(b) can additionally prohibit Delinea from notifying your organisation that production has occurred. (A National Security Letter under 18 U.S.C. §2709 is narrower: it reaches subscriber and transactional records rather than stored content, but carries its own gag provision.)
GDPR implications:
- Art.44: Transfer of personal data (administrator identities, credential access logs) to a third country; the EU-US Data Privacy Framework adequacy decision (2023) or SCCs with supplementary measures may legitimise the transfer on paper, but neither removes the §2713 compulsion
- Art.5(1)(f): Integrity and confidentiality principle — credentials accessible to US authorities undermine security guarantees
- Art.32: Appropriate technical measures cannot be guaranteed when the vault operator is subject to compelled disclosure
Self-hosted Secret Server (on-premises or on EU-resident VPS) mitigates this specific risk, but requires infrastructure management and removes Delinea's cloud HA guarantees.
2. Connection Manager — Session Recordings as Personal Data
Connection Manager provides privileged session management and recording — the ability to capture, replay, and audit privileged sessions initiated by IT administrators. Each recorded session contains video-level detail of admin activity: terminal commands, GUI interactions, files accessed, configurations changed, systems touched.
Under GDPR Art.4(1), session recordings are personal data: they identify the individual administrator and document their behaviour step by step. Recital 26 offers no way out, since a recording of a named admin's session cannot be anonymised without destroying its audit value.
When these recordings are stored in Delinea's cloud infrastructure:
- The data is subject to US CLOUD Act compulsion
- Delinea cannot guarantee that US authorities won't access these recordings
- Your DPIA (GDPR Art.35; systematic monitoring of employees is a standard trigger) cannot document a technical safeguard against compelled disclosure by the operator itself
Connection Manager also integrates with Delinea Platform for centralised audit analytics — meaning session metadata flows to the unified US-controlled SaaS control plane even when recordings are nominally stored locally.
3. Privilege Manager — Endpoint Behavioural Profiling Under US Jurisdiction
Privilege Manager provides Endpoint Privilege Management (EPM) — controlling which applications standard user accounts can elevate to privileged status on Windows and macOS endpoints. Every elevation event, every blocked application launch, every application control policy evaluation generates a telemetry record that includes: user identity, endpoint name, application path, timestamp, and elevation outcome.
Aggregated across a corporate endpoint fleet, Privilege Manager telemetry is a behavioural profile of each administrator's and privileged user's system interaction patterns, and personal data under GDPR Art.4(1). Because it is employee monitoring, Art.88 allows member-state law and collective agreements to impose additional conditions, and the systematic-monitoring DPIA criteria apply.
Privilege Manager reports and analytics are processed through Delinea's US-controlled cloud platform. The DOJ can compel production of this telemetry alongside Secret Server vault data in a single CLOUD Act request targeting Delinea Inc.
4. Delinea Platform — Unified SaaS Control Plane
Delinea's strategic direction is consolidating Secret Server, Connection Manager, Privilege Manager, Server PAM, and DevOps Secrets Vault into the Delinea Platform — a unified cloud SaaS platform launched in 2023. The Platform provides centralised identity intelligence, risk analytics, and policy management across all PAM products.
The Delinea Platform is operated by Delinea Inc. Delinea offers EU data-centre regions for Secret Server Cloud and the Platform, but region selection changes where the data physically sits, not which entity has possession, custody or control of it, and that is the test §2713 applies. The Platform is the control plane for the consolidated product suite, meaning:
- Identity analytics correlating privileged user behaviour across all PAM products are processed by a US-jurisdiction operator
- Policy configuration and enforcement decisions are controlled from the same US-jurisdiction control plane
- Cross-product audit trails (who accessed what vault secret, then opened what session, then elevated what endpoint privilege) are consolidated under that single entity
This consolidation amplifies CLOUD Act exposure: a single legal request to Delinea Inc. can compel production of the entire cross-product privilege activity profile for any individual user.
5. TPG Capital PE Governance — No Binding EU Data Obligations
Delinea is not a publicly listed company; it is owned by the private equity firm TPG Capital. Unlike public companies with SEC disclosure obligations and shareholder-elected boards, PE-owned companies are governed by their investor's priorities.
TPG Capital is not within GDPR's territorial scope (Art.3): it neither processes the data nor offers services to EU data subjects. There is no binding legal instrument requiring it to apply EU data protection principles when making governance decisions about Delinea's operations.
A supervisory authority (GDPR Art.51 ff.) examining the ownership chain would find:
- The ultimate decision-maker (TPG's board) is outside EU jurisdiction
- Binding Corporate Rules (Art.47), which would extend GDPR protections up to a parent, bind a group of undertakings, not a fund and its portfolio companies, and none are published for Delinea
- The EU GDPR representative (Art.27) is a European legal entity, but does not control the US parent's behaviour
This governance gap does not take Delinea's own processing outside GDPR: monetising customer data or re-architecting processing would still be Delinea's act and still bound by the Regulation. What GDPR cannot reach is the ownership decision itself: TPG can restructure Delinea or sell it to another US entity without any EU data protection review.
EU-Native PAM Alternatives
Wallix Bastion — 0/25 (Gold Standard for EU Compliance)
Wallix Group SA (Paris, France; Euronext Growth Paris: ALLIX) is a French-incorporated, EU-listed PAM vendor. Wallix Bastion provides:
- Privileged session management and recording (stored on EU infrastructure)
- Password vault with secrets rotation
- Access control and just-in-time access
- Endpoint privilege management via WALLIX BestSafe (Wallix Trustelem is the company's separate identity and SSO product, not an EPM)
CLOUD Act risk: 0/25 — no US parent, no US institutional investor with control rights, no US cloud infrastructure dependency.
Certifications:
- ANSSI CSPN certification and ANSSI qualification (French National Cybersecurity Agency)
- BSI C5 (German Federal Office for Information Security, Type 2 attestation)
- NIS2 Art.21(2) and DORA Art.9(4)(d) compliant PAM controls documented
- Listed in ANSSI's Catalogue of Qualified Security Solutions
Wallix serves 1,900+ organisations across EU member states, including French government ministries and critical infrastructure operators. For organisations classified as NIS2 essential entities, Wallix Bastion takes the Chapter V transfer analysis and the CLOUD Act supplementary measures out of the DPIA, because there is no third-country operator to mitigate; the DPIA itself remains, since recording administrator sessions is systematic monitoring of employees whoever hosts the recordings.
Pricing: Enterprise licensing; contact for quote. Typically €15,000-80,000/year for mid-enterprise deployments.
PrivX Community Edition — 1/25 (Finnish, Open Core)
SSH Communications Security Oyj (Helsinki, Finland; Nasdaq Helsinki: SSH1V) provides PrivX as an open-core PAM platform. PrivX CE covers:
- Zero-standing-privileges (ZSP) just-in-time privileged access
- Session recording and audit trail
- Secrets vault with rotation
- Role-based access control with MFA
CLOUD Act risk: 1/25 — Finnish company (outside US jurisdiction), EU-hosted infrastructure. The 1/25 reflects minor US cloud dependency for optional cloud-hosted PrivX instances; self-hosted PrivX CE scores 0/25.
PrivX takes a different architectural approach than Delinea: for interactive access it issues short-lived certificates just-in-time instead of handing out vaulted passwords or long-lived SSH keys, so standing privileged credentials exist only for the targets that cannot accept certificates (those still go into the PrivX vault with rotation). That shrinks the population of long-lived credentials a CLOUD Act demand could reach; it does not remove the session recordings and audit logs, which remain personal data wherever they are stored.
Pricing: PrivX CE is free for up to 20 target servers. Enterprise from €500/month.
Teleport Community Edition — 0/25 (Self-Hosted)
Teleport (Gravitational Inc., California) develops Teleport. The Community Edition is no longer Apache 2.0: since 2024 its binaries ship under the Teleport Community License, which restricts commercial use by larger organisations, with the source available under AGPL-3.0, so check the current terms before relying on it as a free enterprise PAM. While the company is US-based, self-hosted Teleport CE on EU-resident infrastructure scores 0/25: the CLOUD Act cannot compel production of data that Gravitational does not hold or control.
Teleport provides:
- Certificate-based access to SSH, Kubernetes, databases, and web applications
- Session recording with full audit trails
- Role-based access control and hardware token MFA
- Secrets-free access (no stored credentials — same ZSP approach as PrivX)
Self-hosted Teleport CE eliminates US jurisdiction: your EU VPS or on-premises server holds all data. The US vendor provides software only; it has no access to your deployment.
Teleport Cloud (managed SaaS) scores differently: Gravitational Inc. controls the data, reintroducing CLOUD Act exposure. Use self-hosted CE for EU compliance.
Pricing: Teleport CE is free under the Teleport Community License (see above). Teleport Enterprise from $15,000/year.
OpenBao — 0/25 (Linux Foundation, Mozilla 2.0)
OpenBao is a community fork of HashiCorp Vault maintained under the Linux Foundation (via LF Edge). It was forked from the last MPL-licensed Vault release after HashiCorp moved Vault to the Business Source License in August 2023, and stays under the Mozilla Public License 2.0.
Why this matters: HashiCorp Vault is now BSL-licensed and, following IBM's acquisition of HashiCorp (announced April 2024, closed February 2025), controlled by IBM Corp. (Armonk, NY; CLOUD Act score 20/25 in this series). OpenBao removes that dependency by continuing the open-source development path under foundation governance.
OpenBao provides:
- Secrets management (dynamic credentials, static secrets, PKI, SSH certificate authority)
- Identity-based access (AppRole, Kubernetes, and the other auth methods carried over from Vault)
- Transit encryption as a service
- Compatible with Vault API (migration path from HashiCorp Vault)
Self-hosted OpenBao on EU infrastructure: 0/25. No US entity controls the software or the data.
Pricing: Free and open source.
Risk Matrix: Delinea vs EU-Native PAM
| Dimension | Delinea | Wallix Bastion | PrivX CE | Teleport CE | OpenBao |
|---|---|---|---|---|---|
| CLOUD Act Score | 16/25 | 0/25 | 1/25 | 0/25 | 0/25 |
| Jurisdiction | US (Delaware) | EU (France) | EU (Finland) | EU (self-hosted) | EU (self-hosted) |
| NIS2 Art.21(2)(i) access control | ⚠️ Third-country transfer analysis | ✅ EU-resident, ANSSI-qualified | ✅ EU-resident | ✅ EU-resident (self-hosted) | ✅ EU-resident (self-hosted) |
| DORA Art.9(4) / Art.29 | ⚠️ Concentration-risk assessment | ✅ EU-resident, C5 attested | ✅ EU-resident | ✅ EU-resident (self-hosted) | ✅ EU-resident (self-hosted) |
| ANSSI/BSI Cert | ❌ None published | ✅ ANSSI + BSI C5 | ✅ Finnish NCSC | ❌ CE only | ❌ CE only |
| Session Recording | US jurisdiction | EU on-prem | EU on-prem | EU on-prem | N/A (vault only) |
| Vault Data | US jurisdiction | EU on-prem | EU on-prem | N/A (no static creds) | EU on-prem |
| Endpoint EPM | US telemetry | ✅ EU-resident | ❌ Limited | ❌ Limited | ❌ N/A |
| Market maturity | High (enterprise) | High (EU gov) | Medium (enterprise) | High (cloud-native) | Medium (DevOps) |
Compliance Implications: NIS2 and DORA
NIS2 (Art.21(2)(i)) requires essential and important entities to implement access control policies, which is where PAM sits, and Art.21(2)(d) requires supply chain security covering the relationship with each direct supplier and service provider. Using a US-jurisdiction PAM vendor creates a documented compliance gap on both counts:
- DPIA obligation (GDPR Art.35): Systematic monitoring of administrator activity triggers a DPIA whichever platform hosts it; with a US-controlled platform the DPIA must also assess compelled access and identify a supplementary measure that actually works against it
- Third-country transfer (GDPR Art.44-49): Vault data and session recordings handled by a US-controlled operator require a transfer mechanism (Data Privacy Framework or SCCs) plus supplementary measures
- NIS2 Art.21(2)(d) supply chain risk: US government compelled access to your PAM provider is a supplier-specific risk that must be documented and mitigated
- NIS2 Art.23 incident reporting: A CLOUD Act production by your PAM vendor is not an event you would be told about, so it never reaches your Art.23 reporting; you may never know it happened
DORA: Art.9(4) requires financial entities to restrict and administer logical access rights to ICT assets, and Art.28-29 require them to manage ICT third-party risk and to assess ICT concentration risk before contracting. A US-jurisdiction PAM vendor holding privileged access to your entire EU financial infrastructure is exactly the kind of concentration the Art.29 assessment has to justify to the competent authority (ECB or national supervisor).
Practical path: DPOs at NIS2 essential entities and DORA-in-scope financial institutions increasingly ask vendors for EU-jurisdiction hosting guarantees backed by a recognised attestation. The EUCS cloud certification scheme is not yet finalised, so no vendor holds it; the proxies in use today are ANSSI qualification/SecNumCloud and BSI C5. Delinea publishes neither; Wallix Bastion holds ANSSI CSPN certification and qualification plus a BSI C5 attestation, the closest EU equivalents available today.
Migration Guide: Delinea → Wallix Bastion
Phase 1: Inventory (Weeks 1-2)
```bash
# Export Secret Server vault inventory via the Delinea REST API.
# $TOKEN is an OAuth2 bearer token obtained from POST /oauth2/token.
# Search results are paged: the server caps `take`, so for vaults larger than
# one page loop over `skip` until the response's hasNext is false.
curl -sS -H "Authorization: Bearer $TOKEN" \
  "https://your-instance.secretservercloud.com/api/v1/secrets?filter.includeRestricted=true&take=1000&skip=0" \
  | jq -c '.records[] | {id, name, folderId, secretTemplateId, secretTemplateName}' > secret_inventory.json

# Count secrets by template (secret_inventory.json holds one JSON object per line)
jq -r '.secretTemplateName' secret_inventory.json | sort | uniq -c | sort -rn
```
Document:
- Total secret count (typical enterprise: 500-50,000 secrets)
- Secret templates (Windows account, SSH key, database, API key, custom)
- Folder structure and access control groups
- Integration points (CI/CD pipelines, automation scripts, monitoring tools)
Phase 2: Parallel Deployment (Weeks 3-6)
Deploy Wallix Bastion on EU-resident infrastructure:
Wallix Bastion is delivered as a virtual appliance (OVA/ISO for VMware or KVM) or as a hardware appliance; it is not an installable package you drop onto an arbitrary VPS, so plan the hosting around the appliance image:
- Host it on EU-resident infrastructure you control: an EU provider such as Hetzner (Germany, 0/25) or your own datacentre. A 4 vCPU / 8 GB VM is a reasonable pilot size; size production and session-recording storage from Wallix's sizing guidance rather than a fixed number of sessions, because recordings dominate disk growth.
- The installer image and an evaluation licence come from Wallix (sales@wallix.com).
- Keep recordings and backups on the same EU-resident storage: offloading them to a US-controlled object store reintroduces the exposure you are removing.
Phase 3: Secret Migration (Weeks 7-10)
```python
#!/usr/bin/env python3
"""
Migrate Windows account secrets from Delinea Secret Server to Wallix Bastion.
Requires: Delinea REST API access + Wallix Bastion API access.

Credentials are read from the environment, never from the source file. Secret
Server search results are paged (the server caps `take`), the template is
matched by name because numeric template IDs differ between instances, every
request carries a timeout and raises on HTTP errors, and no secret value is
ever printed. The Wallix endpoint path below is illustrative: confirm it
against your Bastion's REST API reference before running against production.
"""
import os
import sys

import requests

# Delinea Secret Server configuration (OAuth2 bearer token from /oauth2/token)
DELINEA_BASE_URL = os.environ["DELINEA_BASE_URL"]  # https://your-instance.secretservercloud.com
DELINEA_TOKEN = os.environ["DELINEA_TOKEN"]

# Wallix Bastion configuration
WALLIX_BASE_URL = os.environ["WALLIX_BASE_URL"]  # https://your-wallix-instance.company.eu
WALLIX_USER = os.environ["WALLIX_USER"]
WALLIX_PASSWORD = os.environ["WALLIX_PASSWORD"]

TIMEOUT = 30      # seconds per request
PAGE_SIZE = 500   # Secret Server enforces its own maximum for `take`

delinea = requests.Session()
delinea.headers["Authorization"] = f"Bearer {DELINEA_TOKEN}"


def get_delinea_secrets(folder_id=None):
    """Fetch every secret summary, following the API's skip/take paging."""
    params = {"filter.includeRestricted": "true", "take": PAGE_SIZE, "skip": 0}
    if folder_id:
        params["filter.folderId"] = folder_id
    records = []
    while True:
        resp = delinea.get(f"{DELINEA_BASE_URL}/api/v1/secrets", params=params, timeout=TIMEOUT)
        resp.raise_for_status()
        page = resp.json()
        records.extend(page["records"])
        if not page.get("hasNext") or not page["records"]:
            return records
        params["skip"] += len(page["records"])


def get_delinea_secret(secret_id):
    """Fetch one secret with its field items (this is the call that returns the password)."""
    resp = delinea.get(f"{DELINEA_BASE_URL}/api/v1/secrets/{secret_id}", timeout=TIMEOUT)
    resp.raise_for_status()
    return resp.json()


def field_value(detail, field_name):
    """Pull a named field (Username, Password, Machine...) out of the secret's items list."""
    return next((i["itemValue"] for i in detail["items"] if i["fieldName"] == field_name), "")


def create_wallix_account(target, username, password, description=""):
    """Create a privileged account in Wallix Bastion (endpoint path illustrative, see docstring)."""
    payload = {
        "account_name": username,
        "account_type": "password",
        "description": description,
        "credentials": {"password": password},
    }
    resp = requests.post(
        f"{WALLIX_BASE_URL}/api/targets/{target}/accounts",
        auth=(WALLIX_USER, WALLIX_PASSWORD),
        json=payload,
        timeout=TIMEOUT,
        verify=True,  # never disable TLS verification: the payload is a live credential
    )
    resp.raise_for_status()
    return resp.json() if resp.content else {}


def migrate_windows_secrets(secrets, template_name="Windows Account"):
    """Migrate secrets of one template; returns (migrated_count, skipped_secret_ids)."""
    migrated, skipped = 0, []
    for secret in secrets:
        if secret.get("secretTemplateName") != template_name:
            continue
        detail = get_delinea_secret(secret["id"])
        username = field_value(detail, "Username")
        password = field_value(detail, "Password")
        # The Windows Account template carries the host in its Machine field;
        # fall back to the secret name only when it is empty.
        target = field_value(detail, "Machine") or detail["name"]
        if not (username and password):
            skipped.append(secret["id"])  # record the ID only, never the values
            continue
        create_wallix_account(
            target=target,
            username=username,
            password=password,
            description=f"Migrated from Delinea Secret Server secret {secret['id']}",
        )
        migrated += 1
    return migrated, skipped


if __name__ == "__main__":
    print("Starting Delinea -> Wallix migration...")
    secrets = get_delinea_secrets()
    print(f"Found {len(secrets)} secrets")
    migrated, skipped = migrate_windows_secrets(secrets)
    print(f"Migrated {migrated} Windows account secrets; skipped {len(skipped)}: {skipped}")
    print("Review Wallix Bastion to verify migration completeness before decommissioning Delinea.")
    sys.exit(1 if skipped else 0)
```
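The script ends by asking you to verify completeness by eye. What follows is an added example (editor's code, not Delinea's or Wallix's) of doing that check mechanically: it reconciles a Delinea inventory against the account list the Bastion reports back, by (target, username) only, because the Bastion never returns passwords and a completeness check should never handle them. The record shapes are assumptions modelled on the page's migration script (Delinea summaries carrying `secretTemplateName`, with the Username item merged in from the per-secret detail call; Wallix accounts as device/account_name pairs), and the sample exports are constructed inline.

```python
"""
Post-migration reconciliation: Delinea Secret Server inventory vs Wallix Bastion.

Editor-added example, not Delinea or Wallix code. Record shapes are assumptions:
Delinea entries mirror GET /api/v1/secrets summaries (id, name,
secretTemplateName, folderPath) with the Username item merged in from the
per-secret detail call; Wallix entries are (device, account_name) pairs, which
is all a Bastion exposes. Nothing here reads or compares a password.
"""
from collections import Counter

# Constructed sample exports standing in for the two API responses.
DELINEA_INVENTORY = [
    {"id": 101, "name": "dc01.corp.example", "secretTemplateName": "Windows Account",
     "folderPath": "\\Infra\\AD", "username": "svc-backup"},
    {"id": 102, "name": "dc01.corp.example", "secretTemplateName": "Windows Account",
     "folderPath": "\\Infra\\AD", "username": "Administrator"},
    {"id": 103, "name": "db01.corp.example", "secretTemplateName": "SQL Server Account",
     "folderPath": "\\Data\\SQL", "username": "sa"},
    {"id": 104, "name": "bastion-jump", "secretTemplateName": "Unix Account (SSH Key Rotation)",
     "folderPath": "\\Infra\\Linux", "username": "root"},
    {"id": 105, "name": "ci-deploy-token", "secretTemplateName": "API Key",
     "folderPath": "\\DevOps\\CI", "username": ""},
]
WALLIX_ACCOUNTS = [
    {"device": "dc01.corp.example", "account_name": "svc-backup"},
    {"device": "db01.corp.example", "account_name": "sa"},
    {"device": "legacy-nas", "account_name": "admin"},  # never existed in Delinea
]

# Templates the account-migration phases map onto Wallix accounts; anything
# else (API keys, certificates, free-form notes) needs its own plan.
IN_SCOPE_TEMPLATES = frozenset({
    "Windows Account", "SQL Server Account", "Unix Account (SSH Key Rotation)",
})


def summarise_by_template(records):
    """Phase 1 view: how many secrets of each template the vault holds."""
    return Counter(r["secretTemplateName"] for r in records)


def reconcile(delinea, wallix, in_scope=IN_SCOPE_TEMPLATES):
    """Compare presence by (target, username); secret values are never touched.

    missing    - in-scope Delinea secrets with no matching Wallix account
    unexpected - Wallix accounts with no Delinea origin (review before cut-over)
    deferred   - Delinea secrets outside this phase's templates or lacking a username
    """
    wallix_keys = {(a["device"], a["account_name"]) for a in wallix}
    seen = set()
    result = {"missing": [], "unexpected": [], "deferred": []}
    for r in delinea:
        if r["secretTemplateName"] not in in_scope or not r["username"]:
            result["deferred"].append((r["id"], r["secretTemplateName"]))
            continue
        key = (r["name"], r["username"])
        seen.add(key)
        if key not in wallix_keys:
            result["missing"].append(key)
    result["unexpected"] = sorted(wallix_keys - seen)
    return result


def migration_complete(result):
    """Cut-over gate: nothing in scope may be missing and nothing unexplained present."""
    return not result["missing"] and not result["unexpected"]


def report(result):
    """Human-readable lines; identifiers only, never credentials."""
    lines = []
    for target, user in result["missing"]:
        lines.append(f"MISSING    {user}@{target}")
    for target, user in result["unexpected"]:
        lines.append(f"UNEXPECTED {user}@{target}")
    for secret_id, template in result["deferred"]:
        lines.append(f"DEFERRED   secret {secret_id} ({template})")
    lines.append("COMPLETE" if migration_complete(result) else "INCOMPLETE")
    return lines


if __name__ == "__main__":
    for template, n in summarise_by_template(DELINEA_INVENTORY).most_common():
        print(f"{n:5d}  {template}")
    print("\n".join(report(reconcile(DELINEA_INVENTORY, WALLIX_ACCOUNTS))))
```

Run it after each migration phase with the in-scope template set widened to what that phase covers, and gate the Delinea decommission on migration_complete() returning True. Presence is only half the check: for each migrated account, follow up with a Wallix password check-out or test connection so that a typo in the migration payload is caught before the old vault is gone.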
Phase 4: Connection Manager → Wallix Session Manager (Weeks 11-12)
Wallix Session Manager replaces Delinea Connection Manager. Key mapping:
| Delinea Connection Manager | Wallix Session Manager |
|---|---|
| Session Policies | Session Policies |
| Target Account Mapping | Target Account Mapping |
| Session Recordings | Session Recordings (EU-resident storage) |
| Live Session Monitoring | Live Session Monitoring |
| RDP/SSH/VNC proxy | RDP/SSH/SFTP/Telnet proxy |
Wallix recordings are stored locally on the Bastion appliance — no US cloud involvement.
Phase 5: Privilege Manager → WALLIX BestSafe EPM (Weeks 13-16)
WALLIX BestSafe provides endpoint privilege management for Windows endpoints (confirm current macOS and Linux coverage with Wallix before planning the agent swap). Migration:
- Export Privilege Manager application control rules to CSV
- Import into BestSafe policy format (check with Wallix for migration tooling)
- Deploy the BestSafe agent to endpoints (replaces the Privilege Manager agent)
- Verify elevation rules and blocked application policies match, on a pilot group first
Cost Comparison: Delinea vs Wallix Bastion
| Component | Delinea (Cloud) | Wallix Bastion (EU On-Prem) |
|---|---|---|
| PAM vault (500 secrets) | ~€18,000/year | ~€15,000/year |
| Session management (50 concurrent) | Included | Included |
| EPM (1,000 endpoints) | ~€8,000/year | ~€6,000/year |
| Infrastructure | Delinea cloud (US) | EU-resident VM (e.g. Hetzner, Germany, approx. €37/month) plus session-recording storage |
| Support | Enterprise SLA | EU-based support |
| Total (3 years) | ~€78,000 | ~€64,000 |
Note: Wallix infrastructure costs are indicative; Wallix enterprise licensing contact required.
DPIA savings: an EU-resident PAM does not remove the DPIA (GDPR Art.35) for administrator session monitoring, but it removes the Chapter V transfer analysis, the SCCs (Art.46) and the CLOUD Act supplementary measures from it. DPO and legal costs for maintaining those supplementary measures typically exceed the infrastructure cost differential.
Decision Framework: When to Migrate from Delinea
| Scenario | Recommendation |
|---|---|
| NIS2 essential entity (energy, transport, health, banking) | Migrate to Wallix Bastion: ANSSI qualification and BSI C5 attestation are the evidence competent authorities recognise |
| DORA-in-scope financial institution | Migrate to Wallix Bastion: an EU-jurisdiction provider simplifies the Art.29 concentration-risk assessment |
| GDPR DPO cannot justify SCCs + supplementary measures | Migrate to Wallix or PrivX CE |
| Self-hosted Secret Server already deployed | Add Wallix or OpenBao as parallel vault; migrate by folder/team |
| Startup / SME, DevOps-focused secrets | OpenBao or Teleport CE (lower complexity, open source) |
| Public sector (French/German/Dutch government) | Wallix Bastion (ANSSI/BSI certified, preferred EU government vendor) |
| Current Delinea contract >18 months remaining | Plan migration; implement parallel EU deployment; migrate at contract renewal |
Summary
Delinea Inc. is a Delaware-incorporated PAM vendor owned by the US private equity firm TPG Capital. Under the CLOUD Act, every privileged credential stored in Secret Server Cloud, every session recording in Connection Manager, every endpoint event logged by Privilege Manager, and all analytics in the Delinea Platform are subject to US government compulsion without EU court oversight.
CLOUD Act score: 16/25. Five concrete GDPR exposure vectors: Secret Server Cloud vault (Art.44 transfer), session recordings as personal data (Art.5(1)(f) + Art.32), endpoint telemetry profiling (Art.4(1), Art.88), Delinea Platform unified SaaS (US-controlled control plane), TPG Capital PE governance gap (owner outside GDPR's territorial scope).
EU-native alternatives eliminate these risks entirely:
- Wallix Bastion (0/25): Production-ready enterprise PAM, ANSSI CSPN certified and qualified, BSI C5 attested, documented NIS2/DORA control mapping, 1,900+ EU organisations
- PrivX CE (1/25): Zero-standing-privileges architecture, Finnish company, self-hosted 0/25
- Teleport CE (0/25): Self-hosted, source available under AGPL-3.0 with binaries under the Teleport Community License, eliminates static credential storage entirely
- OpenBao (0/25): Linux Foundation HashiCorp Vault fork, Mozilla 2.0, 100% open source
For NIS2 essential entities and DORA-in-scope financial institutions, EU-resident PAM is no longer a preference; it is becoming a de facto regulatory expectation as competent authorities scrutinise third-country vendor relationships under NIS2 Art.21(2)(d) and (i) and DORA Art.28-29.
Next in the EU PAM Series: HashiCorp Vault EU Alternative 2026 — IBM's acquisition of HashiCorp (announced 2024, closed 2025) moves Vault from startup independence to CLOUD Act 20/25 exposure, and why OpenBao, forked after the 2023 licence change, is the EU-compliant successor.
Previously: BeyondTrust EU Alternative 2026 — Francisco Partners' PAM investment and the December 2024 US Treasury breach.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.