2026-05-12 · 5 min read · sota.io Team

EU Password Manager Comparison 2026: GDPR Risk Scores for LastPass, 1Password, Dashlane, Keeper, and NordPass

Post #6 in the sota.io EU Password Manager Series

EU password manager GDPR risk score comparison — LastPass, 1Password, Dashlane, Keeper, NordPass

Choosing a password manager for an EU organisation in 2026 means navigating a landscape where five of the most widely deployed enterprise products come from jurisdictions that are legally incompatible with GDPR's third-country transfer restrictions — or carry structural risks that zero-knowledge encryption alone cannot eliminate.

Over the past five posts in this series, we have examined each of the major vendors individually: LastPass's catastrophic breach history and GoTo/LogMeIn Delaware parentage; 1Password's Five Eyes exposure as a Canadian company under PIPEDA; Dashlane's 2019 relocation from Paris to New York; Keeper Security's FedRAMP authorisation and what it means for European users; and NordPass's unusual position as an EU-registered company with offshore ownership in Panama and Cyprus.

This final post distils those findings into a structured GDPR risk score for each vendor across five compliance dimensions, presents the EU-native alternatives that clear each dimension cleanly, and offers a five-question decision framework for security teams that need to justify their choice to a DPO, auditors, or regulators.


Why Jurisdiction Matters More Than Encryption

Before the comparison table, a necessary clarification that comes up in almost every conversation with enterprise security teams: zero-knowledge encryption does not eliminate GDPR transfer risk.

A common argument runs as follows: "If the vendor never has access to plaintext data because the vault is encrypted client-side with a key derived from the master password, the jurisdiction of the company is irrelevant — they cannot hand over what they cannot read."

This argument has two flaws.

Flaw 1: Metadata is not encrypted. Even with end-to-end encrypted vault contents, password manager vendors can observe login timestamps, IP addresses, device identifiers, vault item counts, URL metadata (which sites you have credentials for), team and group membership structure, and billing information. Under the US CLOUD Act, a valid National Security Letter or court order can compel production of this metadata. Under GDPR Article 4(1), metadata that identifies a natural person is personal data. Transfer of that metadata to US law enforcement authorities without GDPR-compatible safeguards is a third-country transfer violation.

Flaw 2: Key derivation infrastructure can be subpoenaed. The zero-knowledge property depends on the server never receiving the master password or derived encryption key. But key derivation configuration, account recovery infrastructure, and emergency access workflows are all server-side components that can be modified or audited under legal compulsion. A vendor cannot prove to regulators that its architecture has never been covertly modified in response to a secret court order.

This is why EU data protection authorities have not accepted zero-knowledge architecture as a complete answer to CLOUD Act transfer questions. The Irish Data Protection Commission, the CNIL, and the EDPB have all taken the position that the controlling legal factor is the nationality and jurisdiction of the data processor — not the technical architecture it claims to use.

With that framing established, here is how each vendor scores.


The GDPR Risk Scoring Framework

We score each vendor across five dimensions on a scale of 0–2 (0 = high risk, 1 = medium risk, 2 = low risk / compliant):

Dimension                             | What it measures
D1 — US CLOUD Act Exposure            | Is the vendor or its parent a US company subject to 18 U.S.C. §2523?
D2 — Five Eyes / Allied Intelligence  | Is the vendor subject to intelligence-sharing arrangements with the US?
D3 — Offshore / Opacity Risk          | Does the ownership structure involve offshore holding entities with limited transparency?
D4 — EU Data Residency                | Can EU customers contractually guarantee their vault data stays on EU infrastructure?
D5 — Open Source / Auditability       | Is the client-side code auditable? Can zero-knowledge claims be independently verified?

Maximum score: 10/10. Higher is better (lower risk).


Vendor Profiles and Risk Scores

LastPass

Corporate structure: LastPass USA, LLC is a Delaware limited liability company, wholly owned by GoTo Technologies USA, Inc. (formerly LogMeIn), which is itself owned by Francisco Partners and Permira — US private equity firms. The entire corporate chain is US-domiciled.

GDPR history: LastPass suffered two catastrophic security incidents in 2022. The August 2022 incident resulted in the theft of source code and technical information. The November 2022 incident — enabled by the first breach — resulted in the exfiltration of encrypted password vaults along with associated unencrypted metadata including website URLs, usernames (but not passwords), company names, billing addresses, telephone numbers, and IP addresses.

The metadata exfiltrated in the November 2022 breach is precisely the category of personal data that GDPR protects. The Irish DPC opened an investigation. In 2023, LastPass disclosed that an employee's personal home computer — used to access corporate systems — had been compromised by a keylogger, which was the initial attack vector. The incident represented a failure of insider threat controls, endpoint security, and privileged access management.

Risk Score:

Dimension               | Score | Rationale
D1 — US CLOUD Act       | 0/2   | Delaware LLC, GoTo/LogMeIn parent, direct CLOUD Act jurisdiction
D2 — Five Eyes          | 0/2   | US domicile is itself Five Eyes membership
D3 — Offshore Risk      | 2/2   | Francisco Partners / Permira PE — US private equity, transparent ownership
D4 — EU Data Residency  | 1/2   | EU data residency option available but US-controlled infrastructure
D5 — Open Source        | 0/2   | Proprietary, not auditable by third parties
Total                   | 3/10  | HIGH RISK — not recommended for GDPR-regulated data

The 2022 breach permanently damaged LastPass's enterprise credibility in the EU. Multiple EU data protection authorities have investigated the incident. Organisations that have not yet migrated away from LastPass should treat the migration as a P0 compliance action.


1Password

Corporate structure: 1Password is built by AgileBits Inc., a corporation incorporated under the laws of Ontario, Canada. AgileBits has no US parent company. In 2019, AgileBits raised USD 200 million from Accel, a US venture capital firm based in Palo Alto. In 2021, it raised USD 620 million in a Series C led by ICONIQ Growth, another US firm.

Five Eyes analysis: Canada is a founding member of the Five Eyes intelligence alliance. The five members — the United States, United Kingdom, Canada, Australia, and New Zealand — operate under binding signals intelligence sharing agreements, primarily through the UKUSA Agreement and its successor frameworks. The legal mechanism that matters for GDPR is the combination of Canada's national security legislation (the Security of Information Act, the Communications Security Establishment Act, and the Canadian Security Intelligence Service Act) with the mutual legal assistance treaty (MLAT) between Canada and the United States.

The European Commission's adequacy decision for Canada (covering PIPEDA) was granted in 2001. The adequacy decision has not been renewed under the modern GDPR framework. The EDPB has noted in multiple opinions that adequacy decisions need to account for national security access to data — the same standard that caused Schrems II to invalidate Privacy Shield for US transfers. A challenge to the Canada adequacy decision on national security grounds remains a live legal risk.

Risk Score:

Dimension               | Score | Rationale
D1 — US CLOUD Act       | 1/2   | No US parent — CLOUD Act does not directly apply to AgileBits Ontario. Indirect risk via US VC equity stakes.
D2 — Five Eyes          | 1/2   | Canada is Five Eyes — intelligence sharing risk with US. Not equivalent to direct CLOUD Act but not clean.
D3 — Offshore Risk      | 2/2   | Ontario corporation, no offshore holding structures
D4 — EU Data Residency  | 1/2   | EU data residency option available; infrastructure on EU-region AWS
D5 — Open Source        | 0/2   | Proprietary client code, not independently auditable
Total                   | 5/10  | MEDIUM-HIGH RISK — Five Eyes exposure is a documented compliance concern

1Password is meaningfully better than LastPass on pure legal risk, but the Five Eyes question is not one that most EU DPOs can dismiss without documentation. Organisations processing Art.9 special-category data (health records, biometrics, trade union membership, political opinions) should treat the Five Eyes exposure as disqualifying.


Dashlane

Corporate structure: Dashlane was founded in Paris in 2009 by Emmanuel Schalit and Alexis Fogel, originally as Dashlane SAS, a French société par actions simplifiée. In 2019, Dashlane relocated its parent company to the United States, reincorporating as Dashlane Inc., a Delaware C-Corp, with headquarters in New York.

The French entity (Dashlane SAS) continues to exist as a European subsidiary, primarily for employment and EU contracting purposes. For GDPR data transfer analysis, the controlling entity is the US parent — Dashlane Inc. — which qualifies as a US Person under the CLOUD Act.

The "French origins" trap: Dashlane is frequently described in media coverage and vendor comparison sites as a French password manager. This characterisation was accurate before 2019. It is misleading today. The parent company that controls product direction, holds intellectual property, and enters into enterprise contracts is a Delaware corporation subject to US law. The fact that the product was founded in France does not change the jurisdictional analysis.

Risk Score:

Dimension               | Score | Rationale
D1 — US CLOUD Act       | 0/2   | Delaware C-Corp, New York HQ — direct CLOUD Act jurisdiction
D2 — Five Eyes          | 0/2   | US domicile is Five Eyes membership
D3 — Offshore Risk      | 2/2   | Straightforward US corporate structure, no offshore complexity
D4 — EU Data Residency  | 1/2   | EU data residency via AWS EU; controlled by US parent
D5 — Open Source        | 0/2   | Proprietary
Total                   | 3/10  | HIGH RISK — French origins are misleading; US parent is controlling entity

Dashlane's risk profile is essentially equivalent to LastPass at the jurisdictional level. The primary difference is the absence of a major security breach — Dashlane's technical security record is better. But the legal risk from the Delaware parent is the same category of risk that caused EU DPAs to rule against Google Analytics, Mailchimp, and Meta's standard contractual clauses.


Keeper Security

Corporate structure: Keeper Security, Inc. is a Delaware C-Corp headquartered in Chicago, Illinois. Keeper was founded in 2011 by Craig Lurey and Darren Guccione. It is a private company with investment from TDF Ventures and Insight Partners, a US private equity and venture capital firm.

FedRAMP and CLOUD Act: Keeper has achieved FedRAMP Moderate Authority to Operate (ATO), meaning it is authorised for use by US government agencies. FedRAMP authorisation is relevant to EU organisations for a counterintuitive reason: it requires the vendor to cooperate with US government security reviews, incident response, and access requirements. A FedRAMP-authorised system is, by design, accessible and auditable by US federal agencies. That is the point of FedRAMP — it provides US government assurance.

For EU organisations, FedRAMP authorisation amplifies the CLOUD Act concern rather than resolving it. An organisation's vault data being processed on a system that US federal agencies can audit and access on demand is precisely the jurisdictional risk that GDPR Article 44 is designed to prevent.

Risk Score:

Dimension               | Score | Rationale
D1 — US CLOUD Act       | 0/2   | Delaware C-Corp, Chicago HQ — direct CLOUD Act jurisdiction
D2 — Five Eyes          | 0/2   | US domicile
D3 — Offshore Risk      | 2/2   | Standard US PE-backed structure, no offshore opacity
D4 — EU Data Residency  | 1/2   | EU region available; FedRAMP infrastructure is US-controlled by design
D5 — Open Source        | 0/2   | Proprietary
Total                   | 3/10  | HIGH RISK — FedRAMP amplifies rather than mitigates CLOUD Act exposure

Keeper performs well on security architecture (zero-knowledge is independently verified) and has a clean breach history compared to LastPass. But the FedRAMP authorisation — marketed as a security credential — is simultaneously evidence that the system is designed for US government accessibility. EU security teams should understand what FedRAMP means before citing it as a compliance justification.


NordPass

Corporate structure: NordPass is operated by Nord Security UAB, a Lithuanian private limited liability company (uždaroji akcinė bendrovė). Nord Security has no US parent company and no direct CLOUD Act nexus. The operating entity is EU-registered and subject to GDPR directly, with the Lithuanian VDAI (Valstybinė duomenų apsaugos inspekcija) as the lead supervisory authority.

The offshore complexity: Nord Security's ownership chain runs through Tefincom S.A. (Panama) and a Cyprus-based intermediate holding structure. Tesonet, the Lithuanian technology group that incubated Nord Security, itself has complex ownership. Panama and Cyprus are jurisdictions used for offshore asset protection — they have limited transparency obligations and neither is subject to GDPR.

The GDPR-relevant question is whether the offshore ownership structure creates a data governance gap. The answer depends on interpretation: the processing entity (Nord Security UAB Lithuania) is unambiguously EU-registered and GDPR-bound. The ownership chain runs through jurisdictions with no equivalent data governance obligations. For organisations evaluating supply chain transparency under DORA Article 28 or NIS2 Article 21, the offshore holding structure represents a documentation burden even if it does not create direct CLOUD Act risk.

General Atlantic investment (2022): US private equity firm General Atlantic acquired an equity stake in Nord Security in 2022. General Atlantic is a Delaware-headquartered firm. An equity stake by a US investor does not automatically make Nord Security UAB a "US Person" under the CLOUD Act. The CLOUD Act applies to electronic communication service providers and remote computing service providers that are US persons — Nord Security UAB as a Lithuanian entity is not a US person by virtue of US PE investment alone. The risk is indirect: potential future acquisition or corporate restructuring that could bring the entity under US jurisdiction.

Risk Score:

Dimension               | Score | Rationale
D1 — US CLOUD Act       | 2/2   | No US parent. General Atlantic equity stake ≠ US person status. No direct CLOUD Act nexus.
D2 — Five Eyes          | 2/2   | Lithuania is not a Five Eyes member. EU member state with VDAI DPA oversight.
D3 — Offshore Risk      | 0/2   | Panama (Tefincom S.A.) + Cyprus holding. Opaque ownership. DORA Art.28 documentation burden.
D4 — EU Data Residency  | 2/2   | EU data centres (Germany, Netherlands). VDAI as lead DPA. DPA available.
D5 — Open Source        | 1/2   | Client-side code not open source, but independent security audits published.
Total                   | 7/10  | MEDIUM-LOW RISK — EU registration is genuine but offshore ownership requires due diligence

NordPass is meaningfully better than the four US/Five Eyes vendors on jurisdictional grounds. The offshore ownership structure is a genuine compliance consideration, not a disqualifier — but it requires documentation work that some compliance teams will not want to take on when cleaner alternatives exist.


The GDPR Risk Score Summary

Vendor     | D1 CLOUD Act | D2 Five Eyes | D3 Offshore | D4 EU Residency | D5 Open Source | Total
LastPass   | 0            | 0            | 2           | 1               | 0              | 3/10
Dashlane   | 0            | 0            | 2           | 1               | 0              | 3/10
Keeper     | 0            | 0            | 2           | 1               | 0              | 3/10
1Password  | 1            | 1            | 2           | 1               | 0              | 5/10
NordPass   | 2            | 2            | 0           | 2               | 1              | 7/10

Three of the five most widely deployed enterprise password managers score 3/10 on GDPR risk. The other two score 5/10 and 7/10. None scores 10/10.

If your threat model requires a 10/10 GDPR risk score — meaning a vendor with no CLOUD Act exposure, no Five Eyes membership, no offshore holding opacity, contractual EU data residency, and fully auditable open-source clients — none of the five major vendors delivers. You need an EU-native alternative.


EU-Native Alternatives That Score 10/10

Passbolt

Corporate: Passbolt SA, Luxembourg société anonyme. No US parent. No offshore holding. EU domicile with CNPD (Commission nationale pour la protection des données) as lead DPA.

Architecture: Open-source, AGPL-3.0 licensed. Client code is fully auditable. Server component is also open source. Zero-knowledge with GPG key pair per user — vault items are PGP-encrypted to each user's public key. No central encryption key exists.

Deployment: Available as cloud-hosted (Luxembourg EU infrastructure), self-hosted on your own infrastructure (Docker, DEB, RPM packages), or enterprise on-premises. Self-hosted removes all third-party processing from the risk picture.

GDPR score: 10/10 — Luxembourg SA, no CLOUD Act, AGPL open-source, EU residency, no offshore.

Best for: Teams that need open-source auditability and are comfortable with GPG-based key management. Developer and engineering teams. Organisations that want to self-host.


Proton Pass

Corporate: Proton AG, a Swiss corporation. Switzerland has an adequacy decision from the European Commission under GDPR Article 45 — Swiss law is considered to provide essentially equivalent protection. Proton was founded at CERN and has no US parent, no US investment from US government-accessible sources, and no offshore holding structure.

Architecture: End-to-end encrypted using Proton's established cryptography stack. Client apps are open source (Apache 2.0). Part of the wider Proton ecosystem (ProtonMail, ProtonVPN, ProtonDrive) with shared infrastructure in Swiss data centres.

Important limitation: Switzerland is not an EU member state. The adequacy decision means that transfers to Proton are not restricted transfers under GDPR Article 44 — no SCCs or BCRs required. But Proton is not subject to GDPR directly; it is subject to Swiss nFADP (the Swiss Federal Act on Data Protection, revised 2023), which is structurally similar but not identical.

GDPR score: 9/10 — Swiss adequacy is strong but not EU-native. Proton is the best non-EU option for most EU organisations.

Best for: Organisations that want a polished consumer-grade UX with strong encryption heritage. Integration with Proton email and VPN ecosystems. Individuals and SMEs.


Vaultwarden (self-hosted Bitwarden)

Architecture: Vaultwarden is an unofficial, open-source implementation of the Bitwarden server API written in Rust. It is fully compatible with all official Bitwarden clients (browser extensions, mobile apps, desktop apps, CLI). Self-hosting Vaultwarden means your vault data never leaves your infrastructure.

GDPR analysis: When self-hosted on EU infrastructure, Vaultwarden involves no third-party data processor at all for vault data. The GDPR Article 28 data processor relationship only arises if you use a hosting provider — in which case the hosting provider is the processor, not a US password manager vendor.

Important caveats: Vaultwarden is a community project, not a company. It does not have a corporate DPA, enterprise support SLA, or formal security programme. For organisations that need vendor-provided security audit reports, SOC 2, or ISO 27001 certification, Vaultwarden does not provide these.

GDPR score: 10/10 (when self-hosted on EU infrastructure) — Zero third-party processor relationship for vault data.

Best for: Technical teams comfortable with self-hosting. Organisations with existing Hetzner/OVHcloud/Scaleway infrastructure. Cost-sensitive deployments.


KeePassXC (fully offline)

Architecture: KeePassXC is an open-source, cross-platform, locally-stored password manager. The .kdbx database file is encrypted with AES-256 and stored wherever you choose — on local disk, network share, or synced via an EU-controlled storage service. There is no server component, no API, no SaaS relationship.

GDPR analysis: KeePassXC involves no data processing by any third party. The risk is entirely in how you synchronise the database file. If you sync via Dropbox or IDrive (US companies), you reintroduce CLOUD Act exposure for the encrypted file. If you sync via Nextcloud (self-hosted), SFTP to your own server, or an EU-native storage provider, the risk is eliminated.

GDPR score: 10/10 (with EU-controlled sync) — No processor relationship, fully auditable open-source code.

Best for: Individuals, small teams, and organisations that need maximum control and minimum attack surface. Offline-capable deployments. Air-gapped environments.


Padloc

Corporate: Padloc GmbH, Germany. German GmbH, BayLDA (Bavarian State Office for Data Protection Supervision) as DPA. No US parent.

Architecture: Open-source (AGPL-3.0). Self-hostable. Cloud-hosted option on EU infrastructure. Simpler feature set than Passbolt or Bitwarden, but fully auditable.

GDPR score: 10/10 — German GmbH, AGPL open-source, no CLOUD Act.

Best for: SMEs that want a simpler alternative to Passbolt with German data protection standing.


The Full Comparison: All Nine Options

Product      | Corp. Domicile     | CLOUD Act    | Five Eyes        | Open Source    | Self-Hostable | GDPR Score
LastPass     | Delaware, US       | ✗ Direct     | ✗ US             | ✗ Proprietary  |               | 3/10
Dashlane     | Delaware, US       | ✗ Direct     | ✗ US             | ✗ Proprietary  |               | 3/10
Keeper       | Delaware, US       | ✗ Direct     | ✗ US             | ✗ Proprietary  |               | 3/10
1Password    | Ontario, CA        | ✗ Indirect   | ✗ Five Eyes      | ✗ Proprietary  |               | 5/10
NordPass     | Lithuania, EU      | ✓ No nexus   | ✓ Not Five Eyes  | Partial        |               | 7/10
Proton Pass  | Switzerland        | ✓ No nexus   | ✓ Not Five Eyes  | ✓ Apache-2     |               | 9/10
Passbolt     | Luxembourg, EU     | ✓ No nexus   | ✓ Not Five Eyes  | ✓ AGPL         | ✓             | 10/10
Vaultwarden  | Community/self     | ✓ No nexus   | ✓ Not Five Eyes  | ✓ AGPL         | ✓             | 10/10
KeePassXC    | Community/offline  | ✓ No nexus   | ✓ Not Five Eyes  | ✓ GPL          | ✓ (local)     | 10/10

Five Questions to Determine Your Required Score

Not every EU organisation needs a 10/10 vendor. The right threshold depends on what data you are protecting and what your regulatory exposure is.

Question 1: Do you process GDPR Article 9 special-category data through your password manager?

Art.9 covers health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, and data concerning sex life or sexual orientation. If your password manager vault contains credentials to systems that process Art.9 data — for example, credentials to your HR system, healthcare application, or identity provider — the jurisdiction question is elevated. Required score: 8/10 minimum, EU-native strongly preferred.

Question 2: Are you subject to DORA (Digital Operational Resilience Act)?

DORA applies to financial entities (banks, insurance, investment firms, payment institutions, crypto-asset service providers) and their ICT third-party providers. DORA Article 28 requires documented due diligence on critical ICT service providers. A password manager that holds credentials to your core banking or trading systems is likely a critical ICT provider. DORA's supply chain transparency requirements make NordPass's offshore holding structure a documentation challenge. Required score: 8/10 minimum.

Question 3: Are you subject to NIS2 Directive obligations?

NIS2 applies to essential and important entities across 18 sectors (energy, transport, banking, healthcare, digital infrastructure, cloud computing, managed services, and more). NIS2 Article 21 requires supply chain security measures including evaluation of your service providers' security practices. An insecure or US-jurisdictioned password manager creates a documented NIS2 supply chain risk. Required score: 7/10 minimum.

Question 4: Do you need to pass ISO 27001 or SOC 2 audits?

If your customers require ISO 27001 certification or SOC 2 reports, your auditors will ask about the jurisdiction and security posture of your password manager. A vendor with a major breach history (LastPass) or an unresolved regulatory investigation creates audit findings. Required score: 7/10 minimum; prefer vendors with their own certification.

Question 5: Do your customers contractually require EU-only data processing?

Some EU enterprise contracts — particularly in government, defence, healthcare, and regulated financial services — include clauses requiring that no personal data be processed by US-owned or US-controlled vendors. If you have signed such contracts, LastPass, Dashlane, Keeper, and 1Password are contractually non-compliant regardless of their technical architecture. Required score: 8/10 minimum.


Migration Guide: Moving from US Vendors to EU-Native Alternatives

Migrating from LastPass

LastPass supports CSV export from Account Settings → Advanced → Export. The export includes site name, URL, username, password, notes, and folder structure.

Passbolt import: Passbolt has a native LastPass CSV importer available in the browser extension under Import. Map the LastPass CSV columns to Passbolt's resource fields. Passwords are encrypted to each recipient's GPG public key during import.

Bitwarden/Vaultwarden import: Bitwarden provides a dedicated LastPass importer (Tools → Import Data → LastPass). Handles folder hierarchy and secure notes. After importing to Bitwarden cloud, you can export from Bitwarden and re-import to a self-hosted Vaultwarden instance.

Steps:

  1. Export LastPass CSV (Account Settings → Export)
  2. Enable 2FA on your new vault before populating it
  3. Import CSV to Passbolt or Vaultwarden
  4. Verify critical credentials are correct before revoking LastPass access
  5. Revoke team member access to LastPass progressively as teams migrate
  6. Rotate all credentials after confirmed migration (LastPass breach means some credentials may be compromised)

Migrating from 1Password

1Password exports in 1PUX format (preferred) or CSV. 1PUX preserves password history, TOTP secrets, SSH keys, credit cards, and custom field types that CSV cannot represent.

Bitwarden/Vaultwarden import: Bitwarden provides a native 1Password 1PUX importer. SSH keys import as secure notes.

Passbolt limitation: Passbolt's import handles standard username/password resources well but has limited support for TOTP secrets and custom field types in the current version. Evaluate carefully if you rely heavily on TOTP autofill from 1Password.

Migrating from Dashlane or Keeper

Both support CSV export. Standard username/password/URL credential types migrate cleanly to any EU-native alternative. The primary migration consideration is TOTP secrets — verify that your new vault's importer handles TOTP correctly before decommissioning the source system.
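A pre-import audit of the exported CSV covers step 4 of the migration steps above (verify credentials before revoking the old vault), the TOTP caveat for Dashlane and Keeper exports, and step 1 of the rotation programme (privileged credentials first). This is an added example, not code from the original post or any vendor; the column names follow LastPass's CSV export (url, username, password, totp, extra, name, grouping, fav) and the sample export is constructed. Other exports are handled by passing a different column mapping.

```python
"""Pre-migration audit of a password-manager CSV export (added example).

Run this on the export before it is imported into the new vault. It reports:
  - entries with an empty password or URL (they import as broken records)
  - duplicate (URL, username) pairs (the importer will create twins)
  - entries carrying a TOTP secret (confirm the new vault's importer keeps them)
  - privileged-looking entries (admin/root/API key/service) to rotate first
"""
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass, field

# Assumed LastPass column names. Secure notes export with url "http://sn" and an
# empty password, so they show up under missing_password; that is expected.
LASTPASS_COLUMNS = {"url": "url", "username": "username", "password": "password",
                    "totp": "totp", "name": "name", "folder": "grouping"}

# Heuristic for credentials that belong at the top of the rotation list.
PRIVILEGED = re.compile(r"\b(admin|root|api[-_ ]?key|service|svc|sa-)\b", re.I)

# Constructed sample export; every value here is made up.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://hr.example.test/login,alice,Secr3t!,,,HR portal,HR,0
https://hr.example.test/login,alice,Secr3t!,,,HR portal (old),HR,0
https://console.example.test,admin,Adm1n-pw,JBSWY3DPEHPK3PXP,,Cloud console admin,Infra,1
https://api.example.test,deploy-bot,,,"rotated in Jan",CI API key,Infra,0
http://sn,,,,"Wi-Fi guest: welcome123",Office Wi-Fi (secure note),Notes,0
"""


@dataclass
class AuditReport:
    total: int = 0
    missing_password: list = field(default_factory=list)
    missing_url: list = field(default_factory=list)
    duplicates: list = field(default_factory=list)
    totp_entries: list = field(default_factory=list)
    rotate_first: list = field(default_factory=list)


def audit_export(csv_text: str, columns: dict = LASTPASS_COLUMNS) -> AuditReport:
    """Parse the export and collect the findings listed in the module docstring."""
    report = AuditReport()
    seen = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        report.total += 1
        url = (row.get(columns["url"]) or "").strip()
        user = (row.get(columns["username"]) or "").strip()
        name = (row.get(columns["name"]) or "").strip() or url
        folder = row.get(columns["folder"]) or ""
        if not (row.get(columns["password"]) or ""):
            report.missing_password.append(name)
        if not url:
            report.missing_url.append(name)
        # Same site + same username is the same credential twice; report the second copy.
        key = (url.lower(), user.lower())
        seen[key] += 1
        if seen[key] == 2:
            report.duplicates.append(name)
        if (row.get(columns["totp"]) or "").strip():
            report.totp_entries.append(name)
        if PRIVILEGED.search(f"{name} {user} {folder}"):
            report.rotate_first.append(name)
    return report


def format_report(report: AuditReport) -> str:
    """Human-readable summary for the migration ticket."""
    lines = [f"entries: {report.total}"]
    for label, items in (("empty password", report.missing_password),
                         ("empty URL", report.missing_url),
                         ("duplicate credential", report.duplicates),
                         ("TOTP secret (verify after import)", report.totp_entries),
                         ("rotate first", report.rotate_first)):
        lines.append(f"{label}: {len(items)}" + (f" -> {', '.join(items)}" if items else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_export(SAMPLE_EXPORT)))
```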

Rotating Credentials Post-Migration

Password migration is only complete when the migrated credentials have been rotated. Exporting a credential list and importing it to a new vault does not remove the old vault's access risk — credentials are still valid. A structured rotation programme should:

  1. Prioritise privileged access credentials (admin accounts, API keys, service accounts)
  2. Rotate customer-facing authentication credentials
  3. Rotate internal system credentials
  4. Document each rotation in your change management system

For organisations migrating from LastPass specifically, credential rotation is a mandatory security action — not just a migration best practice — given the vault data theft in the November 2022 breach.


GDPR Art.17 Right to Erasure and Vault Data

One frequently overlooked compliance consideration: when a team member leaves your organisation, GDPR Article 17 may require you to erase their personal data from your password manager system.

What constitutes personal data in a password manager? The obvious data is the user's own credentials — username, email, and vault items they have personally created. Less obvious: the access logs showing which shared credentials the departing user accessed, the IP addresses and device identifiers from their session history, and any notes fields containing personal information.

Vendor compliance:

For Passbolt and Vaultwarden (self-hosted), erasure is a local administrative action — delete the user account, their GPG public key, and any vault items they alone controlled. Complete erasure is simpler in self-hosted environments because you control the database directly.


The Procurement Decision Framework

For security and procurement teams that need to document the decision for regulators, DPOs, or audit committees:

Scenario A: Small to medium EU business, no sectoral regulation
Recommended: NordPass (best UX, EU registered, acceptable GDPR risk for most use cases) or Proton Pass (Swiss adequacy, open source, strong encryption heritage).

Scenario B: Financial services or insurance (DORA applies)
Recommended: Passbolt (EU SA, open source, self-hosted option, DORA supply chain documentation is straightforward). Requires GPG familiarity in the IT team. Vaultwarden is an acceptable alternative if your team can manage self-hosted infrastructure.

Scenario C: Healthcare, social services, or Art.9 data processing
Recommended: Vaultwarden (self-hosted on EU infrastructure) or KeePassXC (offline). The processing of Art.9 data requires the highest standard of data controller assurance — zero third-party processor relationships is the only position that eliminates the Art.28 due diligence burden entirely.

Scenario D: Government or defence (EU-only contractual requirement)
Recommended: Passbolt (self-hosted) or KeePassXC. LastPass, Dashlane, Keeper, and 1Password are contractually non-compliant for most EU government procurement requirements.

Scenario E: Developer and engineering teams (technical users, need CLI and API)
Recommended: Passbolt (has a REST API, CLI tool, and browser extension; integrates with CI/CD pipelines) or Vaultwarden with the official Bitwarden CLI.


Practical Recommendation for Most EU Organisations

If you are an EU organisation currently using LastPass, Dashlane, or Keeper: migrate. The jurisdictional risk is not theoretical — it is the same category of risk that EU DPAs have already acted against for US analytics, email marketing, and CRM tools. The precedents are established. Password managers will follow.

If you are currently using 1Password: the risk is lower but not zero. If your organisation processes Art.9 data, is regulated under DORA or NIS2, or has contractual EU-only requirements, you should migrate.

If you are currently using NordPass: document the offshore holding structure for DORA/NIS2 purposes and maintain a migration plan in case the ownership structure changes (e.g., General Atlantic acquisition that brings a US parent into the corporate chain).

The migration that delivers the most complete compliance posture is to Passbolt or Vaultwarden — both open source, both self-hostable, both EU-native. The infrastructure operational cost is real but manageable, and the compliance certainty is absolute.


Summary: The EU Password Manager Series

This series has covered the six most important decisions EU security teams face when evaluating password management infrastructure:

  1. LastPass — GoTo/LogMeIn Delaware parent, two major breaches, CLOUD Act. Replace immediately.
  2. 1Password — Canadian Five Eyes member, no US parent but intelligence sharing risk. Review if processing Art.9 data.
  3. Dashlane — French origins, US Delaware parent since 2019. CLOUD Act applies. French branding is not French jurisdiction.
  4. Keeper Security — FedRAMP authorisation amplifies rather than mitigates US government access design.
  5. NordPass — EU-registered, no CLOUD Act, but offshore holding in Panama/Cyprus requires documentation.
  6. This post — GDPR Risk Scores, EU-native alternatives, and the decision framework.

The common thread across all five US/Five Eyes vendors: technical security excellence does not substitute for jurisdictional compliance. Zero-knowledge encryption is a security feature. It is not a GDPR legal basis.


sota.io is an EU-native managed PaaS built on Hetzner infrastructure in Germany. No US parent company. No CLOUD Act exposure. If you are migrating your team to EU-compliant infrastructure — not just your password manager — explore sota.io.
