2026-05-20 · 5 min read · sota.io Team

HashiCorp Vault EU Alternative 2026: IBM CLOUD Act 20/25 and Secrets Management Under GDPR

Post #4 in the sota.io EU Privileged Access Management Series

In June 2024, IBM completed its $6.4 billion acquisition of HashiCorp. For European development and platform engineering teams relying on HashiCorp Vault to manage secrets — API keys, database credentials, TLS certificates, dynamic cloud credentials — that acquisition fundamentally altered the legal landscape. IBM Corporation is a New York-headquartered, NYSE-listed Delaware C-Corp: a US person fully subject to the CLOUD Act.

Vault is not a standard SaaS application. It is the keystore at the centre of your infrastructure. Every secret your application reads, every dynamic database credential your Vault cluster issues, every audit event logged when a developer rotates a password — all of this is within IBM's legal sphere, and therefore within reach of US law enforcement compulsion orders.

This post covers what changed after the IBM acquisition, the specific CLOUD Act exposure for HCP Vault (the managed cloud offering), and the EU-native alternatives that give you equivalent functionality without US jurisdiction over your secrets.

HashiCorp Vault: What It Is and Why It Matters Under GDPR

HashiCorp Vault is a secrets management platform that centralises the storage, access, and rotation of sensitive credentials across an organisation's infrastructure. Its core capabilities include:

Under GDPR, the relevance is immediate: dynamic secrets issued for database access name the endpoints and usernames through which EU-resident data subjects' data is reached. Audit logs record which developer accessed which secret at what time; that is operational personal data. TLS certificates contain domain names and organisational identifiers. Vault is not peripheral to your GDPR compliance posture; it is central to it.

The IBM Acquisition: CLOUD Act 20/25

Corporate Structure Post-Acquisition

Before June 2024, HashiCorp Inc. was an independent company incorporated in Delaware and headquartered in San Francisco, CA. Its CLOUD Act exposure was meaningful but limited by its smaller footprint and the absence of a defence and intelligence contractor parent.

After the acquisition, HashiCorp operates as a wholly owned subsidiary of IBM Corporation (NYSE: IBM), headquartered in Armonk, New York. IBM is a different legal entity entirely.

IBM's CLOUD Act exposure score: 20/25

Factor                          | Score | Detail
US parent incorporation         | 4/4   | IBM Corp. Delaware C-Corp, NYSE listed
US federal contractor status    | 4/4   | IBM is a major US Department of Defense, NSA, and intelligence community contractor
HCP Vault cloud control plane   | 3/4   | Cloud-managed secrets plane runs on IBM-controlled US infrastructure
IBM watsonx / AI integration    | 2/4   | ML-based anomaly detection on audit logs creates secondary processing vectors
FISA Section 702 exposure       | 3/4   | IBM's intelligence community relationships increase FISA court compellability
Audit log centralisation        | 2/4   | Aggregated access logs across all HCP Vault tenants create a surveillance-ready dataset
HCP Vault Secrets (Sync)        | 2/4   | Cloud-synced secrets to AWS/Azure/GCP create cross-jurisdictional copies

Total: 20/25 — the highest CLOUD Act score in the EU-PAM Series.

What Does 20/25 Mean in Practice?

A CLOUD Act compulsion order issued to IBM does not require IBM to notify you, your DPA, or the affected data subjects. IBM must comply within the response window. For Vault specifically, this means US authorities could compel:

  1. The contents of your HCP Vault secrets store
  2. The audit trail showing who accessed which secret and when
  3. Dynamic credential templates and database access patterns
  4. PKI certificates and their associated organisational metadata
  5. Token metadata — including which Kubernetes service accounts have which vault policies

This is not a theoretical risk. IBM maintains standing relationships with US law enforcement and intelligence agencies as part of its federal contracts. The infrastructure for compliance exists; it is activated by a legal order.

Five Specific GDPR Risks for HashiCorp Vault Users

Risk 1: HCP Vault Control Plane — US Jurisdiction Over Your Keystore

HCP Vault (HashiCorp Cloud Platform) runs the Vault server cluster on IBM-controlled infrastructure. Even if you specify an EU AWS or Azure region for your HCP Vault cluster, the control plane — authentication, policy management, replication orchestration, and the Vault binary itself — runs through IBM's global infrastructure under US jurisdiction.

GDPR Art. 28 relevance: Your Data Processing Agreement with HashiCorp/IBM covers the processing it performs on your behalf. It does not protect you from a CLOUD Act order that compels IBM to disclose Vault's contents to US authorities outside the DPA framework.

Risk 2: Audit Logs as Personal Data Under GDPR Art. 4(1)

Vault audit logs record every interaction with the secrets store. A typical log entry includes: the requesting entity (Kubernetes pod name, developer username, IAM role), the secret path accessed, the timestamp, the source IP, and the operation performed (read, write, renew, revoke).

This combination of identifiers constitutes personal data under GDPR Art. 4(1). A developer's access pattern across a day — which database they connected to, which third-party API they used, which certificates they rotated — is operational personal data about a natural person. Storing this in a US-jurisdiction cloud creates GDPR Art. 44 transfer risk.

Risk 3: Dynamic Secrets Endpoints Contain EU-Resident Data References

When Vault's database secrets engine issues a dynamic PostgreSQL credential, the credential contains: the database hostname, the username created for that session, and the connection parameters. If that PostgreSQL instance holds EU-resident personal data, then the dynamic credential is a data access key — and its issuance event, logged in HCP Vault's US-jurisdiction audit store, is a record of who accessed EU-resident personal data and when.

Under GDPR Art. 30 (Records of Processing Activities), this access chain must be documentable and subject to erasure and audit rights. If the audit store sits in IBM's US infrastructure, your Art. 30 obligations are harder to fulfil.
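Risks 2 and 3 both come down to the same question: which audit entries record an identifiable person obtaining access to a system that holds EU-resident personal data? The following script is an added example, not code from the original post or from the Vault/OpenBao projects. It parses entries in the shape of the JSON audit device (field names `time`, `type`, `auth.display_name`, `auth.entity_id`, `request.operation`, `request.path`, `request.remote_address`, assumed from the documented format), maps secret paths to the personal-data systems behind them using a hypothetical inventory, and produces Art. 30-style access records. The sample log lines and the path inventory are constructed for the example.

```python
import json

# Constructed sample entries in the shape of the Vault/OpenBao JSON audit device.
# Field names are assumed from the documented format; every value is made up.
SAMPLE_AUDIT_LINES = [
    '{"time":"2026-05-20T08:01:12Z","type":"response","auth":{"display_name":"kubernetes-prod-billing","entity_id":"ent-a1","policies":["billing"]},"request":{"operation":"read","path":"database/creds/customers-ro","remote_address":"10.0.1.5"}}',
    '{"time":"2026-05-20T08:03:40Z","type":"response","auth":{"display_name":"oidc-anna.mueller","entity_id":"ent-b2","policies":["dev"]},"request":{"operation":"update","path":"secret/data/crm/api-key","remote_address":"10.0.9.7"}}',
    '{"time":"2026-05-20T08:05:02Z","type":"response","auth":{"display_name":"oidc-anna.mueller","entity_id":"ent-b2","policies":["dev"]},"request":{"operation":"read","path":"pki/cert/ca","remote_address":"10.0.9.7"}}',
    '{"time":"2026-05-20T08:06:15Z","type":"request","auth":{"display_name":"oidc-anna.mueller","entity_id":"ent-b2","policies":["dev"]},"request":{"operation":"read","path":"database/creds/customers-ro","remote_address":"10.0.9.7"}}',
    'not json at all',
]

# Hypothetical inventory: secret path prefixes whose backing systems hold
# EU-resident personal data. In practice this comes from the Art. 30 register.
EU_PERSONAL_DATA_PATHS = {
    "database/creds/customers-ro": "PostgreSQL 'customers' (EU data subjects)",
    "secret/data/crm/": "CRM integration (EU data subjects)",
}

# Fields that tie an audit entry to an identifiable natural person or their device.
IDENTIFYING_FIELDS = ("actor", "entity_id", "remote_address")


def parse_audit_line(line):
    """Return a flat event dict, or None if the line is not a usable audit entry."""
    try:
        raw = json.loads(line)
    except json.JSONDecodeError:
        return None
    auth = raw.get("auth") or {}
    req = raw.get("request") or {}
    if "time" not in raw or "path" not in req:
        return None
    return {
        "time": raw["time"],
        "type": raw.get("type"),
        "actor": auth.get("display_name"),
        "entity_id": auth.get("entity_id"),
        "operation": req.get("operation"),
        "path": req["path"],
        "remote_address": req.get("remote_address"),
        "error": raw.get("error"),
    }


def is_personal_data_event(event):
    """GDPR Art. 4(1): the entry relates to an identified or identifiable person."""
    return any(event.get(field) for field in IDENTIFYING_FIELDS)


def eu_system_for_path(path):
    """Map a secret path to the EU personal-data system it unlocks, or None."""
    for prefix, system in EU_PERSONAL_DATA_PATHS.items():
        if path == prefix or path.startswith(prefix):
            return system
    return None


def art30_access_records(lines):
    """Build Art. 30-style records: who obtained access to which EU system, and when.

    The audit device writes a 'request' entry before and a 'response' entry after
    each call; only completed, error-free 'response' entries count as an access.
    """
    records = []
    for line in lines:
        event = parse_audit_line(line)
        if event is None or event["type"] != "response" or event["error"]:
            continue
        system = eu_system_for_path(event["path"])
        if system is None:
            continue
        records.append({
            "when": event["time"],
            "who": event["actor"],
            "entity_id": event["entity_id"],
            "operation": event["operation"],
            "path": event["path"],
            "system": system,
            "source": event["remote_address"],
        })
    return records


def access_counts_by_actor(lines):
    """Per-actor count of accesses to EU personal-data systems."""
    counts = {}
    for record in art30_access_records(lines):
        counts[record["who"]] = counts.get(record["who"], 0) + 1
    return counts


if __name__ == "__main__":
    for record in art30_access_records(SAMPLE_AUDIT_LINES):
        print(record)
    print(access_counts_by_actor(SAMPLE_AUDIT_LINES))
```

Run over a real audit device file, the output is exactly the dataset the post describes: each record names a natural person (or a workload bound to one), a timestamp and a personal-data system. Whether that dataset sits in an EU-jurisdiction store or in a US-jurisdiction one is the Art. 44 question.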

Risk 4: HCP Vault Secrets (Cloud Sync) — Multi-Cloud Secret Proliferation

HCP Vault Secrets offers synchronisation of secrets to AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, and other cloud vaults. This multi-cloud sync creates copies of your secrets across jurisdictions that may not be covered by your original data mapping.

A secret that started in your self-hosted Vault, migrated to HCP Vault for centralised management, and then synced to AWS Secrets Manager in us-east-1 has now been processed under US jurisdiction three times — through HashiCorp/IBM, through Amazon, and through your original Vault admin toolchain.

Risk 5: IBM Federal Contractor Governance Gap

IBM's status as a US federal defence and intelligence contractor creates a governance gap that no DPA can close. IBM has existing contractual relationships with US government agencies that include data sharing and access obligations. These obligations exist independently of and may supersede the data protection terms in your HashiCorp Enterprise Agreement.

When you sign an HCP Vault contract, you are signing with a subsidiary of a company that has standing federal contractor obligations to the US government. The subsidiary's DPA does not bind the parent; the parent's federal contracts bind the parent.

EU-Native Alternatives to HashiCorp Vault

OpenBao — The Direct Fork, CLOUD Act 0/25

OpenBao was created by the Linux Foundation in direct response to the IBM acquisition of HashiCorp. It is a hard fork of Vault Community Edition, released under the Mozilla Public License 2.0, with an explicit mandate to remain independent of any single corporate entity.

CLOUD Act score: 0/25 when self-hosted on EU infrastructure.

OpenBao maintains full API compatibility with Vault CE. Existing Vault configurations, policies, and integrations migrate without code changes. The secret engines (database, AWS, Kubernetes, PKI, transit) are identical. The audit log format is the same. Vault Agent and Vault SDK continue to work against OpenBao.

Recommended deployment: OpenBao on Hetzner CPX21 (€5.92/mo) with Raft integrated storage. No external dependencies. Full control over the Vault binary, storage backend, and network path.

Governance: Linux Foundation project governance means no single vendor can alter the licence, acquire the project, or introduce US jurisdiction into the supply chain.

Self-Hosted Vault Community Edition — Partial Mitigation

Vault Community Edition (CE) remains available under the BSL 1.1 licence, a source-available licence that is not OSI-approved open source. Running Vault CE on your own EU infrastructure eliminates the HCP control plane CLOUD Act risk, but it does not eliminate HashiCorp/IBM as the upstream binary provider.

For EU organisations with strict data sovereignty requirements, OpenBao is the cleaner option: same functionality, genuinely open source licence, no upstream IBM binary dependency.

Infisical — Open Source, Self-Hostable

Infisical provides secrets management with a modern developer experience: native SDK integrations for Node.js, Python, Go, and Rust; a Kubernetes operator for pod-level secret injection; and a web UI comparable to HCP Vault's interface.

Infisical Inc. is US-incorporated, but the platform is fully open source (MIT licence) and self-hostable. On EU infrastructure, CLOUD Act exposure drops to 0/25. Infisical Cloud (their managed offering) is US-jurisdiction and should be evaluated with the same CLOUD Act lens as HCP Vault.

PrivX Community Edition — SSH and PAM Focus

SSH Communications Security's PrivX Community Edition (Helsinki, FI) includes a secrets vault component focused on SSH keys, jump host credentials, and privileged session management. For organisations whose primary Vault use case is SSH access management and privileged session recording, PrivX CE provides a fully EU-native alternative with ANSSI alignment. CLOUD Act score: 1/25.

Migration Path: HCP Vault to OpenBao

A production migration from HCP Vault to self-hosted OpenBao follows four phases:

Phase 1 — Audit your secret engines (Weeks 1-2): Inventory all enabled secret engines (database, PKI, AWS, transit, KV v2) and their associated policies. Document every application that calls the Vault API and which paths it accesses.

Phase 2 — Deploy OpenBao alongside (Weeks 2-4): Stand up an OpenBao cluster on EU infrastructure using Raft storage. Replicate your policies and auth methods. Use the vault operator migrate equivalent in OpenBao to transfer KV v2 secrets from HCP Vault via the API.

Phase 3 — Migrate dynamic engines (Weeks 4-6): Re-configure database, PKI, and Kubernetes auth engines on OpenBao. Update Vault Agent configurations (drop-in compatible with OpenBao). Rotate all dynamic credentials through the new cluster.

Phase 4 — Cutover and decommission (Weeks 6-8): Update application environment variables and Kubernetes secrets to point to the OpenBao address. Monitor audit logs for any residual HCP Vault calls. Revoke all HCP Vault tokens. Terminate HCP Vault subscription.
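Phase 2's KV v2 transfer is the step most teams script. The client below is an added example, not code from the original post or from the Vault or OpenBao projects. It relies on the KV v2 HTTP endpoints the two systems share (`GET .../metadata/<path>?list=true`, `GET .../data/<path>`, `POST .../data/<path>` with the `X-Vault-Token` header), walks the source mount recursively, copies each leaf secret's current version to the destination, and verifies the copy afterwards. The `MemoryKv` class is a constructed offline stand-in with the same three methods so the walk and verify logic can be exercised without a server; the environment variable names in the `__main__` block are assumptions, not something the projects prescribe.

```python
import json
import os
import urllib.error
import urllib.request


class HttpKv:
    """KV v2 client over the Vault HTTP API, which OpenBao keeps compatible (assumed)."""

    def __init__(self, addr, token, mount="secret"):
        self.addr, self.token, self.mount = addr.rstrip("/"), token, mount

    def _call(self, method, url_path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"{self.addr}/v1/{url_path}", data=data, method=method,
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            payload = resp.read()
            return json.loads(payload) if payload else {}

    def list(self, path):
        # KV v2 answers LIST on an empty folder with 404, which means "no keys".
        try:
            return self._call("GET", f"{self.mount}/metadata/{path}?list=true")["data"]["keys"]
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return []
            raise

    def read(self, path):
        try:
            return self._call("GET", f"{self.mount}/data/{path}")["data"]["data"]
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None
            raise

    def write(self, path, secret):
        self._call("POST", f"{self.mount}/data/{path}", {"data": secret})


class MemoryKv:
    """Constructed in-memory stand-in with the same list/read/write contract (for offline runs)."""

    def __init__(self, secrets=None):
        self.secrets = dict(secrets or {})

    def list(self, path):
        keys = set()
        for full in self.secrets:
            if not full.startswith(path):
                continue
            head, sep, _ = full[len(path):].partition("/")
            keys.add(head + "/" if sep else head)   # folders carry a trailing slash, as in KV v2
        return sorted(keys)

    def read(self, path):
        secret = self.secrets.get(path)
        return dict(secret) if secret is not None else None

    def write(self, path, secret):
        self.secrets[path] = dict(secret)


def walk(kv, path=""):
    """Yield every leaf secret path under `path`, descending into folders."""
    for key in kv.list(path):
        full = path + key
        if key.endswith("/"):
            yield from walk(kv, full)
        else:
            yield full


def migrate(src, dst, dry_run=False):
    """Copy the latest version of every secret from src to dst; returns the paths handled."""
    copied = []
    for path in walk(src):
        secret = src.read(path)
        if not dry_run:
            dst.write(path, secret)
        copied.append(path)
    return copied


def verify(src, dst):
    """Return the paths whose latest version differs between src and dst (empty means a clean copy)."""
    return [path for path in walk(src) if dst.read(path) != src.read(path)]


if __name__ == "__main__":
    # Assumed variable names: source is the HCP Vault cluster, destination the OpenBao cluster.
    src = HttpKv(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    dst = HttpKv(os.environ["BAO_ADDR"], os.environ["BAO_TOKEN"])
    print("copied:", migrate(src, dst, dry_run=os.environ.get("DRY_RUN") == "1"))
    print("mismatched:", verify(src, dst))
```

Two design points follow from the post's own migration phases. First, the dry run (`DRY_RUN=1`) doubles as the Phase 1 inventory of every path your applications can reach, before anything is written. Second, `verify` only compares the current version: KV v2 version history and metadata stay behind in HCP Vault, which is another reason Phase 4 ends with revoking every HCP Vault token rather than leaving the old cluster reachable.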

Total migration cost: 6-8 weeks engineering time. Infrastructure cost delta: HCP Vault Plus starts at ~$0.03/hour per cluster. OpenBao on Hetzner: €5.92/mo (CPX21) for a single-node dev cluster, €17-35/mo for a three-node production Raft cluster.

Compliance Checklist: Vault Under GDPR Art. 44 and NIS2 Art. 21

Requirement                                   | HCP Vault (IBM)                                       | Self-hosted OpenBao
GDPR Art. 44 (third-country transfers)        | ⚠️ US transfer via IBM parent                          | ✅ No third-country transfer
GDPR Art. 28 (DPA coverage)                   | ⚠️ DPA cannot override CLOUD Act orders               | ✅ You control the processor
NIS2 Art. 21(2)(i) (access control)           | ⚠️ US-jurisdiction audit trail                        | ✅ EU-jurisdiction audit trail
DORA Art. 9(4)(d) (third-party ICT risk)      | ❌ IBM federal contractor = high concentration risk   | ✅ Open source, no vendor lock-in
BSI C5 / EUCS alignment                       | ⚠️ HCP Vault lacks EUCS certification                 | ✅ Self-hosted qualifies for EUCS Level Basic

Conclusion

HashiCorp Vault remains technically excellent. The IBM acquisition did not change the product's functionality — it changed its legal ownership and CLOUD Act exposure. For European teams processing personal data, the shift from HashiCorp Inc. (San Francisco) to IBM Corp. (Armonk NY, federal contractor) is not a minor organisational change. It is a change in the effective jurisdiction of your entire secrets infrastructure.

OpenBao provides a direct, API-compatible migration path with zero CLOUD Act exposure when deployed on EU infrastructure. The Linux Foundation governance model protects the project from future acquisitions and licence changes. For organisations that built their secrets management practice on Vault, OpenBao is the straightforward answer to IBM's CLOUD Act 20/25 score.

sota.io is an EU-native platform-as-a-service: no US parent, no CLOUD Act exposure, no PRISM participation. Start your free trial.
