LastPass EU Alternative 2026: GoTo (formerly LogMeIn) Owns Your Passwords — And GoTo Is a Delaware Corporation
Post #1 in the sota.io EU Password Manager Compliance Series
In August 2022, LastPass disclosed that attackers had exfiltrated encrypted customer vaults — along with unencrypted metadata: URLs, IP addresses, site names, and billing details. In December 2022, a second disclosure revealed the attacker also obtained the cloud storage keys. By January 2023, LastPass confirmed that threat actors had used the stolen data to target cryptocurrency holders, draining wallets.
The breach exposed a structural problem beyond LastPass specifically: any US-incorporated password manager storing vaults in US-based cloud infrastructure is subject to the CLOUD Act — with or without a breach. This guide explains that legal reality and presents EU-native alternatives for organisations that cannot accept it.
Who Owns LastPass in 2026?
LastPass began as a product of LogMeIn, Inc. In 2021, LogMeIn rebranded as GoTo Group, Inc. — a Delaware C-Corporation headquartered in Boston, Massachusetts. GoTo is backed by Francisco Partners (San Francisco) and Evergreen Coast Capital, both US private equity firms.
The corporate chain:
- LastPass, LLC — operates the password manager product
- GoTo Group, Inc. (Delaware) — parent corporation
- Francisco Partners — majority PE backer
- Infrastructure: AWS US-East-1 (Virginia) for primary vault storage
LastPass was spun out as a separate company in 2021 while remaining under GoTo's corporate umbrella. A change in ownership structure does not change the legal reality: LastPass LLC remains a US entity, under US jurisdiction, with vaults stored on US cloud infrastructure.
The CLOUD Act Problem
The Clarifying Lawful Overseas Use of Data (CLOUD) Act (2018) allows US law enforcement and intelligence agencies to compel US corporations to produce data stored anywhere in the world — including data stored in EU data centres. The critical legal path:
- GoTo Group, Inc. is a US corporation under US jurisdiction.
- LastPass LLC is a subsidiary of GoTo Group, Inc.
- A National Security Letter (NSL) or court order directed at GoTo compels production of all LastPass data.
- AWS US-East-1 (Virginia) is on US soil, so the vault storage itself falls under US jurisdiction regardless of the corporate chain.
- Even if LastPass were to move vaults to EU AWS regions, GoTo Group as US parent retains US jurisdiction over metadata and corporate records.
For EU data controllers using LastPass for employee credentials:
- GDPR Art.44: Transfers to third countries (USA) require appropriate safeguards. LastPass's SCCs are undermined by CLOUD Act override authority.
- GDPR Art.28: Data processor agreements with LastPass do not protect against lawful US government access.
- GDPR Art.32: Pseudonymised/encrypted data is still personal data if identifiers (URLs, IPs, usernames) remain accessible to the provider.
- NIS2 Art.21: Organisations in scope must implement access control and privileged access management. Using a US-exposed credential store for privileged access may fail a NIS2 audit.
The 2022 Breach: What Was Actually Stolen
LastPass's December 2022 disclosure is notable for what was not encrypted:
Encrypted (protected by master password):
- Stored passwords
- Credit card numbers
- Secure notes
Unencrypted (exposed in breach):
- Website URLs for every stored credential
- Site names and categories
- Username fields in some legacy vault configurations
- Billing information
- IP addresses of vault owners
- TOTP seeds (for accounts using LastPass Authenticator)
For EU organisations, the unencrypted URL metadata alone constitutes personal data under GDPR Art.4(1) — it reveals which internal systems, HR platforms, and financial services employees use, mapped to specific IP addresses. Processing this data under US jurisdiction without adequate safeguards violates GDPR Art.44.
GDPR Compliance Assessment: LastPass in 2026
| Dimension | LastPass Status |
|---|---|
| Corporate jurisdiction | ❌ USA (GoTo Group Delaware) |
| Data storage | ❌ AWS US-East-1 (primary) |
| CLOUD Act immunity | ❌ None — GoTo is subject to US law |
| GDPR Art.44 transfer basis | ⚠️ EU-US DPF / SCCs (contested post-Schrems II) |
| Zero-knowledge for metadata | ❌ Partial — URLs/IPs historically plaintext |
| NIS2 Art.21 suitability | ⚠️ Risk — US-exposed for privileged access |
| Data breach history | ❌ Major 2022 breach (vaults + metadata exfiltrated) |
EU-Native Alternatives for 2026
Passbolt (Luxembourg)
Passbolt SA is incorporated in Luxembourg (EU Member State). It is open-source (AGPL-3.0) with self-hosted and cloud-hosted options, both operating within EU jurisdiction.
- Corporate structure: Passbolt SA, Luxembourg — no US parent, no US PE backing
- Architecture: True zero-knowledge — end-to-end encryption, server never sees plaintext
- NIS2 suitability: Strong — privileged access management (PAM) features, audit logs, role-based sharing
- Pricing: Community (self-hosted, free), Business (cloud/self-hosted, €49/mo for 10 users)
Padloc (Germany)
Padloc GmbH is a German startup offering an open-source, end-to-end encrypted password manager.
- Corporate structure: German GmbH — EU jurisdiction, GDPR-native
- Infrastructure: EU-hosted servers (Hetzner Germany)
- Self-hosting: Full self-host option available
- Pricing: Free (personal), €3.49/user/month (team cloud)
Vaultwarden (Self-hosted Bitwarden-compatible)
Vaultwarden is an unofficial, community-maintained, lightweight Bitwarden server implementation written in Rust, fully compatible with Bitwarden clients.
- No US jurisdiction risk when self-hosted on EU infrastructure
- Infrastructure: Your infrastructure — self-host on Hetzner, Scaleway, or OVHcloud
- Architecture: Full zero-knowledge, identical to Bitwarden protocol
- Pricing: Free (infrastructure costs only, ~€5-10/month on Hetzner)
Important: Vaultwarden is NOT the same as Bitwarden cloud. Bitwarden, Inc. is a Delaware corporation with US-based cloud infrastructure — the same CLOUD Act exposure as LastPass. Self-hosted Vaultwarden removes the US-jurisdiction risk entirely.
KeePass + KeePassXC (Offline, No Cloud)
KeePass (German-origin) and KeePassXC (community fork) are fully local, offline password managers with no cloud component — the strongest possible EU-compliance posture.
Decision Framework: Choosing Your EU Password Manager
```
Are you a team with shared credentials?
├── Yes → Do you have DevOps capacity to self-host?
│   ├── Yes → Vaultwarden (self-hosted, free) or Passbolt CE
│   └── No  → Passbolt Cloud (Luxembourg) or Padloc Team (Germany)
└── No (individual/small team)
    └── Do you need cloud sync?
        ├── Yes → Padloc Personal (Germany)
        └── No  → KeePassXC (offline, no cloud)
```
Conclusion
The 2022 breach was a symptom, not the cause. GoTo Group's Delaware incorporation and AWS US-East infrastructure create persistent CLOUD Act exposure for every LastPass customer, regardless of breach history.
EU organisations that need GDPR Art.44 compliance for their credential store — or those subject to NIS2 Art.21 — require a password manager under EU jurisdiction. Passbolt (Luxembourg), Padloc (Germany), and self-hosted Vaultwarden on EU infrastructure each satisfy this requirement. LastPass, as a GoTo subsidiary, cannot.
Next in the EU Password Manager Series: 1Password EU Alternative 2026 — AgileBits Inc. is Canadian (Five Eyes), and the new $620M Accel/Tiger Global funding round places 1Password squarely in US VC jurisdiction.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.