NordPass EU Alternative 2026: EU-Registered but Offshore-Owned — The Data Sovereignty Question Nord Security Doesn't Answer
Post #5 in the sota.io EU Password Manager Series
NordPass occupies a unique position in the enterprise password manager market: it is one of the few major password managers marketed as privacy-first that is not headquartered in the United States. Nord Security UAB — the Lithuanian private limited company behind NordPass — has no Delaware C-Corp parent, no US holding company, and no direct legal nexus to the US CLOUD Act. For EU security teams that have spent the last three years rejecting LastPass, 1Password, Dashlane, and Keeper on jurisdictional grounds, NordPass looks like an obvious answer.
The reality is more complicated. Nord Security's ownership structure runs through a web of offshore holding companies in Panama and Cyprus — jurisdictions that sit outside both EU data protection law and the CLOUD Act, but that introduce their own data governance ambiguities. The Lithuanian entity that processes your vault data is ultimately controlled by entities that operate under limited transparency obligations. For organisations where data sovereignty is not just a checkbox but a boardroom concern, that structure deserves scrutiny.
This guide works through the corporate architecture of Nord Security, the specific legal risks and non-risks for EU organisations, how the zero-knowledge architecture changes the risk calculus, and where EU-native alternatives with cleaner jurisdictional profiles fit.
The Nord Security Corporate Structure
Nord Security was founded in 2012 by Tomas Okmanas and Eimantas Sabaliauskas as part of Tesonet, a Lithuanian technology company that operates several internet privacy and security brands. Tesonet itself is a private company with complex ownership.
The chain of control that matters for GDPR:
Nord Security UAB (Lithuania) is the operating entity for NordPass, NordVPN, NordLayer, and other Nord products. UAB (Uždaroji akcinė bendrovė) is a Lithuanian private limited liability company, equivalent to a UK Ltd or German GmbH. As a Lithuanian entity, Nord Security UAB is subject to Lithuanian law, the Lithuanian Data Protection Authority (Valstybinė duomenų apsaugos inspekcija, VDAI), and — critically — EU GDPR directly.
Tefincom S.A. (Panama) is the entity behind NordVPN's historical domain registrations and certain commercial operations. Tefincom is a Panamanian sociedad anónima (S.A.) — an offshore structure historically used for privacy and asset protection. Panama has no data protection law equivalent to GDPR, no adequacy decision from the European Commission, and limited regulatory transparency obligations.
Holding and investment layer: Nord Security raised $100 million from General Atlantic in 2021. General Atlantic is a US-based private equity firm. While this does not create direct CLOUD Act exposure (General Atlantic holds equity, not operational data), it means that Nord Security's board has US institutional investor presence.
The key GDPR-relevant question: When Nord Security UAB in Lithuania processes your organisation's vault data, which entity controls that processing? Lithuanian law says Nord Security UAB. The offshore holding structure says the answer is more layered. GDPR Art.4(7) defines "controller" functionally — the entity that determines the purposes and means of processing — not just based on where the legal entity is registered.
What the Panama Connection Actually Means for GDPR
The Tefincom S.A. structure that NordVPN uses (and that Nord Security historically deployed for commercial operations) is not in itself a GDPR violation. But it creates three specific risks that EU legal teams flag during vendor assessments:
Risk 1: Controller Identification Under GDPR Art.4(7)
If the entity that makes decisions about how NordPass processes your data is not Nord Security UAB but an offshore holding company, the "controller" under GDPR may not be the Lithuanian entity. This matters because:
- Your Data Processing Agreement (DPA) must be with the actual controller or processor
- If the wrong entity signs your DPA, the agreement may not be GDPR-compliant
- Lithuanian supervisory authority jurisdiction applies only if the Lithuanian entity is actually the controller
In practice, Nord Security UAB signs DPAs and is the stated data controller. But "stated" and "functionally determined" can diverge in complex ownership structures.
Risk 2: International Transfer Risk Via Sub-Processors
GDPR Art.44 prohibits transfers of personal data to third countries without adequate protection. If Nord Security sub-processes data through entities in Panama, Cyprus, or other non-adequate countries (even for infrastructure, analytics, or support functions), those transfers require Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
NordPass's privacy documentation lists sub-processors. EU organisations should verify that all sub-processors are either EU-located or covered by an adequacy decision or SCCs. The Panamanian entity in the ownership chain does not automatically mean Panama-located data processing — but it creates due diligence obligations.
Risk 3: Regulatory Opacity
Unlike a Delaware-based company (where SEC and state-level disclosure requirements create a paper trail), Panamanian S.A. entities have minimal public disclosure obligations. This makes it harder to:
- Verify the ultimate beneficial owner (UBO) for GDPR Art.13/14 disclosure purposes
- Assess whether ownership changes affect your data controller relationship
- Conduct vendor risk assessments required under DORA (EU Regulation 2022/2554) for financial institutions
The CLOUD Act Non-Risk — And Why It Still Matters
Here is where NordPass genuinely differs from every other password manager covered in this series:
NordPass has no US parent company. Therefore, it has no direct CLOUD Act jurisdiction.
The CLOUD Act (18 U.S.C. § 2523) authorises US law enforcement to compel disclosure of data from US companies and their subsidiaries, regardless of where that data is stored. LastPass (GoTo, Boston), 1Password (AgileBits, Toronto — but US infrastructure and VC investor nexus), Dashlane (Dashlane Inc., New York), and Keeper (Keeper Security Inc., Chicago) are all directly subject to CLOUD Act warrants.
Nord Security UAB is a Lithuanian EU company. A US government warrant under the CLOUD Act has no direct legal force against a Lithuanian company. To compel disclosure from Nord Security, US law enforcement would need to use Mutual Legal Assistance Treaty (MLAT) mechanisms — a process that involves Lithuanian judicial oversight and is significantly slower and less covert than a CLOUD Act warrant.
This is a meaningful jurisdictional difference. For organisations where the threat model includes US law enforcement access (state actors, whistleblower protection, US geopolitical exposure), NordPass's non-US structure provides genuine protection that the other four password managers in this series cannot offer.
But the nuance matters: Panamanian and Cypriot entities do not have MLAT treaties structured to EU standards. If Nord Security's holding companies are subpoenaed by a jurisdiction with legal reach over those entities, the calculus changes. And General Atlantic's US investor presence — while not CLOUD Act exposure per se — means that if Nord Security were ever acquired by a US company, CLOUD Act exposure would materialise immediately.
Zero-Knowledge Architecture Analysis
NordPass uses a zero-knowledge architecture built on the XChaCha20 encryption algorithm with Argon2 key derivation. This is technically superior to the PBKDF2 schemes used by many competitors.
What zero-knowledge protects:
- Vault contents are encrypted locally before transmission
- Nord Security servers receive only ciphertext
- Even in response to a legal warrant, Nord Security cannot provide plaintext vault contents
- Key derivation from master password happens client-side only
What zero-knowledge does not protect:
- Vault metadata: Which URLs you access, when you access them, your vault item count, and organisational structure are not necessarily encrypted with the same zero-knowledge guarantees
- Account metadata: Email address, device identifiers, login timestamps, and IP addresses are visible to Nord Security and potentially to its sub-processors
- Sharing features: If business tiers use server-side sharing coordination, the server may have access to shared item keys
- Breach notifications: NordPass's breach monitoring (similar to HaveIBeenPwned integration) requires some form of credential hashing comparison with an external service
For most enterprise threat models, the vault content protection is what matters. But for organisations where even metadata exposure is a concern (intelligence agencies, law firms, M&A teams), the metadata layer deserves additional scrutiny.
GDPR Compliance Assessment
Nord Security publishes a GDPR compliance page and maintains a Data Processing Agreement (DPA) for business customers. Key factors:
Positive:
- Supervisory Authority: Lithuanian VDAI is the lead supervisory authority for Nord Security UAB's EU operations. VDAI is an EU DPA and operates under Article 55/56 GDPR cooperation mechanisms.
- Data Residency: Nord Security states that EU customer vault data is stored on servers in the European Union (Germany, Netherlands infrastructure reported). Data residency within the EU means no Art.44 transfer risk for primary storage.
- DPA Available: Business customers can obtain a signed DPA from Nord Security UAB.
- Standard Contractual Clauses: For sub-processors outside the EU, Nord Security represents that SCCs are in place.
Areas Requiring Due Diligence:
- Sub-processor List: Verify that all sub-processors with data access are EU-located or SCC-covered. Pay particular attention to analytics, support tooling (Zendesk, Intercom equivalents), and payment processing.
- DPF Registration: The EU-US Data Privacy Framework (DPF) is irrelevant here (Nord Security is not a US company), but its NOYB challenge (C-446/23) is relevant to sub-processors that are US entities.
- UBO Disclosure: GDPR Art.13/14 requires transparency about processing purposes and controllers. If the beneficial owner of Nord Security's ultimate holding company is not publicly identifiable, this creates a due diligence gap for some regulated industries.
DORA Implications (Financial Institutions): Under DORA (EU Regulation 2022/2554, applicable since January 2025), EU financial institutions must conduct ICT third-party risk assessments for critical service providers. A password manager managing privileged access credentials is typically a critical ICT dependency. DORA Article 28 requires assessment of the vendor's "legal, financial, operational and reputational risks" — the offshore holding structure is directly relevant to this assessment.
Data Residency Claims: What Nord Security Actually Promises
NordPass for Business allows organisations to select EU data residency. This means vault data is stored on servers physically located within the European Union. For the purposes of GDPR Art.44, data that never leaves the EU does not require transfer mechanism justification.
However, "data residency" claims require careful reading:
- Primary vault storage may be EU-located while backup infrastructure uses different regions.
- Support and operations teams may access vault infrastructure data (not vault contents) from locations outside the EU.
- Telemetry and analytics data (which devices accessed the vault, when, from where) may flow to third-party analytics providers that are not EU-located.
For a thorough GDPR risk assessment, EU organisations should request Nord Security's full sub-processor list and verify the data flow map — not just the primary storage location claim.
Business Tier Analysis
NordPass offers three tiers relevant to enterprise adoption:
NordPass Personal (€X/mo): Individual use, zero-knowledge vault, browser extensions, mobile apps. No audit logs, no SCIM/SSO integration. Not suitable for enterprise credential governance.
NordPass Business (€X/user/mo): Shared vaults, admin dashboard, access control, audit log. Suitable for teams of 5–500. SSO integration via SAML 2.0 (Google Workspace, Okta, Azure AD, OneLogin). SCIM provisioning available.
NordPass Enterprise (custom pricing): Custom SSO and SCIM, dedicated account manager, SLA guarantees, LDAP integration, custom DPA terms. For large organisations with specific compliance requirements, Enterprise tier includes the ability to negotiate sub-processor transparency and custom data handling agreements.
Pricing relative to alternatives: NordPass Business pricing is competitive with 1Password Teams and Dashlane Business. Keeper Business is typically priced slightly lower. Passbolt (EU-native, self-hosted) is open-source and free for self-hosted deployments.
EU Alternatives With Cleaner Jurisdictional Profiles
For organisations where NordPass's offshore holding structure is a disqualifier, four alternatives offer different jurisdictional profiles:
1. Passbolt — Luxembourg SA, AGPL, Self-Hosted or Cloud
Corporate structure: Passbolt SA, Luxembourg. Luxembourg is an EU member state with strong data protection culture and no offshore holding complexity. Passbolt's investors are European.
CLOUD Act exposure: None. No US parent, no US investor nexus.
Jurisdiction: Luxembourg CNPD (Commission Nationale pour la Protection des Données) as lead supervisory authority.
Zero-knowledge: Yes — GPG-based end-to-end encryption. Vault contents are encrypted client-side.
Self-hosted option: Full self-hosting available under AGPL license. Run Passbolt on your own EU infrastructure (Hetzner, OVHcloud, Scaleway). With self-hosting, you control all data — Nord Security's offshore ownership structure is irrelevant.
Enterprise feature parity: SSO (SAML, OIDC), SCIM, LDAP, audit logs, access control, compliance reports. Slightly less polished UX than NordPass, but functionally complete for enterprise use.
Best for: Organisations that require maximum jurisdictional cleanliness AND want self-hosted control. Luxembourg SA + self-hosted = highest possible data sovereignty.
2. Proton Pass — Proton AG, Switzerland, Adequacy Decision
Corporate structure: Proton AG, Geneva, Switzerland. Not EU, but Switzerland has an adequacy decision from the European Commission (confirmed by CJEU standards). Swiss data transfers do not require Art.44 mechanisms.
CLOUD Act exposure: None. Swiss company, no US parent.
Jurisdiction: Swiss Federal Data Protection Act (nDSG, revised 2023). Swiss FDPIC (Federal Data Protection and Information Commissioner).
Zero-knowledge: Yes — built on the same cryptographic stack as ProtonMail, one of the most battle-tested privacy email services in the world.
Adequacy advantage: Switzerland's adequacy decision means EU-Switzerland data flows are treated equivalently to intra-EU flows — no SCCs required, no DPF dependency.
Enterprise features: Proton Pass for Business includes shared vaults, admin console, and SSO. Less mature than NordPass Business in terms of enterprise feature set, but the jurisdictional profile is significantly cleaner.
Best for: Organisations in regulated industries (healthcare, finance) where supply chain risk assessments require documented adequacy decisions for every data processor.
3. Vaultwarden — Self-Hosted Bitwarden-Compatible Server
Corporate structure: No corporate structure. Vaultwarden is an open-source, community-maintained Bitwarden-compatible server implementation. You run it on your infrastructure.
CLOUD Act exposure: None — you control the server.
Jurisdiction: Your jurisdiction. Run on Hetzner in Germany: German law applies. Run on OVHcloud in France: French law applies.
Zero-knowledge: Yes — Bitwarden protocol uses AES-256 encryption with PBKDF2 or Argon2 key derivation.
Self-hosting complexity: Medium. Requires Docker, a reverse proxy, and operational maintenance. Well-documented. sota.io can deploy Vaultwarden for you in minutes on EU infrastructure.
Cost: Infrastructure only. No per-seat licensing. Dramatically cheaper than NordPass Business at scale.
Best for: Engineering-led organisations with operational capacity to manage their own infrastructure, where total data control is the primary requirement.
4. KeePassXC — Offline, Open Source
Corporate structure: None. KeePassXC is open-source software with no corporate entity.
CLOUD Act exposure: None — data never leaves your device unless you choose to sync it.
Jurisdiction: None — local software.
Zero-knowledge: Maximum — no server, no network transmission, no corporate data access.
Limitation: No native team sharing, no web access, no mobile sync without third-party tools (KeeShare, Syncthing, or a self-managed cloud sync).
Best for: Individual contributors and small teams where offline security is paramount and cloud sync is acceptable via self-managed solutions.
NordPass vs EU Alternatives: Decision Matrix
| Requirement | NordPass | Passbolt | Proton Pass | Vaultwarden |
|---|---|---|---|---|
| EU-registered operating entity | ✅ Lithuania | ✅ Luxembourg | ❌ Switzerland (adequacy ✓) | N/A (self-hosted) |
| No US parent | ✅ | ✅ | ✅ | N/A |
| No offshore holding structure | ❌ Panama/Cyprus | ✅ | ✅ | N/A |
| CLOUD Act immunity | ✅ | ✅ | ✅ | ✅ |
| EU data residency | ✅ (selectable) | ✅ | ✅ | ✅ (you choose) |
| Zero-knowledge vault | ✅ | ✅ | ✅ | ✅ |
| SSO/SCIM Enterprise | ✅ | ✅ | Partial | ✅ (via Bitwarden) |
| Self-hosted option | ❌ | ✅ | ❌ | ✅ |
| Open source | ❌ | ✅ (AGPL) | ❌ (apps MIT) | ✅ (AGPLv3) |
| DORA Art.28 risk profile | Medium (offshore holding) | Low | Low | Minimal |
Five Organisational Profiles — Which Password Manager Fits
Profile 1: "We need a SaaS password manager with minimal friction and EU compliance." → NordPass is viable. The offshore holding structure is a due diligence item, not necessarily a disqualifier. Get the DPA signed, verify the sub-processor list, document your assessment for your DPO.
Profile 2: "We are a German Mittelstand under DORA. Our DPO requires clean supply chain documentation." → Choose Passbolt (Luxembourg SA) or Proton Pass (Swiss adequacy). The offshore holding structure in NordPass creates DORA Art.28 documentation burden that Passbolt and Proton Pass avoid.
Profile 3: "We are a law firm with confidential client data and a zero-trust mandate." → Self-hosted Vaultwarden on Hetzner Germany. Maximum data control. No vendor risk. Legal professional secrecy obligations require that no third party — even a Lithuanian one with offshore parents — has any access path to credential data.
Profile 4: "We are a startup on Hetzner/OVHcloud that already manages our own infrastructure." → Vaultwarden on your existing cluster. Zero additional vendor, zero additional cost, full control. sota.io can configure the reverse proxy and backup in a standard deployment.
Profile 5: "We had a LastPass/Dashlane/1Password account and need to migrate immediately with minimal disruption." → NordPass with an Enterprise DPA is the fastest migration path. NordPass imports from all major competitors. Once migrated, reassess Passbolt self-hosting for the long term.
Migration From NordPass to a Self-Hosted Alternative
If you are currently on NordPass and want to migrate to Passbolt or Vaultwarden, the process is:
Step 1: Export from NordPass
- NordPass Business Admin Console → Export → CSV (unencrypted) or encrypted JSON
- Ensure the export includes all shared vault items, not just personal items
- Delete the export file immediately after import — it contains all credentials in plaintext
Step 2: Import to Passbolt
- Passbolt supports CSV import from NordPass, 1Password, and Bitwarden
- For large organisations, use the Passbolt CLI bulk importer
- After import, verify folder structure and access controls are correctly replicated
- Revoke NordPass licences only after verifying all users can access via Passbolt
Step 3: Import to Vaultwarden/Bitwarden
- Bitwarden's official import supports NordPass CSV directly
- Vaultwarden accepts any Bitwarden-compatible import
- Use Bitwarden desktop app → File → Import Data → NordPass (CSV)
Step 4: Revoke NordPass API access
- After migration is confirmed, revoke all API tokens and SSO integrations
- Request data deletion under GDPR Art.17 from Nord Security UAB
- Lithuanian VDAI has jurisdiction if Nord Security does not respond within 30 days
What GDPR Art.17 Deletion Looks Like With Nord Security
Under GDPR Art.17, you have the right to erasure. For NordPass:
- Request channel: privacy@nordpass.com or via Business/Enterprise account manager
- Expected response time: 30 days (GDPR Art.12 standard)
- What gets deleted: Vault data, account metadata, audit logs (after retention period)
- What may persist: Anonymised aggregated analytics, backups for the legally required retention period
- Supervisory authority: Lithuanian VDAI if Nord Security does not respond or responds inadequately
The Lithuanian VDAI is an actively functioning EU DPA — enforcement has accelerated since 2022 in line with the broader EU DPA enforcement trend. A complaint to VDAI is a credible escalation path.
The Bottom Line: Is NordPass GDPR-Compliant for EU Organisations?
The direct answer: Yes, with due diligence.
NordPass is operated by a Lithuanian EU company, processes data on EU servers, offers a GDPR DPA for business customers, and has no US parent that creates direct CLOUD Act exposure. These are genuine, meaningful advantages over LastPass, 1Password, Dashlane, and Keeper.
The offshore holding structure (Panama/Cyprus) is a due diligence flag, not an automatic GDPR violation. For most EU organisations — particularly those not in regulated industries — the standard NordPass Business DPA plus a verified sub-processor list is sufficient GDPR compliance documentation.
When NordPass is not sufficient:
- DORA-regulated financial institutions that require full supply chain transparency including UBO disclosure
- Public sector organisations subject to national cloud-sovereignty regulations stricter than baseline GDPR
- Legal and healthcare organisations with professional secrecy obligations that prohibit third-party data access under any conditions
- Organisations where the threat model includes sophisticated adversaries with potential reach over offshore holding jurisdictions
In those cases, Passbolt (Luxembourg SA, self-hosted) and Vaultwarden (fully self-hosted) provide cleaner jurisdictional profiles. Proton Pass (Switzerland, adequacy) is the best compromise for organisations that want a managed SaaS with no offshore ownership complexity.
The EU-native password manager landscape has matured significantly. You no longer need to choose between security and sovereignty. Choose the profile that matches your compliance posture.
This post is part of the sota.io EU Password Manager Series. Read the full series: LastPass EU Alternative · 1Password EU Alternative · Dashlane EU Alternative · Keeper Security EU Alternative
Need EU-native infrastructure for Passbolt or Vaultwarden? sota.io deploys EU-hosted managed services on Hetzner Germany — no US parent, no CLOUD Act, GDPR by design.