Independently verified · Quarterly re-audit
EU VETTED

NordPass

VERIFIED
Password managers · Lithuania
Founded 2019 · nordpass.com ↗

Lithuanian password manager by Nord Security, zero-knowledge XChaCha20, ISO 27001 + SOC 2 — but hosted on AWS (US): material CLOUD Act exposure.

Why this score?

NordPass is the password manager of Nord Security, the Lithuanian cybersecurity group (Vilnius; founded 2019, also behind NordVPN, NordLayer, NordLocker, NordStellar). The product itself is genuinely strong: zero-knowledge XChaCha20 end-to-end encryption, voluntary independent audits, ISO/IEC 27001 + SOC 2 attested. But the infrastructure is hosted on AWS (a US-owned hyperscaler), which counts as material CLOUD Act exposure under the directory rubric even though zero-knowledge encryption mitigates the practical risk, and the Nord Security cap table includes US VC (General Catalyst co-led the 2022 round). Score held at 3/5 for meaningful CLOUD Act exposure.

SCORE: 3.0/5
CLOUD ACT
OWNERSHIP
SUB-PROCS: not disclosed
OVERVIEW

About NordPass

NordPass is the password-manager product of Nord Security, the Lithuanian cybersecurity company headquartered in Vilnius and best known for NordVPN. NordPass launched in 2019 and sits alongside NordVPN, NordLayer, NordLocker and NordStellar in the Nord Security portfolio. As a product it is well-built: zero-knowledge architecture with **XChaCha20** end-to-end encryption (data encrypted on-device before it leaves), passkey support, integrated 2FA, secure sharing, data-breach scanning, and a business tier with SSO, activity logging and admin controls. The company voluntarily undergoes independent security audits and holds **ISO/IEC 27001 and SOC 2** attestations, plus HIPAA alignment and FIDO Alliance compliance.

For an EU-sovereignty audit, however, NordPass is mid-table rather than top-tier, and the reason is infrastructure, not product quality. NordPass states plainly that it is **"hosted on AWS"**: Amazon Web Services is a US-owned hyperscaler, so even with EU-region placement the data-at-rest sits with a US-incorporated processor subject to the CLOUD Act. The directory rubric classifies a core US-owned sub-processor as **material** CLOUD Act exposure, which caps the compliance score at 3/5. The zero-knowledge encryption is a genuine and important mitigation (AWS holds only encrypted blobs that Nord cannot decrypt and AWS cannot read), but the structural exposure is what the score reflects.

Separately, the Nord Security ownership chain includes US venture capital: the 2022 $100M round was co-led by General Catalyst (US) alongside Novator (Iceland) and Burda (Germany). The group uses multiple legal entities across jurisdictions, so the precise NordPass operating entity should be confirmed against the Lithuanian register before the listing goes live.

Pricing is freemium: a free tier limited to one active device; Premium at roughly €1.50-2/month on longer plans; Family and Business tiers above. The NordPass pricing page did not render concrete figures to automated fetching at audit, so the EUR entry is approximate.

Best fit: individuals and businesses already inside the Nord ecosystem, and buyers who prioritise audited product security and prize zero-knowledge encryption over strict hosting sovereignty. EU buyers who need a clean no-US-infrastructure posture should prefer Proton Pass (CH), Passbolt (LU, self-hostable) or Psono (DE, self-hostable).
SUB-PROCESSORS

Sub-processor map · not disclosed

Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
CERTIFICATIONS

Frameworks & certifications

ISO/IEC 27001 · ACTIVE
SOC 2 · ACTIVE · Informational · US framework
FEATURES

Feature matrix

INTEGRATION & ACCESS
  REST API: No
  SSO (SAML / OIDC): Yes
COMPLIANCE & GOVERNANCE
  Audit log: Yes
  Self-host / on-prem option: No
PRICING

Pricing & tiers

FREEMIUM
from €2/month
See the pricing page ↗
PUBLIC DOCUMENTS

Public documents

  • Data Processing Addendum (DPA)
    business.nordsec.com/legal…
    Open ↗
  • Sub-processors list
    — missing
  • Terms of Service
    my.nordaccount.com/legal…
    Open ↗
ALTERNATIVES

Alternatives in this category