Checklist: choose a European password manager (10 criteria)

Choosing a business password manager is less about “features in a table” and more about where secrets live, who can access them, and how you exit if the vendor changes terms. This checklist is written for IT and procurement teams evaluating European options—aligned with how we score tools in our free assessment.

1. Legal entity and contract

Confirm which company signs the DPA, which courts have jurisdiction, and whether you can contract on your own paper (your standard terms) rather than the vendor's. EU customers often prefer an EU governing-law clause where possible.

2. Data location (not just a flag icon)

Ask for primary hosting region, backup regions, and whether support staff can access vault metadata from outside the EU. “Hosted in Europe” should be verifiable in the contract or annex.

3. Subprocessors and transfers

Request an up-to-date subprocessor list and how transfers outside the EEA are covered (e.g. SCCs). This is where many “EU product” stories break down.

4. Encryption and key handling

Understand who holds keys, whether zero-knowledge applies to all data types you store, and how recovery works without exposing plaintext to the vendor.

5. Identity: SSO and directory

Map needs for Microsoft Entra ID / Google Workspace, SCIM, and break-glass accounts. SSO reduces friction; the vault still matters for non-SSO apps and shared credentials.

6. Admin controls and audit

Check role-based admin, event logs, export for SIEM, and retention. Regulated sectors often need evidence of access reviews—not just “we have 2FA.”
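As an added example (not from the original article), this is what a basic access-review check over an exported event log can look like: it reconciles who touched each shared collection against a directory snapshot and flags disabled or unknown accounts and sensitive actions. The event and directory data are constructed samples and the field names are assumptions, not any vendor's real export schema.

```python
import json
from collections import defaultdict

# Constructed sample: audit events as a password manager might export them for a SIEM
# (field names are assumptions, not any vendor's real schema).
SAMPLE_EVENTS = """
{"ts": "2024-03-01T09:12:00Z", "actor": "anna@example.eu", "action": "item.view", "collection": "Finance shared"}
{"ts": "2024-03-02T14:03:00Z", "actor": "bob@example.eu", "action": "item.view", "collection": "Finance shared"}
{"ts": "2024-03-03T08:45:00Z", "actor": "carol@example.eu", "action": "item.view", "collection": "Ops shared"}
{"ts": "2024-03-04T16:20:00Z", "actor": "bob@example.eu", "action": "item.export", "collection": "Finance shared"}
{"ts": "2024-03-05T11:00:00Z", "actor": "dave@example.eu", "action": "item.view", "collection": "Ops shared"}
"""

# Constructed sample: SCIM-provisioned users as the directory currently sees them.
DIRECTORY = {
    "anna@example.eu": "active",
    "bob@example.eu": "disabled",   # left the company; vault seat still exists
    "carol@example.eu": "active",
    # dave@example.eu is absent on purpose: a local vault account with no directory entry
}

# Actions an access review should always surface, whoever performed them.
SENSITIVE_ACTIONS = {"item.export", "item.share"}

def parse_events(raw):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]

def access_review(events, directory):
    """Return per-collection accessors plus findings an access review should act on."""
    by_collection = defaultdict(set)
    findings = []
    for ev in events:
        actor, coll = ev["actor"], ev["collection"]
        by_collection[coll].add(actor)
        status = directory.get(actor)
        if status is None:
            findings.append(f"{actor} accessed '{coll}' but is not in the directory")
        elif status != "active":
            findings.append(f"{actor} is {status} in the directory but still accessed '{coll}'")
        if ev["action"] in SENSITIVE_ACTIONS:
            findings.append(f"{actor} performed {ev['action']} on '{coll}' at {ev['ts']}")
    return {c: sorted(a) for c, a in by_collection.items()}, findings

if __name__ == "__main__":
    accessors, findings = access_review(parse_events(SAMPLE_EVENTS), DIRECTORY)
    for coll, who in accessors.items():
        print(coll, "->", ", ".join(who))
    for f in findings:
        print("FINDING:", f)
```

The accessor table is the evidence an auditor asks for; the findings list is what the review should close out before sign-off.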

7. Device and browser posture

Clarify support for managed devices, extension policies, and offline access. Decide if mobile access should be restricted by policy.

8. Operational fit

Evaluate onboarding, helpdesk load, and whether you need self-hosted or air-gapped deployment for part of the estate.

9. Commercial model

Normalise per-seat and flat-rate quotes against the same user population (including API-only or shared mailboxes, which vendors count differently). See our article on fair pricing comparison.

10. Exit strategy

Define export formats, notice periods, and how fast you can revoke SSO. A good vendor makes leaving boring; a bad one makes it expensive.