Centralise team passwords and secrets, sync permissions from Active Directory, support SSO authentication, and deploy on-premise on your own servers or in our EU-based Cloud. ISO 27001 certified, AES-256 client-side encryption, full audit log.
Trusted by 10,000+ companies worldwide
Developed in Europe, with full GDPR and NIS2 compliance and data sovereignty
Development and infrastructure meet the international benchmark for information security
Chosen by government agencies and highly regulated industries across Europe
Zero-knowledge architecture with client-side encryption keeps your passwords private
Independent research shows 30% savings compared to competitors
Credentials live in browsers, KeePass files, shared spreadsheets and chat threads. Mass resets are routine, no one is sure who has access to what, and audits drag for weeks.
Vaults, folders and individual passwords held in one place. Role-based access maps to who actually owns what. The audit log answers "who saw this credential, and when".
New starters wait days for the right credentials. Mid-year role changes leave orphan access on systems no-one tracks. Leavers walk off with passwords still active in vendor portals. The work is repetitive, easy to skip, and only surfaces when an audit finds the gap.
Sync users and groups from Active Directory or any LDAP server. Connect SAML 2.0 with Azure AD (Entra ID), Okta, ADFS or Google Workspace. AD groups drive Passwork roles, joiner/leaver work happens once.
Auditors and regulators ask for proof that access to credentials is granted, used, reviewed and revoked under the active framework. Most consumer-grade password managers cannot produce a clean access-control evidence line.
Passwork holds an active ISO 27001 certificate, processes data in line with GDPR, and is ready for NIS2. Every read, write, share, export and permission change writes a row to the audit log with user, time and target. Export to your SIEM and attach to your evidence pack.
Procurement, legal and security teams reward suppliers that store and process data in the EU. Most leading password managers are US-headquartered, with EU residency offered as a paid add-on or only via self-hosting. Suppliers who can answer the residency question with a clean "yes" move evaluations forward faster.
Run Passwork on-premise on your own servers or in your private network for full control of data and keys. Or use the cloud edition in EU data centers in Germany. Same access management features, your choice of residency.
DevOps teams need to read database credentials, API tokens and SSH keys from pipelines without a human in the loop. KeePass workarounds and env files are brittle and unaudited.
Read, write, rotate and audit secrets from CI/CD or scripts. API keys can be scoped and rotated programmatically. Every machine read is in the audit log alongside human reads.
Without a vault that works from anywhere, distributed staff fall back on chat threads, screenshots and email. Auditors flag it, leavers walk off with credentials, and customer-facing teams find expired logins inside support tickets.
Web app, native mobile apps and browser extensions for any user with an internet connection. Office and remote staff share identical permissions and identical audit trail. IP allowlist available where you need tighter control.
Inherited tools have shared folders and improvised role logic. Cutover risk and the cost of human migration kill many deals before they start.
Import folder structures and shared vaults from LastPass, Bitwarden, 1Password, KeePass, Dashlane or Pleasant Password Server. Python connector and CLI for scripted migrations. Most pilots are live in two weeks. Switching teams get 50% off the first year on Passwork when migrating from a competing password manager.
Connect Active Directory or your IdP, import a vault, define a few roles, and watch the audit log fill up. Free for two weeks, no credit card, on your real data.
Connect Passwork to Active Directory, an LDAP server or any SAML 2.0 identity provider. Users and security groups land in Passwork on a schedule.
Tie vaults and folders to your Active Directory groups (self-hosted edition). Set read, write, share or audit-only at the level you need. Inheritance handles the boring cases automatically.
Every access, change and share is logged with user, time and target. Export to your SIEM, attach to your ISO 27001 evidence, ship the NIS2 review.
Permissions inherit from your AD groups. Add a person to SRE in AD and the right credentials show up in their vault, with no admin click in Passwork.
Runs on your own servers or in your private network
Full data control, full network control. Same access management features as Cloud. Right for regulated industries and data-sovereignty buyers, and the default Passwork starting point.
Hosted in EU data centers in Germany. Operated by Passwork.
Up and running in 3 minutes. Right for teams that want EU residency without infrastructure to run.
Bulk import folders and shared vaults from your current tool. Most pilots are live in two weeks.
| Capability |
|---|
| Self-hosted |
| EU-hosted data |
| LDAP / AD sync |
| Enterprise SSO |
| Role-based access |
| REST API |
| SIEM audit logs |
| 50% off for switchers |
| |  |  |  |  |
|---|---|---|---|---|
| Native | No | Enterprise plan | Cloud only | File-based |
| Yes | Limited | EU region available | EU region available | Self-controlled |
| Native | AD Connector | Directory Connector | SCIM Bridge | Manual / plugin |
| Yes | Yes | Yes | OIDC only | No |
| Native | Group-based | Custom roles | Vault-level | Plugin-based |
| Yes | Provisioning API | Public API | Connect | No |
| Yes | Cloud only | Events API | Events API | Local only |
| Yes | No | No | No | N/A |
The feature set ISO 27001 auditors and NIS2 reviewers actually ask about, on the web, on mobile and in the terminal.
LDAP and Active Directory user and group sync
2FA, TOTP and FIDO U2F / YubiKey
Per-tenant identity provider configuration
Automatic role mapping from security groups
SAML 2.0 with Azure AD (Entra ID), Okta, ADFS, Google Workspace
Role-based access control on vaults, folders, individual passwords
One-click revoke across vaults when someone leaves
Read, write, share and audit-only modes
Inherit from AD groups or set per object
External user invitations with expiry
Full audit log: user, time, target, action
SIEM-ready export
ISO 27001 certified, NIS2 ready, GDPR compliant
Quarterly third-party penetration testing
EU data residency on Cloud, customer-controlled on Self-hosted
Python connector and CLI
Scoped, rotatable API keys
Audit on every machine read, alongside human reads
CI/CD, Docker and Kubernetes secrets patterns
REST API for read, write, rotate and audit
AES-256 client-side encryption in the browser
Server stores ciphertext only, no plaintext access
Per-vault key derivation
Customer-controlled keys on Self-hosted
Zero-knowledge architecture for the master password
Pleasant Password Server import
Folder structure and shared vaults preserved
Python connector and CLI for scripted migrations
Most pilots live in two weeks
CSV import from LastPass, KeePass, 1Password, Bitwarden, Dashlane
Best software to password management on premise. We chose it after checking various solutions. The possibility of installing it on our systems weighed heavily on the choice. The use is simple and …
I was looking for an on premise solution to store and manage our passwords. Multiuser with different roles and rights was a must, LDAP integration a nice add on. Passwork ticked all the boxes. They were …
Very easy and secure Passwork Manager. Easy sharing functionalities. Good LDAP integration, TOTP and Multifactor Authentication Options.
Every team manages credentials differently. See how companies across industries use Passwork to secure access, streamline collaboration, and maintain full control. From small IT teams to enterprise-wide deployments.
The City of Melle deployed Passwork to centralize credential management across municipal departments, eliminating password-related security incidents and improving access control.
Kindernothilfe deployed Passwork to enable secure password sharing across distributed teams in multiple countries, reducing access-related delays and improving operational efficiency.
Search, autofill, and create credentials without leaving the browser. Works with Chrome, Firefox, Edge, and Safari.
Quick access to your corporate passwords from your mobile device
Convenient login verification using the Passwork authenticator app
Full password management functionality in a native desktop application
Pick self-hosted or EU-based Cloud. Self-hosted is a Docker compose; Cloud is up in 3 minutes. No credit card.
Connect Passwork to AD or your SAML IdP. Users and groups land in Passwork on a schedule.
CSV from your current tool, REST API for bulk. Map AD groups to vaults and folders.
25 to 50 users in week two. 1,000 seats across the business in four to eight weeks.
Join thousands of IT professionals who trust Passwork to manage their passwords securely. Start your free trial today or get a personalised quote.
Access management is the practice of controlling who can use which IT resources, when, and under which conditions. For passwords and secrets it covers how credentials are stored, who is allowed to view or use them, how access is granted or revoked, and how every action is logged. Access management is one part of identity and access management (IAM); IAM also covers user provisioning, single sign-on and authentication.
Passwork is an access management tool focused on team passwords and secrets. It works alongside an IAM (Okta, Azure AD, Google Workspace) by syncing users, groups and SSO from the identity provider. Passwork is not a PAM today; PAM tools handle shared privileged accounts and session recording, and a dedicated Passwork PAM module is on the roadmap for later in 2026. Passwork stores individual team credentials, applies role-based permissions and writes a full audit log.
Passwork connects to Active Directory or any LDAP server. Users and security groups are imported on a schedule. When a person joins a group in AD, their access in Passwork updates without manual steps. When they leave, access is revoked everywhere. Vault, folder and password permissions can be mapped to AD groups.
Yes. Passwork supports SAML 2.0 with Azure AD (Entra ID), Okta, ADFS, Google Workspace and any compliant identity provider. Each tenant can have its own IdP configuration. Role mapping from security groups happens automatically after first login.
Yes. Self-hosted Passwork runs on your own servers, on-premise or in your private network. The application, database and key material stay inside your network. The cloud edition runs in EU data centers in Germany. Both editions share the same access management features, audit log and integrations.
Both protect team passwords with client-side encryption. Passwork is built around IT-team access management with native LDAP/AD sync, SAML 2.0 across multiple identity providers, role-based permissions on vaults and individual passwords, REST API with key rotation, and an EU-data-residency self-hosted option. Bitwarden has consumer roots and a different feature ladder for enterprise customers.
Every read, write, share, export and permission change is logged with user, time and target. The log is exportable for SIEM ingestion. Combined with role-based permissions, this covers the access-control audit requirements in ISO 27001 and supports NIS2 reporting.
Passwork is ISO 27001 certified. Cloud customers' data is stored in EU data centers in Germany, which keeps personal data inside the European Union for GDPR purposes. Self-hosted customers control the location of their data entirely. The platform is NIS2 ready.
A typical pilot covers one department in one to two weeks: connect AD or SSO, import a vault, define a few roles, onboard 25 to 50 users. A full rollout to 1,000 seats with multiple vaults usually takes four to eight weeks. The free trial is the recommended starting point.
Yes. Passwork accepts CSV exports from LastPass, KeePass, 1Password, Bitwarden, Dashlane and Pleasant Password Server. Folder structure and shared vaults are preserved. The REST API and CLI let you script larger migrations.
Passwork is priced per user per month with volume tiers. Self-hosted is sold as a site license; EU-based Cloud is billed monthly per active user. Teams switching from a competing password manager get 50% off the first year. Passwork access management pricing and plans.
Self-hosted Passwork supports clustering and failover for high availability and runs on customer-controlled hardware sized to the user count. Cloud deployments scale horizontally inside Passwork's EU data centers. Reference deployments include single-tenant rollouts of 1,000+ users and MSP multi-tenant rollouts across many client tenants.
Yes. The Passwork MSP access management program provides a dedicated multi-tenancy instance with isolated client databases, an MSP portal for remote management, white-label client workspaces with unique domains, and per-tenant SAML configuration.
Self-hosted Passwork supports primary and replica databases with cold backup, clustering and failover for high availability. Customers run their own backup schedule and retention. Encrypted vault exports via the Passwork REST API and CLI documentation provide an additional offsite recovery path.
Yes. A dedicated Passwork PAM module covering shared privileged accounts and session control is planned for release later in 2026. Today's Passwork access management already covers individual team credentials with role-based permissions and an audit log.
If you haven't received the email, check your spam folder or contact us at [email protected]
Please click the button below to change the language
Switch to EnglishFill out the form below to get your copy of the report
Fill out the form below to get your copy of the NIS2 guide
