Is 1Password subject to the CLOUD Act?

No. AgileBits is a Canadian company. The CLOUD Act applies to US-incorporated entities. Minority US investment does not create CLOUD Act exposure.

Is 1Password Safe for Canadian Data? Sovereignty Analysis

Q: Can 1Password read my passwords?

No. 1Password uses zero-knowledge encryption with a dual-key system. AgileBits cannot decrypt your vault data under any circumstances.

Q: Do I need a TIA for 1Password under Law 25?

Generally no. 1Password is Canadian-incorporated with zero-knowledge encryption. It does not trigger TIA requirements the way US-incorporated tools do.

Q: How does 1Password compare to LastPass?

1Password is Canadian (not CLOUD Act exposed) and has never been breached. LastPass is US-based, CLOUD Act exposed, and was breached in 2022.

Parent Company

AgileBits Inc. (Ontario, CA)

CLOUD Act Status

✓ Not Exposed

Canadian Jurisdiction

✓ Canadian-Owned

Encryption

✓ Zero-Knowledge E2EE

TIA / PIA Required

✓ Simplified

Track Record

Never breached (~20 years)

Is 1Password safe for Canadian organizations?

Yes — 1Password is one of the strongest sovereignty stories in Canadian technology. AgileBits Inc. was incorporated in Ontario in 2005, is headquartered at 4711 Yonge Street in Toronto, and remains Canadian-owned. As a Canadian company, 1Password is not subject to the US CLOUD Act. Canadian law enforcement requires a Canadian court order to access data — and even then, 1Password's zero-knowledge architecture means the company itself cannot decrypt your vaults.

This is a fundamentally different sovereignty posture from the US-parented tools analyzed elsewhere in this index. When you store credentials in Dropbox or Slack, US authorities can compel the provider to hand over your data. With 1Password, even if a government demanded access, AgileBits mathematically cannot comply — they don't have the keys.

1Password has raised $920 million in venture capital from US-based investors including Accel, ICONIQ Growth, and Tiger Global. This is worth noting for transparency, but US venture capital investment does not change a company's country of incorporation or its legal jurisdiction. AgileBits remains an Ontario-incorporated Canadian company subject to Canadian law. Minority investment does not create CLOUD Act exposure.

Regulatory Analysis

▾

Not CLOUD Act exposed

AgileBits Inc. is incorporated in Ontario, Canada. The US CLOUD Act applies to companies that are "subject to the jurisdiction of the United States" — meaning US-incorporated companies or foreign companies with sufficient US contacts. AgileBits is a Canadian company. It does not have a US parent company. US venture capital investors hold minority stakes but do not change the corporate jurisdiction.

🍁

Your Credentials

Passwords, keys, secrets
Encrypted on your device

🏢

AgileBits Inc.

Toronto, Ontario, Canada
Zero-knowledge — can't decrypt

🛡️

Canadian Jurisdiction

Canadian courts only
CLOUD Act does not apply

Zero-knowledge + Canadian jurisdiction = double protection

1Password provides two layers of sovereignty protection that work together. First, the jurisdictional layer: AgileBits is Canadian, so the CLOUD Act doesn't apply. Second, the technical layer: even under a valid Canadian court order, AgileBits cannot decrypt your data — the zero-knowledge architecture ensures only you hold the keys. This combination makes 1Password one of the most sovereignty-secure tools available for any data category.

Quebec Law 25

Quebec organizations using 1Password benefit from Canadian incorporation and zero-knowledge encryption. A TIA is technically not required for Canadian-jurisdiction tools where data does not leave Canada. However, organizations should document 1Password's jurisdiction and encryption architecture in their compliance records — it strengthens the overall compliance posture.

Alberta POPA

1Password's Canadian jurisdiction and zero-knowledge architecture make it one of the safest SaaS choices for Alberta public bodies. If a PIA is required for your credential management workflow, 1Password's Canadian incorporation and inability to access stored data are strong mitigations.

US VC investment — does it matter?

1Password has raised $920 million from primarily US-based investors: Accel ($200M Series A), followed by a $100M Series B, and a $620M Series C led by ICONIQ Growth with Tiger Global and Lightspeed. This makes it one of the largest-funded Canadian technology companies. However: minority investment does not change corporate jurisdiction. AgileBits Inc. remains Ontario-incorporated, subject to Canadian law. US investors cannot compel AgileBits to comply with US legal process. And even if they could, the zero-knowledge architecture means there's nothing to hand over. As of November 2025, 1Password had surpassed $400 million in ARR and was weighing a potential IPO in 2026 or 2027.

Five Eyes consideration

Canada is a member of the Five Eyes intelligence alliance (alongside the US, UK, Australia, and New Zealand). Some privacy-focused reviewers note this as a concern. However, Five Eyes intelligence sharing is about signals intelligence between governments — it does not create a legal mechanism for accessing encrypted commercial data. Combined with 1Password's zero-knowledge architecture, this concern is theoretical rather than practical for most organizations.

1Password is one of the Canadian-jurisdiction tools in the Upper Harbour Sovereignty Index. For the other tools in your stack — the ones that are CLOUD Act exposed — map your full exposure and document the gaps.

Map your entire SaaS stack to parent jurisdictions and CLOUD Act exposure in 10 minutes.

Map Your Stack →

Alternatives & Comparison

▾

1Password has the strongest sovereignty posture of any major password manager:

Tool	Ownership	CLOUD Act	Zero-Knowledge	Track Record
1Password	Canada (Ontario)	Not exposed	Yes (E2EE)	Never breached
Bitwarden	US	Exposed	Yes (E2EE)	No breaches
LastPass	US	Exposed	Partial	Breached 2022
Dashlane	US (Delaware)	Exposed	Yes (E2EE)	No breaches
Keeper	US	Exposed	Yes (E2EE)	No breaches

Based on Upper Harbour Sovereignty Index data. March 2026.

Key finding: 1Password is the only major password manager with Canadian jurisdiction. All competitors (Bitwarden, LastPass, Dashlane, Keeper) are US-incorporated and CLOUD Act exposed. While most offer zero-knowledge encryption, 1Password's Canadian incorporation provides an additional jurisdictional layer that no US competitor can match.

💬 Questions about 1Password and Canadian compliance?

We help organizations assess jurisdictional risk across their SaaS stack. Book a call or send us a message.

Book a Call → Email Us →

Technical Architecture

▾

Zero-knowledge encryption

1Password uses a dual-key system that makes it mathematically impossible for AgileBits to access your data. Your vault is encrypted with AES-GCM-256, derived from two components: your master password (which you choose and never share) and a 128-bit Secret Key (generated on your device during setup). Neither component is ever transmitted to AgileBits' servers. Without both keys, the encrypted data is computationally indecipherable.

This is not a policy commitment — it's a cryptographic guarantee. Even if AgileBits were compelled by a court order (Canadian or otherwise) to produce your data, they could only produce encrypted blobs that are useless without your master password and Secret Key.

End-to-end encryption

Everything stored in your 1Password vaults is end-to-end encrypted before leaving your device. Data is encrypted locally, transmitted encrypted, and stored encrypted. Decryption only occurs on your authenticated devices. AgileBits processes metadata for service delivery (account information, billing) but cannot access the contents of your vaults.

Data hosting

1Password stores encrypted vault data on its servers. The company offers Canadian data hosting options. However, because of the zero-knowledge architecture, the hosting location is less sovereignty-critical than for other SaaS tools — even if data were hosted outside Canada, it's encrypted with keys that AgileBits doesn't possess.

Security track record

1Password has never been breached in approximately 20 years of operation. The company maintains an extensive security audit program with over two dozen third-party audits published. In October 2023, 1Password detected suspicious activity related to Okta's customer support system, but confirmed no user, employee, or sensitive data was compromised. Contrast this with LastPass, which suffered a significant breach in 2022 where encrypted vault data was exfiltrated.

Extended Access Management

1Password has expanded beyond password management into Extended Access Management (XAM), including device trust, SaaS application discovery, and AI agent identity management. Enterprise features include SSO integration (Okta, Entra ID), SCIM provisioning, custom security policies, and comprehensive audit logging.

Frequently Asked Questions

▾

Is 1Password a Canadian company?

Yes. AgileBits Inc. was incorporated in Ontario, Canada in 2005 and is headquartered in Toronto. It remains Canadian-owned despite having raised $920 million from primarily US-based venture capital investors (who hold minority stakes).

Is 1Password subject to the US CLOUD Act?

No. AgileBits Inc. is a Canadian company and is not subject to the CLOUD Act. US venture capital investment does not change a company's country of incorporation or legal jurisdiction.

Can 1Password read my passwords?

No. 1Password uses a zero-knowledge architecture with a dual-key system (your master password + a 128-bit Secret Key generated on your device). AgileBits never has access to either key and mathematically cannot decrypt your vault data.

Has 1Password ever been breached?

No. In approximately 20 years of operation, 1Password has never had a breach of its encrypted vault data. The company maintains over two dozen third-party security audits. A 2023 incident related to Okta's support system was detected quickly with no user data compromised.

Do I need a TIA for 1Password under Law 25?

Generally no — 1Password is Canadian-incorporated and uses zero-knowledge encryption. A TIA is required when personal information leaves Quebec to a jurisdiction with weaker privacy protections. As a Canadian company, 1Password doesn't trigger this requirement in the same way US-incorporated tools do.

How does 1Password compare to LastPass?

1Password is Canadian-incorporated (not CLOUD Act exposed) and has never been breached. LastPass is US-incorporated (CLOUD Act exposed) and suffered a significant breach in 2022 where encrypted vault data was exfiltrated. Both use zero-knowledge encryption, but 1Password's dual-key architecture (master password + Secret Key) provides an additional security layer.

Methodology: This assessment is based on AgileBits Inc.'s corporate records (Ontario incorporation), vendor documentation, published security audits, and the Upper Harbour classification methodology. Data verified March 2026. Updated quarterly. Part of the Canadian Technology Sovereignty Index.

1Password Canadian Data Sovereignty Analysis