By: Keycrew Media
Chris Skipworth is CEO of, speaking on the company’s Amsterdam data center expansion, Zero Knowledge architecture, and what EU data residency means for the IT teams managing credentials day to day.
For most organizations, data residency has long been a legal department problem. Compliance teams mapped customer records, HR systems, and CRM data, then signed off on the transfer impact assessments needed to move that data across borders. Security tooling, for its part, was treated as plumbing rather than data processing, exempt by assumption from the same scrutiny applied to everything else.
Now the auditors have caught up.
Cumulative GDPR fines since 2018 now exceed €7.1 billion in cumulative GDPR fines, with €1.2 billion issued in 2025 alone, and more than 60% of the total has landed since January 2023. European data protection authorities are now recording more than 400 personal data breach notifications per day, a 22% jump year-on-year. The credential store (every login, every shared access key, every privileged account an IT team manages) is personal data under GDPR. In many organizations it carries more exposure than the CRM database anyone bothered to audit.
It was that gap which led Passpack to expand its Amsterdam data center and make EU data residency a foundational part of its European offer. Skipworth explains the thinking.
Why Amsterdam, and Why Now
Amsterdam has long been the natural anchor for European cloud infrastructure. The Netherlands supports 11,000 direct jobs in the Dutch data center sector and underpins 2.1 million positions across the digital economy, and its network infrastructure is among the most mature on the continent. Skipworth is matter-of-fact about why Amsterdam made sense.
“For a credential management platform, that maturity means rock-solid connectivity, redundant infrastructure, and the kind of uptime IT teams need when credential access underpins every other system they run,” he says.
The timing reflects something more than infrastructure readiness. As of 2026, the EU-US Data Privacy Framework remains a valid transfer mechanism, having survived its first annulment challenge at the EU General Court in 2025. But the judgment only evaluated the framework as it stood in July 2023, and the court was explicit that the Commission must continuously monitor US legal developments and intervene if protection levels deteriorate. For compliance teams, that is an open variable.
“We’d rather build for certainty than litigate for it,” says Skipworth. “Our Amsterdam data center will stand regardless of what the courts decide.”

What EU Residency Means for Your IT Team
When customer credentials are stored and processed within the Passpack Amsterdam data center, they stay there. There is no transatlantic routing or cross-border transfer paperwork, and no exposure to foreign jurisdiction over data that has no business leaving the EU in the first place.
Scoped, self-serve access means each client sees only the credentials they are meant to see. Clients can retrieve their own credentials directly, which reduces the volume of password-lookup support tickets an IT team has to field while keeping administrative control in place.
The Zero Knowledge architecture takes that further. Only the customer holds the decryption key, which means that if a government authority ever compels disclosure, what they receive is encrypted data that nobody at Passpack can unlock either. The EDPB points to customer-controlled encryption as the primary technical safeguard for exactly this scenario.
Activity logs, access reports, and offboarding documentation are built in by default, so audit preparation does not require manual reconstruction.
“For IT administrators, this simplifies things considerably,” Skipworth says. “The audit trail is cleaner. The transfer risk assessment is shorter. And the answer to ‘where does this data live?’ is one sentence.”
Built for European Teams
One dashboard. Every client in their own isolated vault. For managed service providers running credential infrastructure across dozens of organizations, that separation isn’t a feature, it’s the whole point. Each client gets their own credentials, their own permissions, their own audit trail. When a client relationship ends, they take their vault and leave. Nothing carries across.
Skipworth is direct about what happens when that structure isn’t there. A workforce that can’t navigate the tool defaults to workarounds: spreadsheets, shared inboxes, ad hoc systems nobody audited and everybody uses. For an MSP, that failure multiplies across every client at once.
The rollout of six European languages, Portuguese, Spanish, French, German, Italian, and Dutch, comes from exactly the same place as the Amsterdam decision.
“In both cases, the decision was to build for the market rather than around it,” he says.
The Bigger Picture
Data residency is increasingly showing up in vendor negotiations and board conversations. It is now the question procurement teams ask before legal even gets involved. For organizations that want to get ahead of that curve, Skipworth’s view is that the starting point is knowing where every piece of sensitive data lives, including the keys to everything else.
“Our Amsterdam data center isn’t a checkbox,” he says. “It’s a long-term commitment to the European market, and to the IT teams operating inside it.”




