Your files, or a corporate Space?
OpenCloud's flagship concept is Spaces: content is assigned to a Space, not to user accounts. That fits org-owned team drives and feels wrong when you just want your files to be yours. Cotton is account-owned and personal-first.
Bring your own Keycloak
OpenCloud's embedded identity provider is officially a stopgap for small or dev-only deployments - no MFA, up to a few hundred users, no migration path - and for production OpenCloud tells you to run Keycloak with LDAP. Cotton ships passkeys and TOTP as the whole login system, no extra identity stack required.
One image versus a microservice constellation
Cotton is one Docker image plus Postgres. OpenCloud can spin up as a single test container, but its production shape is a cloud-native microservice fleet plus Collabora, a WOPI server, a reverse proxy, and - for real auth - Keycloak, each on its own subdomain.
The E2E they are still debating in a discussion thread
Cotton ships streaming AES-GCM by default plus client-side E2E folders the server cannot read. OpenCloud guarantees encryption in transit, while native end-to-end encryption is an open GitHub idea stuck on a hard problem - OIDC tokens versus password-derived keys - and its server-key model, by its own admin docs, does not keep the admin out.
Sovereign enterprise, or a finished personal cloud
Pick OpenCloud if you are an institution buying sovereign, federated, Spaces-based collaboration with a sysadmin team. Pick Cotton if you want your own files to feel finished on hardware you control, without standing up an enterprise platform.