Encrypted data are still considered personal data by GDPR, so if in my vault are for example client’s e-mail addresses, I should have them stored only on a GDPR compliant cloud and have a Data Processing Agreement (at least in the form of a ToS amendment).
From that it seems to be unacceptable to use Bitwarden for anything else than personal data (where I have 100% trust in BW). For a freelancer or even a company where in the vault can be some of the personal data, this is not possible with GDPR.
I know there is an option to self-host, but managing a server is not for everyone. Definitely not a viable solution for most small businesses. It would be better to be able to choose a location in the EU or have a DPA.
We actually spent quite a lot of time validating our GDPR status and get this question often. Beyond Privacy Shield, we adhere to standard contractual clauses and offer data processing agreements where required.
Thank you for the reply! I’m sure you did, but the MailChimp issue with standard contractual clauses is fairly new.
The SaaS service is hosted in the US only currently. Alternative SaaS locations have been requested but usually self-hosting resolves the need if there is a regulatory/compliance requirement outside of GDPR.
It would be great to provide SaaS service hosting in a country that requires the user to be informed of any data request by authorities. Switzerland seems to fulfil that condition, but I’m not sure about the legal situation with Switzerland not being an EU member (as far as I remember they’re considered equivalent to a member state for GDPR purposes).
I like the idea that I could put a BW Server in Switzerland or anywhere else for that matter. As others have stated it also would be great if BW offered their customers the option of BW hosted vaults in the EU. I would much rather have BW host it than do it myself, but that’s just my personal preference.
A couple of BW’s major competitors already do this: 1Password and KeeperSecurity. There may be others too. It would be great if BW did this too. If BW decides to go that route, I hope they will consider a way to move the data for people who wish to have their data hosted in the EU instead of having to create a new account and do export/import.
Nothing to update at this time, but we will share as news becomes available. For now, Bitwarden is compliant with GDPR due to our zero knowledge approach to encryption. Only you have the keys to decrypt your vault data.