GDPR compliance doubts

Hi,
I like Bitwarden very much and it’s my recommendation #1 for friends and family. But as a freelancer I’m quite concerned about GDPR here in the EU.

Bitwarden states that it is compliant with Privacy Shield, HIPAA, GDPR, CCPA and SOC 2. I’m not sure about GDPR at all. Here is why:

  1. Privacy Shield is no longer applicable (there is also a new decision by a German DPA that SCCs alone are not enough to use MailChimp: https://www.natlawreview.com/article/bavarian-dpa-holds-sccs-alone-not-enough-european-use-us-email-service).

  2. Encrypted data are still considered personal data by the GDPR, so if my vault contains, for example, clients’ e-mail addresses, I should store them only on a GDPR-compliant cloud and have a Data Processing Agreement (at least in the form of a ToS amendment).

Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.
What is personal data? | European Commission (europa.eu)

From that, it seems unacceptable to use Bitwarden for anything other than personal data (where I have 100% trust in BW). For a freelancer, or even a company, where some personal data may be in the vault, this is not possible under the GDPR.

I know there is an option to self-host, but managing a server is not for everyone. It is definitely not a viable solution for most small businesses. It would be better to be able to choose a location in the EU or to have a DPA.


Hi @michals - welcome!

We actually spent quite a lot of time validating our GDPR status and get this question often. Beyond Privacy Shield, we adhere to standard contractual clauses and offer data processing agreements where required.

Thank you for the reply! I’m sure you did, but the MailChimp issue with standard contractual clauses is fairly new.

From your standpoint/validation, what does that mean for freelancers/SMBs? If I register an account and use it for storing business-related data (e.g. names/e-mails of clients), do I have something (the privacy policy seems very general) that I can show to the regulator?

The privacy policy is the standard for Bitwarden usage/agreements. If you have additional requests or privacy questions, I’d recommend reaching out via bitwarden.com/contact and the CS team can help with specific questions.

Can users choose the data-residency - i.e. European Customers could choose hosting in Europe / Germany for example?

The SaaS service is hosted in the US only currently. Alternative SaaS locations have been requested but usually self-hosting resolves the need if there is a regulatory/compliance requirement outside of GDPR.

@tgreer Any time frame when SaaS service hosting of Bitwarden in EU will come?


Still in evaluation right now, but we’re looking into this for next year.

[Edited for timeline clarification]


It would be great to provide SaaS service hosting in a country that requires the user to be informed of any data request by authorities. Switzerland seems to fulfil that condition, but I’m not sure about the legal situation with Switzerland not being an EU member (as far as I remember they’re considered equivalent to a member state for GDPR purposes).

@tgreer Any updates regarding SaaS service hosting of Bitwarden in the EU?


I like the idea that I could put a BW Server in Switzerland or anywhere else for that matter. As others have stated it also would be great if BW offered their customers the option of BW hosted vaults in the EU. I would much rather have BW host it than do it myself, but that’s just my personal preference.

A couple of BW’s major competitors already do this: 1Password and KeeperSecurity. There may be others too. It would be great if BW did this too. If BW decides to go that route, I hope they will consider a way to move the data for people who wish to have their data hosted in the EU instead of having to create a new account and do export/import.


Hi @Samplex, we’re still working on this, but aside from our current roadmap, we don’t have a specific ETA at this time.

The SaaS solution will be much better for freelancers, as it will not require them to maintain their own servers; we hope to make servers available in Europe soon.

@bw-admin Any news regarding EU servers?

Nothing to update at this time, but we will share as news becomes available. For now, Bitwarden is compliant with GDPR due to our zero-knowledge approach to encryption. Only you have the keys to decrypt your vault data.