# Compliance

Bitwarden is dedicated to compliance with international standards for security and privacy.

---

### Bitwarden Security and Compliance

Bitwarden envisages a world where no one gets hacked. This is reflected in Bitwarden’s steadfast commitment to security, privacy, and compliance with international standards.

[Read the Security White Paper](https://bitwarden.com/help/bitwarden-security-white-paper/)

## Awards and Recognition

![soc2-color](https://bitwarden.com/assets/5qmV5rn9DTKKMsMskBs9Cv/dc310737497ba3d1b649dcde127c8756/badge-compliance-soc2-color.webp)

![gdpr-color](https://bitwarden.com/assets/3JONk7fDxmJ78aQyIyYWHW/8f2a1809e44dbc27af335b4eebaa19b6/gdpr-compliant.webp)

![data-privacy-framework](https://bitwarden.com/assets/2nkWHG7l2ksezkL4dbMp3R/14ac3b59e6798291bbd6cad1729bc9c6/DPF-logo-certifications-page.png)

![badge-compliance-iso27001](https://bitwarden.com/assets/3Q1bRprPg8qBybfl8myUou/d60fd3aeb85668dcdb0f386d9081d1a9/badge-compliance-iso27001_1_.svg?fm=png&w=800&q=90)

![hipaa-color](https://bitwarden.com/assets/7emd1yp1u4qICPVWm5xQ4O/6ed576b7b9e57fe684dbcd969d9d97f5/hipaa-compliant.webp)

![ccpa-color](https://bitwarden.com/assets/3BK0h7RmAmz2aXRpsCpnkF/e66d7d8a990fd1c7648364aa017c39fd/badge-compliance-ccpa-color.webp)

## Bitwarden privacy and product security

### Third-party audited

External experts regularly review Bitwarden products, ensuring strong and trusted security. 

![illustration-open-source](https://bitwarden.com/assets/6PoNmYpJGIuhjfgbJkSOMV/a0f394b43d6338469f6ce813454cd5a0/illustration-open-source.png)

### Zero-knowledge, end-to-end encryption

Your vault information is secured with strong encryption, so no one has access to it, not even Bitwarden!

![illustration-end-to-end-encryption](https://bitwarden.com/assets/653piscNAty6UwZLQf74Nc/b84ef5fc1c5b0c3b0a62fb1495071d21/illustration-end-to-end-encryption.png)

### Compliant with privacy and security standards

Get Bitwarden products quickly approved by your internal IT and security teams with industry compliance.

![illustration-audit](https://bitwarden.com/assets/22H6uVYYWFDQ5KiImZMypM/777368a0bdc360b0e31b17722cd1c879/illustration-audit.png)

## Trust and transparency powered by open source

An open source codebase enables the security of Bitwarden products to be easily audited by independent security researchers, notable security firms, and the Bitwarden community.

### Trusted open source architecture

The Bitwarden codebase on GitHub is regularly reviewed and audited by millions of security enthusiasts and active Bitwarden community members.

![icon-open-source-2-blue](https://bitwarden.com/assets/3Pf9ZZrgNVFs7kQ1KVZ6ZJ/91e1118f8b19614779737cd4cb101a17/icon-open-source-2.png)

[Read the code](https://github.com/bitwarden)

### Source code assessment

Bitwarden completes annual source code audits and penetration tests for each client, including web, browser extension, and desktop — in addition to the core application and library.

![icon-security-audit-blue](https://bitwarden.com/assets/7FVNCGCl4IXW17G2WN5lSA/cabbc8a9ce1f5cc109d049e96b4624f9/icon-security-audit.png)

[Access the reports](https://bitwarden.com/help/is-bitwarden-audited/#third-party-security-audits)

### Network security assessment

Bitwarden completes annual network security assessments and penetration tests by reputable security firms.

![icon-data-breach-blue](https://bitwarden.com/assets/7vae54gWW67xGkc5MQzF03/a3a0c546bbf51c4a9accabd5af6b22e8/icon-data-breach.png)

[Access the reports](https://bitwarden.com/help/is-bitwarden-audited/#third-party-security-audits)

### HackerOne bug bounty

Independent security researchers are rewarded for submitting potential security issues.

![icon-cli-blue](https://bitwarden.com/assets/6aLcKclXtuaWWCnwcth26q/10c0ba547092f257b27bf2259549131f/icon-cli.png)

[Check out the programme](https://hackerone.com/bitwarden/)

## Keeping your data secure

As your password manager and credential security provider, Bitwarden uses trusted security measures and encryption methods to protect user data.

### Zero-knowledge, end-to-end encryption

Bitwarden uses end-to-end encryption for all vault data, which only your master password can decrypt. With a zero-knowledge architecture, Bitwarden cannot read any encrypted data in your vault.

[Learn more about encryption](https://bitwarden.com/help/bitwarden-security-white-paper/#user-data-protection)

### Multifactor encryption

Multifactor encryption is an additional layer of encryption that protects your stored information. This makes it practically impossible for a malicious actor to break into your vault, even if they were able to gain access to your encrypted vault data.

[Learn more about multifactor encryption](https://bitwarden.com/blog/bitwarden-security-fundamentals-and-multifactor-encryption/)

### Self-hosting options

Choose to deploy and manage Bitwarden on-premises in your private network or infrastructure with self-hosting options. Self-hosting allows customers to have more detailed control over their stored information.

[Learn how to self-host Bitwarden](https://bitwarden.com/help/self-host-an-organization/)

## Security compliance

Bitwarden adheres to industry security standards with ISO 27001 certification, SOC2 and SOC3 certifications, and HIPAA compliance.

### SOC2 and SOC3

System and Organisation Controls (SOC) comprise a set of control frameworks that are used to validate an organisation’s security systems and policies. Bitwarden is SOC 2 Type II and SOC 3 certified. 

SOC 2 reports are available upon request.

![soc2-color](https://bitwarden.com/assets/5qmV5rn9DTKKMsMskBs9Cv/dc310737497ba3d1b649dcde127c8756/badge-compliance-soc2-color.webp)

[Read the SOC 3 report](https://assets.ctfassets.net/7rncvj1f8mw7/2Sljjp4w5WkruimAllgaks/ec0064fd6e1839185f7dfd2803227e13/Bitwarden_-_2025_SOC_3_Report.pdf)

### HIPAA

Bitwarden is HIPAA compliant and undergoes annual third-party audits for HIPAA Security Rule compliance.

![hipaa-color](https://bitwarden.com/assets/7emd1yp1u4qICPVWm5xQ4O/6ed576b7b9e57fe684dbcd969d9d97f5/hipaa-compliant.webp)

[Read about Bitwarden HIPAA compliance](https://bitwarden.com/blog/why-use-a-hipaa-compliant-password-manager/)

### ISO 27001

Bitwarden is ISO 27001 certified and complies with ISO 27001 control sets relating to data security.

![badge-compliance-iso27001](https://bitwarden.com/assets/3Q1bRprPg8qBybfl8myUou/d60fd3aeb85668dcdb0f386d9081d1a9/badge-compliance-iso27001_1_.svg?fm=png&w=800&q=90)

## Privacy compliance

Bitwarden prioritises protecting users’ personal data and ensuring compliance with key privacy standards across the globe.

### CCPA & CPRA

Bitwarden complies with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

![ccpa-color](https://bitwarden.com/assets/3BK0h7RmAmz2aXRpsCpnkF/e66d7d8a990fd1c7648364aa017c39fd/badge-compliance-ccpa-color.webp)

[See the Bitwarden Privacy Policy](https://bitwarden.com/privacy/)

### GDPR

Bitwarden complies with GDPR, current EU data protection rules, and EU Standard Contractual Clauses (SCCs).

![gdpr-color](https://bitwarden.com/assets/3JONk7fDxmJ78aQyIyYWHW/8f2a1809e44dbc27af335b4eebaa19b6/gdpr-compliant.webp)

[See the Bitwarden Privacy Policy](https://bitwarden.com/privacy/)

### Data Privacy Framework

Bitwarden complies with the Data Privacy Framework (DPF), previously called Privacy Shield, which defines the safe transfer of personal data.

![data-privacy-framework](https://bitwarden.com/assets/2nkWHG7l2ksezkL4dbMp3R/14ac3b59e6798291bbd6cad1729bc9c6/DPF-logo-certifications-page.png)

[See the Bitwarden Privacy Policy](https://bitwarden.com/privacy/)

## Meet your security compliance standards with Bitwarden

Bitwarden is more than a password manager; it's a foundational tool for achieving and maintaining industry compliance with key security standards. Through secure sharing, monitoring capabilities, centralised management, and robust data protection, Bitwarden strengthens your [business](https://bitwarden.com/en-gb/products/business/) or [enterprise's](https://bitwarden.com/en-gb/products/enterprise/) cyber security posture to meet compliance needs.

### ISO 27001

ISO 27001, an international standard, sets the foundation for creating, maintaining, and developing information security management systems (ISMS), including data management.

[Read the full resource](https://bitwarden.com/resources/how-password-management-helps-companies-achieve-iso-27001-certification/)

### SOC 2

Service Organisation Control 2 (SOC 2) reports are often requested by customers and business partners of outsourced solution providers. Companies seeking SOC 2 compliance can use a SOC 2-compliant password manager to help meet requirements.

[Read the full resource](https://bitwarden.com/resources/achieve-soc-2-password-compliance-with-bitwarden/)

### NERC

The North American Electric Reliability Corporation (NERC) is a non-profit international regulatory body dedicated to setting compliance standards that help reduce risks to the electricity grid and power systems serving hundreds of millions of people in the United States, Canada, and part of Mexico.

[Read the full resource](https://bitwarden.com/resources/enhancing-power-grid-security-meeting-nerc-cip-requirements-with-bitwarden/)

### NIS2

NIS2 is a set of requirements for securing network and information systems across the EU. The directive mandates businesses identified as operators of essential services to implement appropriate measures to enhance cyber security and comply with legal obligations.

[Read the full resource](https://bitwarden.com/resources/how-a-password-manager-enables-nis2-compliance/)

### NIST Cybersecurity Framework

The National Institute of Standards and Technology (NIST) provides guidance and best practices for organisations to follow, in order to help businesses, non-profits, and other private-sector institutions improve cyber security risk management.

[Read the full resource](https://bitwarden.com/resources/nist-cybersecurity-framework/)

### SOX

Sarbanes-Oxley Act (SOX) compliance involves adhering to a set of security requirements designed to ensure the integrity of financial reporting. 

[Read the full resource](https://bitwarden.com/resources/simplify-sox-compliance-with-bitwarden/)

### Password Management Maturity Model

This framework helps organisations understand their password manager maturity level — based on their current operations — and identify what steps are necessary to strengthen their security and improve their existing classification.

[Read the full resource](https://bitwarden.com/resources/password-management-maturity-model/)

## FAQs

### Can the Bitwarden team see my passwords?

No.

Your data is fully encrypted and/or hashed before ever leaving **your** local device, so no one from the Bitwarden team can ever see, read, or reverse-engineer it to access your real data. Bitwarden servers only store encrypted and hashed data. For more information about how your data is encrypted, see [Encryption](https://bitwarden.com/en-gb/help/what-encryption-is-used/).

[Learn more >](https://bitwarden.com/en-gb/help/security-faqs/#q-can-bitwarden-see-my-passwords/)

### How do you keep the cloud servers secure?

Bitwarden goes to great lengths to ensure that its websites, applications and cloud servers are secure. Bitwarden uses Microsoft Azure managed services to manage server infrastructure and security, rather than doing so directly.

[Learn more >](https://bitwarden.com/en-gb/help/security-faqs/#q-what-happens-if-bitwarden-gets-hacked/)

### Is Bitwarden audited?

Bitwarden regularly conducts comprehensive third-party security audits with notable security firms. These annual audits include source code assessments and penetration testing across Bitwarden IPs, servers and web applications.

[Learn more >](https://bitwarden.com/en-gb/help/is-bitwarden-audited/)

### What happens if Bitwarden gets hacked?

If, for some reason, Bitwarden were to be hacked and your data exposed, your information would still be protected thanks to [strong encryption and one-way salted hashing](https://bitwarden.com/en-gb/help/what-encryption-is-used/) measures applied to your vault data and master password.

[Learn more >](https://bitwarden.com/en-gb/help/security-faqs/#q-what-happens-if-bitwarden-gets-hacked/)

### Where is my data stored in the cloud?

Bitwarden processes and stores all vault data securely in the [Microsoft Azure Cloud](https://en.wikipedia.org/wiki/Microsoft_Azure) in the [US or EU](https://bitwarden.com/en-gb/help/server-geographies/) using services that are managed by the team at Microsoft. Since Bitwarden only uses service offerings provided by Azure, there is no server infrastructure to manage and maintain. All uptime, scalability, security updates, and guarantees are backed by Microsoft and their cloud infrastructure. Review the [Microsoft Azure Compliance Offerings](https://azure.microsoft.com/en-us/resources/microsoft-azure-compliance-offerings/) documentation for more detail.

[Learn more >](https://bitwarden.com/en-gb/help/data-storage/#on-bitwarden-servers/)

### Why should I trust Bitwarden with my passwords?

You can trust us for a few reasons:

1. Bitwarden is **open-source** software. All of our source code is hosted on [GitHub](https://github.com/bitwarden/) and is free for anyone to review. Thousands of software developers follow Bitwarden's source code projects (and you should too!).
2. Bitwarden is **audited by reputable third-party security firms** as well as independent security researchers.
3. Bitwarden **does not store your passwords**. Bitwarden stores encrypted versions of your passwords [that only you can unlock](https://bitwarden.com/en-gb/help/what-encryption-is-used/). Your sensitive information is encrypted locally on your personal device before ever being sent to our cloud servers.
4. **Bitwarden has a reputation.** Bitwarden is used by millions of individuals and businesses. If we did anything questionable or risky, we would be out of business!

Still don't trust us? You don't have to. Open source is beautiful. You can easily self-host the entire Bitwarden stack. You control your data. 

[Learn more >](https://bitwarden.com/en-gb/help/security-faqs/#q-why-should-i-trust-bitwarden-with-my-passwords/)

### Does Bitwarden use a salted hash for my password?

PBKDF2 SHA-256 is used to derive the encryption key from your master password; however, you may choose [Argon2](https://bitwarden.com/en-gb/help/what-encryption-is-used/#argon2id/) as an alternative. Bitwarden [salts and hashes](https://www.okta.com/blog/2019/03/what-are-salted-passwords-and-password-hashing/) your master password with your email address **locally**, before transmission to our servers. Once a Bitwarden server receives the hashed password, it is salted again with a cryptographically secure random value, hashed again, and stored in our database.

[Learn more >](https://bitwarden.com/en-gb/help/what-encryption-is-used/#pbkdf2/)
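The two-stage flow the answer describes, client-side PBKDF2-SHA256 salted with the email followed by a server-side re-salt and re-hash, as an added Python illustration that is not Bitwarden's own code. The iteration counts and the way a separate authentication value is derived from the key are assumptions for this example; the page does not state them.

```python
import hashlib
import hmac
import os

# Constructed parameters: the page names PBKDF2-SHA256 with the email as the
# client-side salt but gives no iteration counts, so these are assumptions,
# not Bitwarden's actual settings.
CLIENT_ITERATIONS = 600_000
SERVER_ITERATIONS = 100_000
KEY_LEN = 32


def derive_master_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password, salted with the email.
    This key unlocks the vault and never leaves the device."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.strip().lower().encode(),
        CLIENT_ITERATIONS, dklen=KEY_LEN)


def derive_auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Client side: derive a separate value to send for login, so the server
    receives a hash but never the encryption key itself. Using one extra
    PBKDF2 round keyed by the master key is an assumption of this example."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_key, master_password.encode(), 1, dklen=KEY_LEN)


def server_store(received_hash: bytes, salt: bytes = b"") -> tuple:
    """Server side: salt the received hash again with a random value, hash it
    again, and keep only (salt, stored_hash). A fixed salt may be passed in
    for reproducible tests."""
    salt = salt or os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", received_hash, salt,
                                 SERVER_ITERATIONS, dklen=KEY_LEN)
    return salt, stored


def server_verify(salt: bytes, stored: bytes, received_hash: bytes) -> bool:
    """Server side: recompute the stored hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", received_hash, salt,
                                    SERVER_ITERATIONS, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, stored)


def login_flow(master_password: str, email: str, salt: bytes, stored: bytes) -> bool:
    """What a client sends on login and whether the server accepts it."""
    key = derive_master_key(master_password, email)
    return server_verify(salt, stored, derive_auth_hash(key, master_password))
```

Note that the record the server keeps holds neither the master key nor the hash the client transmitted, which is what limits the damage if that database were exposed.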

### How is my data securely transmitted and stored on Bitwarden servers?

Bitwarden **always** encrypts and/or hashes your data on your local device before anything is sent to cloud servers for storage. **Bitwarden servers are only used for storing encrypted data.** For more information, see [Storage](https://bitwarden.com/en-gb/help/data-storage/).

[Find out more >](https://bitwarden.com/en-gb/help/what-encryption-is-used/)

### What encryption is being used?

Bitwarden uses [AES-CBC](https://bitwarden.com/en-gb/help/what-encryption-is-used/#aes-cbc/) 256-bit encryption for your vault data, and [PBKDF2](https://bitwarden.com/en-gb/help/what-encryption-is-used/#pbkdf2/) SHA-256 or [Argon2](https://bitwarden.com/en-gb/help/what-encryption-is-used/#argon2id/) to derive your encryption key.

[Learn more >](https://bitwarden.com/en-gb/help/what-encryption-is-used/)

### What information is encrypted?

All vault data is encrypted by Bitwarden before being stored anywhere. To learn how, see [Encryption](https://bitwarden.com/en-gb/help/bitwarden-security-white-paper/#how-vault-items-are-secured/).

[Learn more >](https://bitwarden.com/en-gb/help/vault-data/)


### Where is my data stored on my computer/device?

Data that is stored on your computer/device is encrypted and only decrypted when you unlock your vault. Decrypted data is stored **in memory** only and is **never written to persistent storage**. 

[Learn more >](https://bitwarden.com/en-gb/help/data-storage/#on-your-local-machine/)