Bitwarden for Enterprise Features Datasheet
This document describes and references the features available to Bitwarden Enterprise Organisations in several categories:
Application Range and Ease of Use
Enterprise Features | Description |
|---|---|
Deployment options | Use the included Bitwarden cloud service or install to a private cloud or on-premises self-hosted solution. Bitwarden may also be installed completely offline in an air-gapped environment. |
Web application | Fully encrypted cloud web app at https://vault.bitwarden.com, or on your self-hosted server. |
Mobile apps | Available for iOS and Android. Learn more. |
Browser extensions | Available for Chrome, Firefox, Opera, Edge, Vivaldi, Brave, Tor and Safari. Learn more. |
Desktop applications | Available for Windows, Mac and Linux. Learn more. |
Command-line interface (CLI) | Available for Windows, Mac and Linux. Learn more. |
Administrative Features and Capabilities
Enterprise Features | Description |
|---|---|
Simple user management | Add or remove seats and onboard or offboard users directly from the web app. Learn more. |
Role-based access control | Assign role-based access for organisation users, including a custom role and granular permissions (e.g. Hide Passwords, Read-only). Learn more. |
Directory sync | Synchronise your Bitwarden organisation with your existing user directory. Provision and deprovision users, groups and group associations. Learn more. |
SCIM support | Use the SCIM protocol to manage and provision Bitwarden users, groups and group associations from your Identity Provider or directory service for easy onboarding and employee succession. Learn more. |
Account recovery | Designated administrators can reset and assign a master password for end-user accounts if an employee loses access. Learn more. |
Collections with curated access and role-based access control (RBAC) | Create an unlimited number of password collections containing an unlimited number of passwords. Collections can be assigned to groups or individual users. Learn more. |
Enterprise policies | Enforce security rules for all users, for example requiring the use of Two-step Login. Learn more. |
Claimed domains and accounts | Admins can claim ownership of email domains, giving the organisation control over Bitwarden accounts registered with company email addresses, even before those users are formally onboarded. Learn more. |
Temporary password sharing and generation | Create and share temporary data using Bitwarden Send. Learn more. |
Managed client deployment support | Deploy browser extensions, desktop apps and mobile apps at scale using MDM tools like Microsoft Intune, GPO and Linux/macOS policy files. Learn more. |
Complimentary Families plan for users | All enterprise users receive a complimentary Families plan for personal use to practise good security habits outside the workplace. Learn more. |
Reporting
Enterprise Features | Description |
|---|---|
Access Intelligence | Gain actionable visibility into risky or unusual access patterns within your organisation's vault, helping security teams proactively identify and address credential health issues. Learn more. |
Vault health reports | Run reports for Exposed Passwords, Reused Passwords, Weak Passwords and more. Learn more. |
Data breach reports | Run reports for data compromised in known breaches (e.g. email addresses, passwords). Learn more. |
Auditable event logs and SIEM integration | Time-stamped records of events that occur within your organisation vault for easy use in the web app or ingestion by SIEM tools. Built-in integrations include Splunk, Microsoft Sentinel, Elastic, Rapid7, Panther and Sumo Logic. Others can be supported via API calls. Learn more. |
Authentication
Enterprise Features | Description |
|---|---|
2FA for individuals | A robust set of 2FA options for any Bitwarden user. Learn more. |
2FA at organisation level | Enable 2FA via Duo for your entire organisation. Learn more. |
Biometric authentication | Available for browser extensions, desktop apps and mobile apps. Learn more. |
Log in with device | Users can approve login from a trusted device instead of entering a master password, reducing friction while maintaining security. Learn more. |
Log in with passkey | Users can log in using a FIDO-compliant passkey supporting the WebAuthn PRF extension in both the web app and browser extensions (for compatible browsers). Logging in with a passkey bypasses the need for two-step login, master password and login email address, making this method ideal for a break-glass administrator account. Learn more. |
New device login verification | Protects against unauthorised access by requiring verification when a login attempt is made from an unrecognised device and an account does not have two-step login set up and is not subject to SSO policies. Learn more. |
SSO with trusted devices | SSO with trusted devices allows users to authenticate using SSO and decrypt their vault using a device-stored encryption key, eliminating the need to enter a master password. Learn more. |
Login with SSO | Use your existing Identity Provider (IdP) to authenticate your Bitwarden organisation users via SAML 2.0 or OpenID Connect (OIDC). Learn more. Using Login with SSO, you can use one of two decryption options to determine how users decrypt Vault data once authenticated. Learn more. |
SSO with customer-managed encryption (self-host only) | Employees use their SSO credentials to authenticate and decrypt all in a single step. This option shifts retention of users' master passwords to companies, requiring the business to deploy a key connector to store the user keys. Learn more. |
Security
Enterprise Features | Description |
|---|---|
Secure storage for logins, passkeys, notes, cards, identities and SSH keys | Bitwarden vault items are encrypted before being stored anywhere. Learn more. |
Zero-knowledge encryption | All vault data is end-to-end encrypted. Learn more. |
Secure username and password generator | Generate secure, random and unique credentials for every vault item. Learn more. |
Encrypted export | Download encrypted exports for secure storage of Vault data backups. Learn more. |
Biometric authentication | Available for browser extension, desktop and mobile applications. Learn more. |
Emergency access | Users can designate and manage trusted emergency contacts, who may request access to their vault in an emergency. Learn more. |
Account fingerprint phrase | Security measure that uniquely and securely identifies a Bitwarden user account when encryption-related or onboarding operations are performed. Learn more. |
Enterprise policies for vault timeout and locking | Enforce organisation-wide timeout and lock settings to reduce exposure risk on inactive sessions. Learn more. |
Subprocessors | See the full list of subprocessors: Bitwarden Subprocessors. |
Compliance, Audits, Certifications
Enterprise Features | Description |
|---|---|
SOC 2 Type II and SOC 3 | |
ISO 27001 | Bitwarden is ISO 27001 certified and compliant with ISO 27001 control sets relating to data security. |
Security and compliance assessments | Bitwarden invests in annual third-party audits, security assessments and other compliance standards. All reports are available on the Bitwarden compliance page. |
GDPR, CCPA and HIPAA | Read about Bitwarden compliance with various privacy frameworks. |
White-box testing | Performed by unit tests and QA engineers. |
Black-box testing | Performed via automation and manual testing. |
Bug Bounty Programme | Conducted through HackerOne. Learn more. |
APIs and Extensibility
Enterprise Features | Description |
|---|---|
Programmatically accessible | Public and Private APIs for Organisations. Learn more. |
Command-line interface | Fully featured, self-documenting command-line tool. Learn more. |
Extensibility support | Automate workflows by combining API and CLI. |
SSH Agent | The Bitwarden desktop app can serve as an SSH agent, securely storing and serving SSH keys to terminals and development tools without exposing private keys on disk. Learn more. |
Secrets Manager | A dedicated secrets management product (separate subscription required) for DevOps and engineering teams to securely store, share and inject secrets (API keys, tokens, credentials) into CI/CD pipelines and infrastructure tools. Integrates with GitHub Actions, GitLab CI/CD, Ansible, Terraform and Kubernetes. Learn more. |
Resilience
Enterprise Features | Description |
|---|---|
Server geographies | Select to have your cloud data hosted on either US- or EU-based Microsoft Azure servers. Learn more. |
Local cache and offline access | Logged-in clients can access Bitwarden vaults with a read-only cache that remains on the device for 30 days. Learn more. |
Data backup tools | In addition to vault exports that may be scripted, self-hosted deployments have access to toolsets to assist with data backup and restoration. Cloud deployments are supported by Azure point-in-time restoration policies for disaster recovery. |
Dedicated customer support | Enterprise customers receive priority support and access to dedicated customer success resources, including onboarding playbooks, the Customer Success Hub, and direct support channels. Learn more. |