Bitwarden for Enterprise Features Datasheet
This document describes and references the features available to Bitwarden Enterprise Organizations in several categories:
Application Range and Ease-of-use
Enterprise Features | Description |
|---|---|
Deployment options | Use the included Bitwarden cloud service or install to a private cloud or on-prem self-hosted solution. Bitwarden may also be installed completely offline in an air-gapped environment. |
Web application | Fully encrypted cloud web app at https://vault.bitwarden.com, or on your self-hosted server. |
Mobile apps | Available for iOS and Android. Learn more. |
Browser extensions | Available for Chrome, Firefox, Opera, Edge, Vivaldi, Brave, Tor, and Safari. Learn more. |
Desktop applications | Available for Windows, Mac, and Linux. Learn more. |
Command-line interface (CLI) | Available for Windows, Mac, and Linux. Learn More. |
Administrative Features and Capabilities
Enterprise Features | Description |
|---|---|
Simple user management | Add or remove seats and onboard or offboard users directly from the web app. Learn more. |
Role-based access control | Assign role-based access for Organization users, including a custom role and granular permissions (e.g. Hide Passwords, Read-Only). Learn more. |
Directory sync | Synchronize your Bitwarden organization with your existing user directory. Provision and deprovision users, groups, and group associations. Learn more. |
SCIM support | Use the SCIM protocol to manage and provision Bitwarden users, groups, and group associations from your Identity Provider or directory service for easy onboarding and employee succession. Learn more. |
Account recovery | Designated administrators can reset and assign a master password of end-user accounts if an employee loses access. Learn more. |
Collections with curated access and role-based access control (RBAC) | Create an unlimited number of password collections containing an unlimited number of passwords. Collections can be assigned to groups or individual users. Learn more. |
Enterprise policies | Enforce security rules for all users, for example mandating use of Two-step Login. Learn more. |
Claimed domains and accounts | Admins can claim ownership of email domains, giving the organization control over Bitwarden accounts registered with company email addresses, even before those users are formally onboarded. Learn more. |
Temporary password sharing and generation | Create and share ephemeral data using Bitwarden Send. Learn more. |
Managed client deployment support | Deploy browser extensions, desktop apps, and mobile apps at scale using MDM tools like Microsoft Intune, GPO, and Linux/macOS policy files. Learn more. |
Complimentary Families plan for users | All enterprise users receive a complimentary family plan for personal use to practice good security habits outside of the workplace. Learn more. |
Reporting
Enterprise Features | Description |
|---|---|
Access Intelligence | Gain actionable visibility into risky or unusual access patterns within your organization's vault, helping security teams proactively identify and address credential health issues. Learn more. |
Vault health reports | Run reports for Exposed Passwords, Reused Passwords, Weak Passwords, and more. Learn more. |
Data breach reports | Run reports for data compromised in known breaches (e.g. email addresses, passwords). Learn more. |
Auditable event logs and SIEM integration | Timestamped records of events that occur within your organization vault for easy use in the web app or ingestion by SIEM tools. Built-in integrations include Splunk, Microsoft Sentinel, Elastic, Rapid7, Panther, and Sumo Logic. Others can be supported via API calls. Learn more. |
Authentication
Enterprise Features | Description |
|---|---|
2FA for individuals | A robust set of 2FA options for any Bitwarden user. Learn more. |
2FA at organization-level | Enable 2FA via Duo for your entire organization. Learn more. |
Biometric authentication | Available for browser extension, desktop and mobile applications. Learn more. |
Log in with device | Users can approve login from a trusted device instead of entering a master password, reducing friction while maintaining security. Learn more. |
Log in with passkey | Users can log in utilizing a FIDO-compliant passkey supporting the WebAuthn PRF extension in both the web app and browser extensions (for compatible browsers). Logging in with a passkey bypasses the need for two-step login, master password, and login email address, making this method ideal for a break-glass administrator account. Learn more. |
New device login verification | Protects against unauthorized access by requiring verification when a login attempt is made from an unrecognized device and the account neither has two-step login set up nor is subject to SSO policies. Learn more. |
SSO with trusted devices | SSO with trusted devices allows users to authenticate using SSO and decrypt their vault using a device-stored encryption key, eliminating the need to enter a master password. Learn more. |
Login with SSO | Leverage your existing Identity Provider (IdP) to authenticate your Bitwarden organization users via SAML 2.0 or OpenID Connect (OIDC). Learn more. |
SSO with customer managed encryption (self-host only) | Employees use their SSO credentials to authenticate and decrypt all in a single step. This option shifts retention of users' master passwords to companies, requiring the business to deploy a key connector to store the user keys. Learn more. |
Security
Enterprise Features | Description |
|---|---|
Secure storage for logins, passkeys, notes, cards, identities, and SSH keys. | Bitwarden vault items are encrypted before being stored anywhere. Learn more. |
Zero knowledge encryption | All vault data is end-to-end encrypted. Learn more. |
Secure username and password generator | Generate secure, random, and unique credentials for every vault item. Learn more. |
Encrypted export | Download encrypted exports for secure storage of Vault data backups. Learn more. |
Biometric authentication | Available for browser extension, desktop and mobile applications. Learn more. |
Emergency access | Users can designate and manage trusted emergency contacts, who may request access to their vault in case of emergency. Learn more. |
Account fingerprint phrase | Security measure that uniquely and securely identifies a Bitwarden user account when encryption-related or onboarding operations are performed. Learn more. |
Enterprise policies for vault timeout and locking | Enforce organization-wide timeout and lock settings to reduce exposure risk on inactive sessions. Learn more. |
Subprocessors | See the full list of subprocessors: Bitwarden Subprocessors. |
Compliance, Audits, Certifications
Enterprise Features | Description |
|---|---|
SOC 2 Type II and SOC 3 | |
ISO 27001 | Bitwarden is ISO 27001 certified and in compliance with ISO 27001 control sets surrounding data security. |
Security and compliance assessments | Bitwarden invests in annual third party audits, security assessments, and other compliance standards. All reports are available on the Bitwarden compliance page. |
GDPR, CCPA, & HIPAA | Read about Bitwarden compliance with various privacy frameworks. |
White-box testing | Performed by unit tests and QA engineers. |
Black-box testing | Performed via automation and manual testing. |
Bug Bounty Program | Conducted through HackerOne. Learn more. |
APIs and Extensibility
Enterprise Features | Description |
|---|---|
Programmatically accessible | Public and Private APIs for Organizations. Learn more. |
Command line interface | Fully featured and self-documented command-line tool. Learn more. |
Extensibility support | Automate workflows by combining API and CLI. |
SSH Agent | The Bitwarden desktop app can serve as an SSH agent, securely storing and serving SSH keys to terminals and development tools without exposing private keys on disk. Learn more. |
Secrets Manager | A dedicated secrets management product (separate subscription required) for DevOps and engineering teams to securely store, share, and inject secrets (API keys, tokens, credentials) into CI/CD pipelines and infrastructure tools. Integrates with GitHub Actions, GitLab CI/CD, Ansible, Terraform, and Kubernetes. Learn more. |
Resiliency
Enterprise Features | Description |
|---|---|
Server geographies | Select to have your cloud data hosted on either US- or EU-based Microsoft Azure servers. Learn more. |
Local cache & offline access | Logged in clients can access Bitwarden vaults with a read-only cache that remains on the device for 30 days. Learn more. |
Data backup tools | In addition to vault exports that may be scripted, self-host deployments have access to toolsets to assist with data backup and restoration. Cloud deployments are supported by Azure point-in-time restoration policies for disaster recovery. |
Dedicated customer support | Enterprise customers receive priority support and access to dedicated customer success resources, including onboarding playbooks, the Customer Success Hub, and direct support channels. Learn more. |