Bitwarden

Bitwarden is a free and open-source password management service.

5.9/10

How we calculate ratings →

Handling

Does the policy allow personally-targeted or behavioral marketing? Yes, but you may opt-out

4/10

Does the service allow you to permanently delete your personal data? Yes, by contacting someone

3/5

When does the policy allow law enforcement access to personal data? When reasonably requested

3/5

Score

Always

This includes cases in which law enforcement either runs the service or has a known backdoor into (or relationship with) the service.

Not specified

When reasonably requested

60%

Only when required by a court order or subpoena

80%

N/A (no personal data to share)

The service would have no personal data to share with law enforcement.

100%

Never (special legal jurisdiction)

The service operates in a jurisdiction in which sharing data with law enforcement is never required.

100%

Citation

We believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process, or lawful government request, including in connection with national security or law enforcement requirements. This may include disclosures: to respond to subpoenas or court orders; to establish or exercise our legal rights or defend against legal claims; or to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Service Agreement, or as otherwise required by law. In each case, we will make reasonable efforts to verify the validity of the request before disclosing your Personal Information.

Does the service allow third-party access to private personal data? Yes, all parties specified (including non-critical service providers such as advertisers)

3/10

This may come in the form of outright data sharing or by using local third-party analytics software (such as Google Analytics, which collects a plethora of user information).

Note that whether the policy allows sharing aggregated user data does not affect this question.

If the personal data is encrypted when it passes through the third-party, it does not count as third-party access (as the data is inaccessible to that party).

If personal data has been made public by, for example, posting it to a blog, it does not count as private personal information (and is therefore not considered by this question).

Score

Yes

The policy allows sharing personal data with third parties (not just critical service providers), and does not explicitly list the third parties.

Yes, all parties specified (including non-critical service providers such as advertisers)

30%

Yes, not all parties specified (but only to critical service providers)

70%

Yes, all parties specified (only to critical service providers)

80%

100%

Notes

A list of subprocessors can be found at bitwarden.com/help/subprocessors. The privacy policy mentions only Google Analytics is mentioned as an example for their collection of Analytics Data.

Transparency

Does the policy require users to be notified in case of a data breach? Not necessarily

0/7

Is the policy's history made available? Only the date it was last modified

3/5

Will affected users be notified when the policy is meaningfully changed? Yes

5/5

Does the policy outline the service's general security practices? Yes, including independent audits

3/3

Score

Somewhat

The policy provides only a very vague overview of its security practices.

30%

Yes

60%

Yes, including audits

"Reviews," "monitoring," etc. also count as audits.

80%

Yes, including independent audits

Independent "reviews," "monitoring," etc. also count as independent audits.

100%

N/A

The service doesn't collect any personal information.

100%

Citation

The security of your Personal Information is important to us. Your data, including Personal Information, is never sent to the Bitwarden cloud servers without first being encrypted on your local device using AES 256 bit encryption. In addition, Bitwarden encrypts the transmission of that information using secure socket layer technology (SSL).

We follow generally accepted standards to protect the Personal Information submitted to us, both during transmission and once it is received. You acknowledge and agree that no Internet or email transmission is ever fully secure or error free. You agree to take special care in deciding what information you send to us via email. If you have any questions about the security of your Personal Information, you can Contact Us.

Notes

Bitwarden is SOC2 and SOC3 certified and HIPAA compliant. More information about their audit history and compliance can be found at bitwarden.com/compliance

Collection

Is it clear why the service collects the personal data that it does? Mostly

7/10

Score

Somewhat

30%

Mostly

70%

Yes

100%

N/A

The service doesn't collect any personal information.

100%

Citation

Bitwarden may use the Personal Information collected by the Site to provide you with services, to accomplish our business purposes and to fulfill other legal obligations, including:

To provide you services that you request, such as when we:
- Respond to your requests for information about our products, services, training and events;
- To enable your access and use of the Site, and to enable you to communicate, collaborate, and share information with those you designate;
- To send you technical notices, updates, security alerts, and support and administrative messages;
For our business purposes we have a legitimate interest, when we:
- Operate the Site;
- Administer your account if you have registered on the Site, including billing and payment;
- Send marketing, advertising, training, certification or event materials to which you've agreed, requested or subscribed or to otherwise inform you about our products and services;
Apply information security policies and controls on the Site, including overall Site integrity, identity management and account authentication;
For research and development to improve the Bitwarden Service, Site and other Bitwarden services;
Perform other general business management and operations purposes, such as to provide, operate, maintain, make modifications to protect and improve the Site.
To fulfill legal obligations, including:
Legal compliance, such as to enforce our legal rights, to comply in good faith with applicable laws, and to protect users of the Site or Service.
For other purposes about which we notify you and, where relevant or required, give you choice about the new purpose.

Does the policy list the personal data it collects? Yes, generally

7/10

Score

The policy does not claim to not collect personal data, but it also doesn't provide any meaningful insight into the types of personal data it collects.

Only summarily

The policy uses overly vague language to provide a summary of the types of collected personal data.

30%

Yes, generally

All general categories of collected personal data are listed, though not all types of personal data are explicitly mentioned (for example, the list might use a phrase like 'such as' when listing types of personal data).

70%

Yes, exhaustively

All types of collected personal data are listed specifically

100%

N/A (no personal data is collected)

100%

Citation

Bitwarden processes two kinds of user data to deliver the Bitwarden Service: (i) Vault Data and (ii) Administrative Data.

Vault Data includes all information stored within accounts to the Bitwarden Service, including but not limited to login credentials, attachments including photos, videos, images and other files, and may include Personal Information. If we host the Bitwarden Service for you, we will host Vault Data. Vault Data is encrypted using secure cryptographic keys under your control. Bitwarden cannot access Vault Data.You may add, modify, and delete Vault Data at any time.

Bitwarden obtains Personal Information in connection with your account creation, usage of the Bitwarden Service and support, and payments for the Bitwarden Service such as names, emails address, phone and other contact information for users of the Bitwarden Service and the number of items in your Bitwarden Service account ("Administrative Data"). Bitwarden uses Administrative Data to provide the Bitwarden Service to you. We retain Administrative Data for as long as you are a customer of Bitwarden and as required by law. If you terminate your relationship with Bitwarden, we will delete your Personal Information in accordance with our data retention policies.

When you use the Site or communicate with us (e.g. via email) you will provide, and Bitwarden will collect certain Personal Information such as

Name
Business name and address
Business telephone number
Email address
IP-address and other online identifiers
Any customer testimonial you have given us consent to share.
Information you provide to the Site's Interactive Areas, such as fillable forms or text boxes, training, webinars or event registration.
Information about the device you are using, comprising the hardware model, operating system and version, unique device identifiers, network information, IP address, and/or Bitwarden Service information when interacting with the Site.
If you interact with the Bitwarden Community or training, or registered for an exam or event, we may collect biographical information and the content that you share.
Information gathered via cookies, pixel tags, logs, or other similar technologies.

Does the service allow the user to control whether personal data is collected or used for non-critical purposes? On an opt-out basis, for all non-critical data/uses

6/10

Does the service collect personal data from third parties? No

10/10

Last Updated

September 9, 2024

Sources

Source #1 ↗

Contributors

Deivedux