Zum Inhalt springen
Unabhängig verifiziert · Quartalsweises Re-Audit
EU VETTED

Vaultwarden

VERIFIZIERT
Passwort-Manager · Spain

AGPLv3 Rust Bitwarden-compatible server by Daniel García (Spain), self-host-only, no company, no telemetry; EU-maintained, no CLOUD Act exposure when run on EU infrastructure.

Kurzfassung

Vaultwarden aus der Kategorie Passwort-Manager ist ein EU-eigener Dienst mit Spain als Hosting-Standort und ohne erkennbares CLOUD-Act-Risiko.

Bewertungsnotizen

Vaultwarden is an AGPLv3 open-source, Rust-written, Bitwarden-compatible server maintained by Daniel García (dani-garcia), a Spanish developer, with a community of contributors, formerly 'bitwarden_rs', renamed to avoid trademark confusion; it is self-host-only with no hosted/cloud product and no company entity, so it has no DPA, no sub-processors, no telemetry and no business model. Run on EU infrastructure (Hetzner, OVHcloud, Scaleway) it is EU-maintained, self-hosted, with no CLOUD Act exposure and zero vendor-counterparty risk: structurally the cleanest possible posture in the password-manager category.

CLOUD ACT
OWNERSHIP
SUB-PROCS
nicht offengelegt
Geprüfte Signale
Jurisdiktion
  • EU-/Angemessenheits-Hosting
  • EU-/Angemessenheits-Betreiber
  • Keine US-CLOUD-Act-Exposition
Transparenz
  • Öffentlicher AVV
  • Unterauftragsverarbeiter offengelegt
  • Open-Source-Clients
  • Zertifizierung durch Dritte
JUMP TO
OVERVIEW

Über Vaultwarden

Vaultwarden is an unofficial, open-source server implementation of the Bitwarden client API, written in Rust and maintained by Daniel García (GitHub: dani-garcia), a developer based in Spain, together with a community of contributors. It was formerly known as "bitwarden_rs" and was renamed to Vaultwarden to separate itself from the official Bitwarden server and avoid trademark and branding confusion. It is licensed under the AGPL-3.0 licence, relicensed from GPLv3 specifically to close the loophole that would have allowed commercial SaaS use without contributing back.

The reason Vaultwarden belongs in an EU-sovereignty directory is structural: it is self-host-only. There is no Vaultwarden cloud product, no Vaultwarden company, no commercial entity, no funding, no DPA, no sub-processors, and no telemetry, because there is nothing hosted to process. It is server software that a user or organisation runs themselves, fully compatible with the official Bitwarden desktop, mobile and browser clients, and deliberately lightweight so it can run on a small VPS or Raspberry Pi where the official resource-heavy Bitwarden server would be impractical. Run on EU infrastructure (Hetzner, OVHcloud, Scaleway, IONOS, STACKIT) it is EU-maintained, self-hosted, with no CLOUD Act exposure and zero vendor-counterparty risk: there is no vendor that could be acquired, change posture, or be served a US warrant.

The trade-offs are the usual self-hosting ones, plus a couple specific to Vaultwarden. There is no enterprise SSO / SCIM support (a deliberate scope decision; that is where official Bitwarden's paid tiers differentiate), the operator is responsible for backups, TLS, and updates, and one of the active maintainers is employed by Bitwarden and contributes on their own time independently (reviewed by other maintainers). Vaultwarden is completely free; funding is via donations. Best fit: technically capable EU individuals, homelab users, and SMBs with IT capacity who want a Bitwarden-compatible vault under their own full control on EU infrastructure, and any procurement-grade buyer for whom "no vendor at all" is the strongest possible sovereignty answer.

SUB-PROCESSORS

Unterauftragsverarbeiter-Karte · nicht offengelegt

Selbst gehostet: keine Anbieter-Verarbeitungskette. Diese Software hat keinen anbieterbetriebenen Dienst; bei Selbsthosting bleiben die Daten auf der vom Betreiber kontrollierten Infrastruktur und es gibt keine offenzulegende Anbieter-Verarbeitungskette.
CERTIFICATIONS

Rahmenwerke & Zertifizierungen · keine gelistet

Wir haben die Website des Anbieters und die Register der Zertifizierungsstellen geprüft. Keine aktiven Zertifizierungen gefunden zum Zeitpunkt der letzten Prüfung (2026-05-18).
FEATURES

Funktionsmatrix

Passkeys Ja
Autofill Ja
Leak-Überwachung Nein
Familienfreigabe Ja
Datenexport Ja
Geräte Unbegrenzt
Plattformen iOS macOS Windows Android Linux Web
INTEGRATION & ZUGRIFF
REST API Yes
SSO (SAML / OIDC) No
COMPLIANCE & GOVERNANCE
Audit log No
Self-host / on-prem option Yes
PUBLIC DOCUMENTS

Öffentliche Dokumente

DSGVO-AVV-Zugänglichkeit wird für diesen Eintrag nicht bewertet. Selbst gehostete oder lokale Software, Anbieter, die keine Auftragsverarbeiter sind, und Produkte mit SecNumCloud-, EUCS- oder BSI-C5-Zertifizierung werden nicht auf DSGVO-AVV-Zugänglichkeit bewertet (siehe So prüfen wir).
  • Auftragsverarbeitungsvertrag (AVV)
    — nicht bewertet
    n/v
  • Liste der Unterauftragsverarbeiter
    — nicht zutreffend
    n/v
ALTERNATIVES

Alternativen in dieser Kategorie

heylogin
Germany · Gegründet 2021
EU-SOUVERäN

German passwordless zero-knowledge password manager (heylogin GmbH, Braunschweig), all-German sub-processor stack, ISO 27001:2022, no CLOUD Act exposure.

Öffentl. AVV Subprozessoren Open Source
FROM
€4/Mt.
CLOUD ACT
NONE
KeePassXC
Germany · Gegründet 2016
EU-SOUVERäN

GPLv3 fully-offline desktop password manager (KeePassXC Team, Weimar DE, est. 2016): no cloud, no servers, no telemetry; structurally zero CLOUD Act exposure.

Öffentl. AVV Subprozessoren Open Source
FROM
CLOUD ACT
NONE
LC-Pass
Germany
EU-SOUVERäN

German-hosted business password manager from LC by vBoxx GmbH; collections, group sharing, central management, unlimited devices; an EU-hosted 1Password / LastPass alternative.

Öffentl. AVV Subprozessoren Open Source
FROM
€3.99/Mt.
CLOUD ACT
NONE