๐Ÿ“ Knowledge Base โ€” company main site: acp-24.com โ†’

GDPR-Compliant CRM: Why Self-Hosted Bitrix24 Wins for EU Companies


For EU companies facing strict GDPR obligations, self-hosted Bitrix24 offers something no cloud CRM can match: complete control over where personal data lives, who touches it, and under what jurisdiction it is processed.

The Core GDPR Problem with Cloud CRMs

Most cloud CRM platforms route data through infrastructure that spans multiple jurisdictions (US, EU, and beyond). For a data protection officer, this creates immediate exposure:

  • Chapter V transfers: Personal data leaving the EEA requires adequacy decisions, Standard Contractual Clauses, or Binding Corporate Rules. Every sub-processor your CRM vendor uses adds risk.
  • Art. 28 processor obligations: You must audit your CRM vendor and every sub-processor they engage. Cloud vendors' sub-processor lists change, and you often have no veto.
  • Art. 32 technical measures: You need evidence that appropriate technical controls exist, but in a multi-tenant cloud you rely entirely on the vendor's assertions.
  • Data subject rights (Arts. 15–20): Access, erasure, and portability requests require you to know exactly where data is stored. "Somewhere in our cloud" is not an acceptable answer.

Self-hosted Bitrix24 eliminates most of these variables because the data never leaves infrastructure you own and operate.

What "Self-Hosted" Actually Means in Bitrix24 Terms

Bitrix24 On-Premise (the "box" edition) is a fully licensed, standalone installation deployed on a server you control: your own hardware, a private cloud instance in an EU-based data centre, or a dedicated server at a certified host. The vendor provides software; you own the environment.

From a deployment perspective, a typical installation involves:

  • Provisioning a server meeting minimum specifications (based on our implementation experience: for up to 50 users, a 4-core CPU, 12 GB RAM, and a 128 GB SSD for database files is a common baseline)
  • Installing the Bitrix24 Corporate Portal product on Linux
  • Configuring SSL, DNS, firewall rules, and outbound mail
  • Registering the licence key and removing test data
  • Setting up automated backups on the same server or to a separate secure location
  • Configuring Push & Pull services for real-time chat and notifications

Once live, all CRM entities (contacts, companies, leads, deals, documents, chat history) reside exclusively on that server. No data is replicated to vendor infrastructure.

See Self-Hosted CRM: Why Choose Bitrix24 On-Premise for Data Sovereignty for a full feature-by-feature breakdown of the on-premise edition.

Data Flow Architecture: On-Premise vs. Cloud

Understanding where each system element resides is critical for your Records of Processing Activities (RoPA) under Art. 30 GDPR. The diagram below illustrates the key difference in data routing.

The following diagram shows how personal data flows in a self-hosted Bitrix24 deployment versus a cloud deployment. In the on-premise model, all CRM data stays within company-controlled infrastructure; external integrations touch the self-hosted instance directly. In the cloud model, data transits through the vendor's servers, potentially across jurisdictions.

flowchart LR
    subgraph ON_PREM["Self-Hosted (EU Server)"]
        B24_OP[Bitrix24 On-Premise]
        DB[(Company Database)]
        B24_OP <--> DB
    end
    subgraph INTEGRATIONS["Integrations"]
        WEB[Website / Web Forms]
        PHONE[Telephony / VoIP]
        ERP[ERP / Accounting]
        ESIGN[E-Signature Module]
    end
    WEB --> B24_OP
    PHONE --> B24_OP
    B24_OP <--> ERP
    B24_OP --> ESIGN
    subgraph CLOUD_MODEL["Cloud CRM (for contrast)"]
        B24_CL[Vendor Cloud Servers]
        SP[Sub-processors / CDN / US nodes]
        B24_CL --- SP
    end
    WEB -.->|data leaves EU?| B24_CL

When you use third-party web forms or external approval workflows, each integration point becomes a data transfer that must be documented. With on-premise, you choose which integrations to enable and can enforce that all data paths remain within your defined perimeter.

GDPR Compliance Advantages: A Structured Comparison

Requirement | Cloud CRM | Self-Hosted Bitrix24
Data residency | Vendor-controlled; may change | Fixed to your server location
Sub-processor risk | Inherits vendor's sub-processor chain | None: you control all processors
Art. 28 DPA | Required with vendor + all sub-processors | Only with your hosting provider
Audit rights | Limited to vendor's audit reports | Full access: it's your server
Encryption at rest | Vendor manages keys | You manage keys
Right to erasure | Depends on vendor's deletion process | Direct database control
Incident notification | Relies on vendor to detect and report | Your SOC / IT team detects and reports
Data portability | API or export tools | Direct DB access + API

Access Control and Role-Based Data Segmentation

GDPR's data minimisation principle (Art. 5(1)(c)) requires that staff access only the personal data necessary for their role. Bitrix24 On-Premise supports granular role-based access control out of the box:

  • Manager-level access: Each sales manager sees and edits only their own deals and contacts
  • Team leader access: Supervisors can view and modify all deals within their team scope
  • Administrator access: Full CRM visibility with audit trail
  • Field-level restrictions: Specific sensitive fields (e.g., financial details, personal identifiers) can be hidden from roles that don't require them

In practice, this means a junior sales rep processing leads never sees the full client database, which is a direct technical implementation of data minimisation. These role structures are configured during the initial deployment and documented for your RoPA.

For organisations migrating from platforms with less granular access control, this is one of the most tangible compliance improvements. If you're coming from Salesforce, HubSpot, or Pipedrive, the migration from Salesforce to Bitrix24 or migration from HubSpot to Bitrix24 process includes mapping your existing role structures into Bitrix24's permission model.

E-Signature and Document Processing Under GDPR

Many organisations process consent forms, data processing agreements, and client contracts inside their CRM. Under GDPR, the signing process itself generates personal data (name, timestamp, IP address, intent record) that must be stored lawfully and securely.

With self-hosted Bitrix24, document workflows and e-signature processes run entirely within your controlled environment. You can configure:

  • Automated document dispatch linked to CRM pipeline stages
  • Client-facing signing flows where signed documents and metadata return directly to the contact card in your on-premise instance
  • Retention and deletion rules applied at the database level, with no dependency on a third-party e-signature vendor's data practices

This is especially relevant for organisations subject to strict local e-signature and electronic document regulations, where the solution must comply with national legal frameworks in addition to GDPR.

Migration from Cloud Bitrix24 to On-Premise: What the Process Looks Like

Many EU companies already use Bitrix24 Cloud and want to move to on-premise for compliance reasons. Based on our implementation experience, a cloud-to-on-premise migration typically covers:

  1. Server provisioning: technical requirements shared with the client; if no internal infrastructure is available, a recommended hosting provider is suggested (~7 hours for full deployment)
  2. Data migration: all CRM entities, settings, and integrations transferred from the cloud instance to the on-premise server
  3. Integration reconfiguration: telephony, web forms, and third-party tools reconnected to point at the new on-premise URL
  4. User acceptance testing: the client verifies that all functionality works identically to the cloud version
  5. Cutover and go-live: DNS switched, cloud subscription terminated
  6. Warranty support period: typically one month of post-migration support covering any issues related to the migrated data, settings, and integrations

The total timeline depends on the complexity of existing integrations. A straightforward migration for a team of 20–50 users with standard CRM configuration typically completes within four to six weeks.

For a detailed breakdown of implementation timelines and costs across different project sizes, see Bitrix24 Implementation Cost & Timeline: Real Data from 1,300+ Projects.

Risks That Remain: What Self-Hosted Doesn't Solve Automatically

Self-hosted deployment is a necessary condition for GDPR compliance, but not sufficient on its own. DPOs should be aware of residual risks:

  • Third-party web forms: If you embed Google Forms or similar tools to collect customer data, that data passes through the form provider's servers before reaching Bitrix24. Use native Bitrix24 web forms or host your own form solution.
  • Email in transit: Emails sent from Bitrix24 to external recipients may transit through multiple mail servers. End-to-end encryption of email content is a separate technical measure.
  • Staff devices: Data accessed on employee laptops or mobile devices is outside the server perimeter. Mobile device management (MDM) policies are required.
  • Backup storage: If backups are sent to a cloud storage service, that destination must also be GDPR-compliant and covered by appropriate agreements.
  • Connected integrations: Every third-party integration (telephony providers, payment processors, marketing tools) must be assessed separately as a data processor under Art. 28.

A well-structured RoPA documents each of these data flows and the controls applied to each one. The on-premise deployment gives you the foundation; your policies and technical measures complete the picture.
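One way to turn the flow inventory described above into a repeatable check, as an added example that is not part of the original article or of Bitrix24: each RoPA entry is tested for a missing Art. 28 DPA and for storage outside the EEA without one of the Chapter V mechanisms named earlier. The DataFlow fields, the provider names and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# EEA = EU-27 plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE "
    "IS LI NO".split()
)
# Chapter V transfer mechanisms named earlier on the page.
TRANSFER_MECHANISMS = frozenset({"adequacy", "scc", "bcr"})


@dataclass(frozen=True)
class DataFlow:  # hypothetical record layout for one RoPA entry
    name: str
    processor: Optional[str]      # None: runs only on infrastructure you operate
    country: str                  # where the data is stored or processed
    dpa_signed: bool = False
    transfer_mechanism: Optional[str] = None


def audit_flow(flow: DataFlow) -> list:
    """Return the open findings for one RoPA entry (empty list = nothing to fix)."""
    findings = []
    if flow.processor is not None and not flow.dpa_signed:
        findings.append(f"Art. 28: no DPA on file with {flow.processor}")
    if flow.country.upper() not in EEA:
        mech = (flow.transfer_mechanism or "").lower()
        if mech not in TRANSFER_MECHANISMS:
            findings.append(f"Chapter V: data reaches {flow.country} without a transfer mechanism")
    return findings


def audit_ropa(flows) -> dict:
    """Map flow name -> findings, listing only flows that need action."""
    report = {f.name: audit_flow(f) for f in flows}
    return {name: items for name, items in report.items() if items}


# Constructed sample inventory; provider names are placeholders.
SAMPLE_FLOWS = [
    DataFlow("Bitrix24 server", "EU hosting provider", "DE", dpa_signed=True),
    DataFlow("Embedded third-party web form", "Form provider", "US"),
    DataFlow("Off-site backups", "Cloud storage provider", "IE"),
    DataFlow("Telephony", "VoIP provider", "NL", dpa_signed=True),
    DataFlow("Marketing tool", "Marketing SaaS", "US", dpa_signed=True, transfer_mechanism="SCC"),
]

if __name__ == "__main__":
    for name, items in audit_ropa(SAMPLE_FLOWS).items():
        print(name, "->", "; ".join(items))
```

Running the check in CI against the exported inventory flags a new integration before it goes live rather than at the next audit.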

Licensing and Infrastructure Cost Considerations

Bitrix24 On-Premise is a perpetual licence with an annual renewal fee for updates and support. The licence covers a defined number of users (editions are available from 50 users upward). Infrastructure costs (server hardware or dedicated hosting) are separate and depend on your region and chosen provider.

For EU companies, hosting on a certified data centre within the EEA (Germany, Ireland, Netherlands, and others are common choices) is straightforward and cost-competitive. The total cost of ownership over three to five years is typically comparable to or lower than an equivalent cloud subscription at scale, once you factor in the compliance overhead saved on vendor audits and sub-processor management.

If you are evaluating on-premise against cloud options, including cost modelling, Bitrix24 vs HubSpot provides a useful reference for understanding where the two platforms sit on the cost and feature spectrum.

Frequently Asked Questions

Does self-hosted Bitrix24 automatically make us GDPR compliant?

No. Self-hosted deployment removes the vendor data-sharing risk and gives you full control over data location, but compliance also requires proper access controls, a documented RoPA, data processing agreements with your hosting provider, and policies covering staff devices, email, and third-party integrations.

Where does the data physically reside in an on-premise Bitrix24 deployment?

All CRM data (contacts, deals, documents, chat history) is stored exclusively on the server you provision. You choose the location: your own data centre, a private cloud instance, or a dedicated server at a hosting provider. No data is replicated to Bitrix24 (1C-Bitrix) infrastructure.

Can we migrate from Bitrix24 Cloud to on-premise without losing data?

Yes. A structured cloud-to-on-premise migration transfers all CRM entities, settings, and integrations. Based on typical project experience, a team of 20–50 users with standard configuration completes the migration in four to six weeks, followed by a warranty support period.

What server specifications are needed to run Bitrix24 On-Premise?

For up to 50 users, a common baseline is a 4-core CPU (e.g., Intel Xeon class), 12 GB RAM, and a 128 GB SSD for the database. Requirements scale with user count and data volume; the implementation partner provides exact specifications before deployment.

Do we still need a Data Processing Agreement with the hosting provider?

Yes. Even with on-premise Bitrix24, your hosting provider has physical or administrative access to the server and must be treated as a data processor under Art. 28 GDPR. Choose a provider that offers a compliant DPA and hosts infrastructure within the EEA.

How does Bitrix24 On-Premise handle the right to erasure (Art. 17 GDPR)?

Because you have direct access to the database, you can execute deletion requests at the record level without depending on a vendor's deletion pipeline. Bitrix24 also provides UI-level tools to delete or anonymise contact and deal records, and these actions can be logged for audit purposes.

Based on real practice

This article is based on 7 internal documents from the practice of ACP Group (work plans, specs, questionnaires and Bitrix24 implementation cases).
