
Self-Hosted CRM: Why Choose Bitrix24 On-Premise for Data Sovereignty


For IT directors in regulated industries, a self-hosted CRM means your customer data never leaves your own infrastructure — Bitrix24 On-Premise delivers exactly that, while retaining the full feature set of the cloud edition.

What Data Sovereignty Actually Means for a CRM

Data sovereignty is not just a buzzword — for companies in finance, healthcare, defence supply chains, and public-sector adjacent industries, it is a legal obligation. When your CRM sits on a vendor's shared cloud, you are trusting a third party to:

  • store personal and commercial data in a jurisdiction you have approved
  • implement access controls you cannot audit directly
  • respond to government data requests according to their own policies

A self-hosted CRM shifts all of that control back to you. Your database lives on hardware you own or lease, in a data centre you choose, governed by the firewall rules you write. GDPR Article 32 (technical and organisational measures), HIPAA, local data protection frameworks in the UAE (PDPL), Brazil (LGPD), and similar regulations all become significantly easier to comply with when you control the stack end-to-end.

With Bitrix24 On-Premise (the "box" or corporate portal edition), the application and all its data — CRM records, chat logs, documents, call recordings — reside entirely within your own infrastructure. The vendor never touches your data after installation.

On-Premise vs Cloud Bitrix24: Key Differences

The table below summarises the most commercially relevant differences based on our implementation experience across 1,300+ projects.

| Dimension | Cloud (Professional) | On-Premise (Corporate Portal) |
|---|---|---|
| Data location | Vendor's data centres | Your server / chosen data centre |
| Annual licence cost | ~$1,500–$1,800/yr (100 users, varies by region) | One-time purchase + ~25% annual renewal |
| Server hardware needed | None | Yes (see requirements below) |
| Upgrade & maintenance | Automatic | Your responsibility (or partner's) |
| Source code access | No | Yes (PHP-based, modifiable) |
| ERP / HR system integration | API-based, limited user import | API + direct DB-level integration; full user import possible |
| Compliance audit trail | Limited | Full — you control logs and backups |
| Customisation depth | Marketplace apps + REST API | Core code modifications possible |

Pricing note: Exact figures depend on your region and current Bitrix24 pricing. The on-premise licence follows a model where the first-year cost is higher than the cloud subscription, but annual renewal is roughly 25% of the initial licence price — making TCO competitive over a 3–5 year horizon.

Who Should Choose the Self-Hosted Edition

Based on our project archive, the following profiles consistently opt for on-premise:

  • Regulated industries — financial services, insurance, medical device companies, legal firms — where data residency must be documented and auditable.
  • Organisations with existing ERP or HR systems (SAP, 1C, Oracle HR) that require deep, bidirectional data exchange including employee record imports — something the cloud edition restricts.
  • Companies with strict network perimeter policies — e.g., public-sector contractors — where the CRM must be accessible only over a corporate VPN or a defined IP whitelist.
  • Large document-heavy operations — organisations that need to store a significant archive of files and contracts on their own storage, not a vendor's CDN.
  • Businesses that have outgrown SaaS customisation limits — teams that need to modify portal logic, build custom components, or integrate legacy internal systems at the code level.

Bitrix24 for Manufacturing Companies and Bitrix24 for IT & Software Companies are two verticals where on-premise deployments are particularly common in our experience.

Server Requirements and Deployment Architecture

The diagram below shows the typical on-premise deployment topology: web traffic enters through a reverse proxy, application logic is handled by Apache, and all CRM data stays inside your network boundary.

The following describes how requests flow in a self-hosted Bitrix24 setup: an end-user browser or mobile app connects to an nginx reverse proxy, which forwards dynamic requests to Apache/PHP. The application reads from and writes to a dedicated MySQL/Percona database. Backups are written to a separate backup storage on the same server or a mounted network drive. All components remain inside the organisation's own network perimeter.

flowchart LR
    USER[User Browser / Mobile] --> NGINX[nginx reverse proxy]
    NGINX --> APACHE[Apache + PHP]
    APACHE --> DB[(MySQL / Percona DB)]
    APACHE --> FILES[File Storage]
    DB --> BACKUP[Backup Storage]
    FILES --> BACKUP
    APACHE --> PUSH[Push & Pull Server]
    subgraph Your Infrastructure
        NGINX
        APACHE
        DB
        FILES
        BACKUP
        PUSH
    end

Minimum server specs for up to 50 users (from our deployment specs):

  • CPU: Intel Xeon E3 class, 4 cores at 3.4 GHz or better
  • RAM: 12 GB DDR4 minimum; 16–32 GB recommended for active portals
  • Storage: 128 GB SSD for the database; separate volume for file storage
  • OS: CentOS Stream 9 or compatible (avoid EOL distributions)
  • Web environment: nginx 1.26+, Apache 2.4.62+, PHP 8.2+, Percona Server 8.0+

For larger portals (50–250 users), one audited deployment in our archive ran comfortably on a 16-core server with 47 GB RAM and a ~28 GB database.

Deployment checklist:

  • Provision the server (your own hardware or a dedicated VPS/cloud instance)
  • Configure DNS record pointing to the server IP
  • Deploy Bitrix24 Corporate Portal using the vendor's official VM image or environment script
  • Register the licence key
  • Configure SSL (Let's Encrypt or corporate certificate)
  • Set up Push & Pull for real-time chat and notifications
  • Configure system email (SMTP)
  • Set automated backups to a local or remote target
  • Restrict admin panel access by IP whitelist

The full deployment phase typically takes 7–10 working hours for an experienced partner. See Bitrix24 Implementation Cost & Timeline for broader project scoping guidance.

Security Hardening for Self-Hosted Bitrix24

On-premise means you gain control — but also full responsibility. Security audits we have conducted on production self-hosted portals repeatedly surface the same misconfiguration patterns:

| Risk | Finding | Remediation |
|---|---|---|
| Information disclosure | display_errors and display_startup_errors enabled in php.ini — exposes file paths, SQL queries, DB structure | Disable both options in php.ini |
| Outdated web environment | Running EOL OS (e.g., CentOS 7) or outdated nginx/PHP/MySQL versions with known CVEs | Upgrade to current Bitrix24-recommended web environment |
| No two-factor authentication | Admin and user accounts accessible with password only | Enable 2FA via the built-in Bitrix24 OTP application |
| Missing HSTS header | Connections can be downgraded to HTTP | Add Strict-Transport-Security header in nginx/Apache config; enforce HTTP→HTTPS redirect |
| Unrestricted admin access | Admin panel reachable from any IP | Restrict /bitrix/admin/ to a corporate IP range or VPN |
| Outdated DB schema | DB structure errors accumulate, causing instability | Run auto-repair + manual check; target 0 errors in the system test |
| Framing vulnerability | Portal can be embedded in third-party frames (clickjacking) | Enable anti-framing protection in Bitrix24 security settings |
| Web antivirus disabled | Server-side malware scanning inactive | Enable the built-in web antivirus module (note: minor performance overhead) |

A security audit of one production portal in our archive found 5 threats, 3 of them critical — all stemming from deferred maintenance on the web environment and disabled security policies. A structured hardening engagement resolved every finding within a 2-day window.

Additional best practices:

  • Maintain a regularly updated IP blocklist in your firewall for known attack sources
  • Keep a custom-code modification log (on one audited portal, 23 of 109,188 files were modified — all changes should be documented)
  • Schedule core and module updates through the Bitrix24 admin panel on a quarterly cadence
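The php.ini, HSTS and admin-access rows of the table above can be checked mechanically before and after a hardening pass. The Python sketch below is an added example, not ACP Group's or Bitrix24's own tooling; the function names, sample configs, the 10.0.0.0/8 range, the /upload/ location and the backend port are constructed assumptions. It goes one step beyond the table by flagging a location block that defines its own add_header, because nginx then stops inheriting the server-level HSTS header.

```python
import re

OFF = {"off", "0", "false", "no"}  # values accepted as "disabled"

def php_ini_findings(text):
    """Flag error-display directives that are enabled or never set."""
    values = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        if "=" in line:
            key, val = line.split("=", 1)
            values[key.strip().lower()] = val.strip().strip('"').lower()  # last wins
    out = []
    for key in ("display_errors", "display_startup_errors"):
        if key not in values:
            out.append(f"{key}: not set explicitly")
        elif values[key] not in OFF:
            out.append(f"{key}: enabled ({values[key]})")
    return out

def nginx_findings(text):
    """Flag missing HSTS and an unrestricted /bitrix/admin/ location."""
    conf = re.sub(r"#.*", "", text)  # drop comments (naive: ignores '#' in quotes)
    hsts = re.compile(r"add_header\s+Strict-Transport-Security\b", re.I)
    out = [] if hsts.search(conf) else ["HSTS: header never set"]
    # nginx inherits add_header from the outer level only if the inner block
    # sets none, so a location with its own add_header drops server-level HSTS.
    for path, body in re.findall(r"location\s+([^{]+?)\s*\{([^{}]*)\}", conf):
        if hsts.search(conf) and "add_header" in body and not hsts.search(body):
            out.append(f"HSTS: dropped in location {path}")
    admin = re.search(r"location\s+[^{]*/bitrix/admin[^{]*\{([^{}]*)\}", conf)
    if not admin or not re.search(r"\bdeny\s+all\s*;", admin.group(1)):
        out.append("admin: /bitrix/admin/ lacks 'deny all'")
    return out

# Constructed samples, not taken from any audited portal.
WEAK_PHP = "[PHP]\ndisplay_errors = On\n;display_startup_errors = Off\n"
WEAK_NGINX = """server {
    add_header Strict-Transport-Security "max-age=31536000" always;
    location /upload/ { add_header X-Content-Type-Options nosniff; }
    location /bitrix/admin/ { proxy_pass http://127.0.0.1:8080; }
}
"""
HARD_NGINX = """server {
    add_header Strict-Transport-Security "max-age=31536000" always;
    location /bitrix/admin/ { allow 10.0.0.0/8; deny all; proxy_pass http://127.0.0.1:8080; }
}
"""

if __name__ == "__main__":
    print(php_ini_findings(WEAK_PHP) + nginx_findings(WEAK_NGINX))
```

The checks read static config text only, so settings overridden elsewhere (other include files, .htaccess, runtime changes) still need a live test against the portal.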

Migration from Cloud to On-Premise: What Gets Transferred

Moving an existing Bitrix24 cloud account to an on-premise server is a structured, multi-phase engagement. Here is what our standard migration plan covers:

What transfers cleanly:

  • Organisational structure and all department hierarchies
  • Employee accounts (passwords are reset and distributed via Excel on first login)
  • CRM leads — field settings, pipeline stages, card data, automation rules (robots + business processes), access rights
  • CRM deals — same scope as leads
  • CRM contacts and companies — field settings, card data, automations
  • Document templates — re-mapped to new field IDs (templates referencing old IDs must be reconfigured)

What does NOT transfer automatically (platform limitations):

  • Chat/messenger history between employees
  • "My Drive" personal file storage
  • Personal calendars
  • Activity log on CRM cards (calls, emails, meetings, comments logged in the right panel)
  • Two-factor authentication codes

Typical migration timeline: 2–5 working days for the data transfer phase, depending on data volume, plus up to 1 month of warranty support post-launch.

If you are currently on a different platform entirely, see our guides on migrating from HubSpot to Bitrix24 and migrating from Salesforce to Bitrix24 for cross-platform migration specifics.

Licensing and Total Cost of Ownership

Bitrix24 On-Premise uses a perpetual licence model with annual renewal. The economics look different from SaaS — upfront cost is higher, but the long-term TCO often favours on-premise for organisations over 50 users with a 3+ year horizon.

Typical cost structure (indicative, regional pricing applies):

| Item | One-time | Annual |
|---|---|---|
| On-premise licence (50 users) | ~$1,700–$2,000* | ~$450–$550 renewal |
| Marketplace module access | ~$400/yr | ~$400/yr |
| Server / VPS hosting | — | ~$25–$100/mo depending on specs |
| Partner deployment & setup | ~$1,500–$3,000 | — |
| Annual maintenance / updates | — | Included in partner support contract |

*Prices vary significantly by country and current Bitrix24 pricing. Always confirm with your regional partner.

Key TCO advantages of on-premise:

  • No per-user seat costs scaling linearly — licence is capacity-based, not per-head
  • Server costs are predictable and often already covered by existing infrastructure budgets
  • Deep ERP integration (e.g., with HR/payroll systems) avoids expensive middleware or iPaaS tools

The Bitrix24 Marketplace is available for the on-premise edition, extending functionality with third-party modules — this is an additional recurring cost to factor in.

Is Self-Hosted Bitrix24 Right for Your Organisation?

The decision comes down to three axes:

Control vs convenience. Cloud is faster to start and zero-maintenance. On-premise gives you full control of data, infrastructure, and code — but requires a capable IT team or a reliable implementation partner to maintain it.

Compliance requirements. If your industry mandates documented data residency, audit trails you own, or restricts data from leaving national borders, on-premise is not optional — it is the only viable path.

Long-term economics. For organisations with 50+ users on a multi-year horizon, the on-premise licence renewal cost (roughly 25% of the initial price per year) combined with predictable server costs often produces a lower TCO than an equivalent cloud subscription.

Before committing, a thorough requirements gathering process is essential. Our Bitrix24 Onboarding Questionnaire covers the 50+ questions that help map your processes to the right deployment model. For a feature-level comparison with competing platforms, see Bitrix24 vs HubSpot.

The on-premise edition is not the right choice for every organisation — but for those where data sovereignty is non-negotiable, it remains the most capable self-hosted CRM platform available at this price point.

Frequently Asked Questions

What is the difference between Bitrix24 cloud and on-premise editions?

The cloud edition is hosted on Bitrix24's servers with no hardware requirements and automatic updates. The on-premise (box) edition is installed on your own server, giving you full control over data location, source code, and deep ERP integrations — but you are responsible for maintenance, updates, and security.

Does Bitrix24 On-Premise support GDPR and local data protection compliance?

Yes. Because all data resides on infrastructure you control, you can document data residency, enforce access policies, manage retention and deletion, and produce audit logs — all prerequisites for GDPR, LGPD, UAE PDPL, and similar frameworks. Compliance still requires proper configuration; the platform alone does not guarantee it.

What server hardware is needed for Bitrix24 On-Premise?

For up to 50 users, a 4-core server at 3.4 GHz, 12 GB RAM, and a 128 GB SSD for the database is the baseline. Larger portals (100+ users) benefit from 16+ cores and 32–48 GB RAM. Bitrix24 provides an official VM image that pre-configures the required web environment (nginx, Apache, PHP, Percona).

Can I migrate from Bitrix24 cloud to on-premise without losing data?

Most structured data migrates cleanly: org structure, CRM leads, deals, contacts, pipeline settings, automations, and document templates. However, chat history, personal calendars, and CRM card activity logs (calls, emails, comments) cannot be exported due to platform API limitations.

How much does Bitrix24 On-Premise cost compared to the cloud?

The on-premise licence has a higher upfront cost but annual renewal is roughly 25% of the initial price. When you factor in server costs and eliminate per-user seat scaling, the total cost of ownership over 3–5 years is often lower than an equivalent cloud plan for teams of 50 or more users. Exact pricing depends on your region.

What are the biggest security risks in a self-hosted Bitrix24 deployment?

The most common issues found in security audits are: PHP error display enabled (exposing internal paths and DB structure), outdated OS and web environment with unpatched CVEs, no two-factor authentication, missing HSTS headers, and unrestricted admin panel access. All are fixable with a structured hardening engagement, typically completed in 1–2 days.

Based on real practice

This article is based on 12 internal documents from the practice of ACP Group — work plans, specs, questionnaires and Bitrix24 implementation cases.
