diff --git a/_articles/faqs/security-faqs.md b/_articles/faqs/security-faqs.md index 9fb21185..aa4f76f0 100644 --- a/_articles/faqs/security-faqs.md +++ b/_articles/faqs/security-faqs.md 
@@ -1,87 +1,100 @@ --- layout: article title: Security FAQs -categories: [faqs, security] +categories: [security, faqs] featured: false popular: false hidden: false tags: [] +order: 08 +redirect_from: + - /article/why-should-i-trust-bitwarden/ + - /article/what-happens-if-bitwarden-is-hacked/ + - /article/can-bitwarden-see-my-passwords/ --- -## Compliance General +This article contains Frequently Asked Questions (FAQs) regarding **Security**. -### Current Certifications +### Q: Why should I trust Bitwarden with my passwords? -- GDPR -- CCPA -- HIPAA -- SOC 2 Type 2 -- SOC 3 +**A:** You can trust us for a few reasons: -For more information, please visit: +1. Bitwarden is **open source** software. All of our source code is hosted on [GitHub](https://github.com/bitwarden){:target="_blank"} and is free for anyone to review. Thousands of software developers follow Bitwarden's source code projects (and you should too!). +2. Bitwarden [is **audited**]({% link _articles/security/is-bitwarden-audited.md %}) **by reputable third-party security firms** as well as independent security researchers. +3. Bitwarden **does not store your passwords**. Bitwarden stores encrypted versions of your passwords [that only you can unlock]({% link _articles/security/what-encryption-is-used.md %}). Your sensitive information is encrypted locally on your personal device before ever being sent to our cloud servers. +4. **Bitwarden has a reputation.** Bitwarden is used by millions of individuals and businesses. If we did anything questionable or risky, we'd be out of business! -### GDPR +Still don't trust us? You don't have to. Open source is beautiful. You can easily host the entire Bitwarden stack yourself. You control your data. Learn more [here]({% link _articles/hosting/install-on-premise.md %}). -You can read more about Bitwarden’s data protection and privacy policies here: - +### Q: What happens if Bitwarden gets hacked? 
-### HIPAA +**A:** Bitwarden takes extreme measures to ensure that its websites, applications, and cloud servers are secure. Bitwarden uses Microsoft Azure managed services to manage server infrastructure and security, rather than doing so directly. -Read our [blog post](https://bitwarden.com/blog/post/why-use-a-hippa-compliant-password-manager/) for more information. +If for some reason Bitwarden were to get hacked and data be leaked despite this, your information is still protected due to [strong encryption and one-way salted hashing]({% link _articles/security/what-encryption-is-used.md %}) measures taken on your Vault data and master password. -### SOC Certifications +### Q: Can Bitwarden see my passwords? -You can find more about our SOC certifications on our blog [here.](https://bitwarden.com/blog/post/bitwarden-achieves-soc-2-certification/) +**A:** No. -## Desktop Electron Backdoor Concern +Your data is fully encrypted and/or hashed before ever leaving **your** local device, so no one from the Bitwarden team can ever see, read, or reverse engineer to get to your real data. Bitwarden servers only store encrypted and hashed data. For more information about how your data is encrypted, see [Encryption]({% link _articles/security/what-encryption-is-used.md %}). -The often shared article suggests an attack that requires a user to have a compromised machine, which of course would allow a malicious attacker to compromise data on that machine. As long as you have no reason to believe the device you are using has been compromised, your data is safe. +### Q: Is my master password stored locally? -## Duo MFA / 2FA / Two-step Login Requirement +**A:** No. -The ability to enforce 2FA is made possible using an [Enterprise Policy](https://bitwarden.com/help/article/policies/) included with an Enterprise Organization subscription. As an additional option, you can enable Duo MFA integration to enforce 2FA/MFA for your Organization. 
+We do not keep the master password stored locally or in memory. Your encryption key (derived from the master password) is kept in memory only while the app is unlocked, which is required to decrypt data in your vault. When the vault is locked, this data is purged from memory. +We also reload the application's renderer process after 10 seconds of inactivity on the lock screen to make sure any managed memory addresses which have not yet been garbage collected are purged. We do our best to ensure that any data that may be in memory for the application to function is only held in memory for as long as you need it and that memory is cleaned up whenever the application is locked. We consider the application to be completely safe while in a locked state. -## New Device Not Recognized +### Q: What do I do if I don't recognize a new device logging in? -Do you recognize the IP address as a home or work IP address? If you Google "my ip" it will show the current IP address of your current connection. Make sure you check the IP of your mobile network as well. You will want to check if the IP shown in the notification is similar or not. If the IP isn't recognizable then it is recommended for you to change your password and make sure Two-step Login is configured on your Bitwarden account. You will also want to log into the Web Vault (https://vault.bitwarden.com) and go to Settings > My Account. Scroll to the bottom of the page and select Deauthorize Sessions. After Bitwarden has been updated with the new password and sessions have been reauthorized, you may want to change any accounts you have configured in Bitwarden. This is mainly precautionary steps, it doesn't mean someone has definitely logged into your account without permission. Are you sure the email on the message was to the right email address and not another account you may have? 
This notification could be a false positive or a fake/joke message but if you cannot determine why it was sent then you may want to be sure you are safe. It is better safe than sorry. Remember, access only is possible with your username, password, and alongside your Two-step Login if configured. The only way someone could access your account is if you do not have a Two-step Login configured and they guess your password if it doesn’t happen to be strong enough or a simple phrase. +**A:** If the IP address of a new device doesn't match any known IP addresses (home network, work network, mobile network, etc.), change your master password and make sure Two-step Login is enabled for your account. You should also Deactivate All Sessions from the **Settings** page of your Web Vault to force logout on all devices. If you think your Vault items might be compromised, you should change your passwords. -## Master Password Stored Locally? +### Q: What is Bitwarden compliant with? What certifications do you have? -We do not keep the master password stored locally or in memory. Your encryption key (which is derived from the master password) is kept in memory while the app is unlocked. This is needed to decrypt data in your vault. When the vault is locked, this data is purged from memory. We also reload the application's renderer process after 10 seconds of inactivity on the lock screen to make sure any managed memory addresses which have not yet been garbage collected are also purged. We do our best to ensure that any data that may be in memory for the application to function is only held in memory for as long as you need it and that memory is cleaned up whenever the application is locked. We consider the application to be completely safe while in a locked state. +**A:** Bitwarden is compliant with the following policies: -## Third party scripts, libraries, and services +- **GDPR.** Read more [here](https://bitwarden.com/privacy). 
+- **CCPA.** Read more [here](https://bitwarden.com/compliance). +- **HIPAA.** Read more [here](https://bitwarden.com/blog/post/why-use-a-hippa-compliant-password-manager/). +- **SOC 2 Type 2.** Read more [here](https://bitwarden.com/blog/post/bitwarden-achieves-soc-2-certification/). +- **SOC 3.** Read more [here](https://bitwarden.com/blog/post/bitwarden-achieves-soc-2-certification/). -Currently, we load third-party payment scripts from Stripe and PayPal on payment pages in the Web Vault. In the mobile app, the Firebase script is used for push notifications. The HockeyApp is used for crash reporting. Please note, Firebase and HockeyApp are removed completely from the F-Droid build if you are interested in using that option. Turning off push notifications on a Bitwarden server will disable using the push relay server if you want to self-host. +For more information, please visit our [Security and Compliance](https://bitwarden.com/compliance) page. -## Security General (Whitepaper, Audit report, etc.) +### Q: What third-party scripts, libraries, and services are used? -- Assessment Report: [Available here](https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Assessment%20Report.pdf) -- Additional Reading (Security): -- HackerOne: -- GitHub Project: +**A:** Currently, we load third-party payment scripts from Stripe and PayPal on payment pages in the Web Vault. In the mobile app, the Firebase script is used for push notifications. The HockeyApp is used for crash reporting. Please note, Firebase and HockeyApp are removed completely from the F-Droid build if you are interested in using that option. Turning off push notifications on a Bitwarden server will disable using the push relay server if you want to self-host. -## Self-signed Certificate Setup, On-premises/self-hosted +### Q: How do I require Two-step Login for my Organization? 
-When configuring your server with a self-signed certificate you will need to have two files, a private key and a server cert, then you will configure their path in the config.yml file in the Bitwarden installation directory. You can see an example of how to create a self-signed cert by referring to #6 here: https://help.bitwarden.com/article/install-on-premise/#manual-docker-installations The path that is defined in the config.yml is actually the location inside the NGINX container. The directory on the host is mapped to the container so you will actually want to make sure your correct certificate related files are under the ./bwdata/ssl/ directory. You should only ever need to work with the files under ./bwdata/ssl/, you do not want to work with files directly inside any container. It should line up like this (bitwarden.domain.local is only an example): +**A:** Use an [Enterprise Policy]({% link _articles/organizations/policies.md %}), included with an Enterprise Organization subscription. You can also enable Duo MFA integration to enforce 2FA/MFA for your Organization. For more information, see [Two-step Login via Duo]({% link _articles/two-step-login/setup-two-step-login-duo.md %}). -``` -{ ./bwdata/config.yml } -ssl_certificate_path: /etc/ssl/bitwarden.domain.local/certificate.crt -ssl_key_path: /etc/ssl/bitwarden.domain.local/private.key -Ssl_ca_path: -``` +### Q: What are the certificate options for a self-hosted instance of Bitwarden? -``` -{ ./bwdata/ssl/bitwarden.domain.local } -certificate.crt -Private.key -``` +**A:** See [Certificate Options]({% link _articles/hosting/certificates.md %}) for a complete list and instructions. -## Web Browser Extension Security/Safety Concern +### Questions Regarding Specific Client Apps -Extensions are safe to use if they are developed correctly. Due to the nature of how browser extensions work there is always a chance for a bug to arise. 
We take extreme care and caution when we are developing our extensions and add-ons, we keep our eyes and ears out for anything going on in the industry, and we conduct security audits for many more eyes on everything. +#### Q: What data does Bitwarden use from client applications? -## Web Browser Permission Request +**A:** Bitwarden uses Administrative Data to provide the Bitwarden Service to you. As indicated by some **App Privacy** reports, users provide the following information on account creation: -Users now have the ability to schedule their clipboard to be cleared of any Bitwarden entries made when filling forms or any other activity they may perform with Bitwarden which uses the clipboard. The permission requested by the extension is asking for an allowance for the app to do this. We need to read the clipboard value to ensure that we don't clear it out if it isn't a value you copied from the Bitwarden app itself. We keep track of the last copied Bitwarden value when we go to clear the clipboard N seconds later, we read the clipboard and then check it against the last copied value from Bitwarden, if it is the same, we clear it, if not, we leave it alone. This way we don't overwrite any important information you may have in your clipboard. This option is disabled by default and will only become active if you choose to set a schedule. +- Your Name (*optional*). +- Your Email Address (used for Email Verification, Account Administration, and communication between you and Bitwarden). + +Additionally, a **Bitwarden-generated** device-specific GUID (sometimes referred to as a *Device ID*) is assigned to your device. This GUID is used to alert you when a new device logs into your Vault. + +#### Q: Are Electron apps safe? + +**A:** An often shared article suggests a flaw with Electron apps, however the referenced attack requires a user to have a compromised machine, which of course would allow a malicious attacker to compromise data on that machine. 
As long as you have no reason to believe the device you are using has been compromised, your data is safe. + +#### Q: Are Browser Extensions safe? + +Extensions are safe to use if they are developed correctly. Due to the nature of how browser extensions work there is always a chance for a bug to arise. We take extreme care and caution when we are developing our extensions and add-ons, we keep our eyes and ears out for anything going on in the industry, and we conduct security audits to keep many eyes on everything. + +#### Q: What is the Browser Extension asking permission for? + +**A:** On installation, the Browser Extension will ask permission to access your clipboard in order to use the scheduled clipboard clear function (accessed in the **Options** menu). + +When this **optional feature** is enabled, clipboard clear will clear any Bitwarden entries made by or filled on a configurable interval. Access to the clipboard allows Bitwarden to do this *without* removing a clipboard item not associated from the Bitwarden application by checking the last-copied item again the last-copied item from your Vault. Please note, this feature is **off by default**. diff --git a/_articles/miscellaneous/subprocessors.md b/_articles/miscellaneous/subprocessors.md index 1686475a..7ee1112d 100644 --- a/_articles/miscellaneous/subprocessors.md +++ b/_articles/miscellaneous/subprocessors.md @@ -1,10 +1,11 @@ --- layout: article -title: Who are Bitwarden's Subprocessors? -categories: [miscellaneous] +title: Bitwarden's Subprocessors +categories: [security] featured: false popular: false tags: [] +order: 07 --- Reference the table below for a list of Bitwarden's subprocessors. diff --git a/_articles/miscellaneous/website-icons.md b/_articles/miscellaneous/website-icons.md index 229e6702..a821e874 100644 --- a/_articles/miscellaneous/website-icons.md +++ b/_articles/miscellaneous/website-icons.md 
@@ -1,35 +1,40 @@ --- layout: article -title: Your privacy when using website icons -categories: [miscellaneous] +title: Privacy when using Website Icons +categories: [security] featured: false popular: false tags: [icons, website icons, privacy] +order: 06 --- *Bitwarden does not collect any information when you download icons for website logins stored in your Bitwarden vault.* -## The Bitwarden icons server +## Using Website Icons -When Bitwarden displays a login item associated with a website in your Bitwarden vault it attempts to accompany it with a "website icon". This "website icons" feature allows you to easily identify particular logins in your vault by a recognizable icon. This is usually represented by a logo or brand image of that website. The Bitwarden icons server provides the delivery endpoint for these website icons. +When Bitwarden displays a login item associated with a website in your Vault (determined by the URI field), it attempts to accompany it with a graphical "website icon". -If you are using the "website icons" feature on a device, Bitwarden will issue requests to `icons.bitwarden.net` for each item of type "Login" in your vault that has a URI that resembles a website (ex. `google.com` or `https://google.com`, but not `google` or `http://localhost`). The icons server is fronted with a CDN that caches the icons on Cloudflare's edge nodes all around the world. Subsequent requests to the same icon will likely hit CDN caches instead of the icons server directly. Your requests may never actually hit Bitwarden's icons server because another Bitwarden user with the same website in their vault requested the icon before you. +Website icons help you to easily identify particular logins in your Vault by recognizable iconography, usually represented by a logo or brand image of that website. The Bitwarden icons server provides the delivery endpoint for these website icons. 
-## Privacy concerns +If you are using website icons on a device, Bitwarden will issue requests to `icons.bitwarden.net` for each item of type "Login" in your Vault that has a URI that resembles a website (ex. `google.com` or `https://google.com`, but not `google` or `http://localhost`). + +Bitwarden's icons server is fronted with a CDN that caches the icons on Cloudflare's edge nodes all around the world. Subsequent requests to the same icon will likely hit CDN caches instead of the icons server directly. Your requests may never actually hit Bitwarden's icons server because another Bitwarden user with the same website in their Vault requested the icon before you. + +## Privacy Concerns Because a request for an icon image contains the hostname of the website stored in your vault, it is important to understand that this feature will "leak" otherwise cryptographically protected information to Bitwarden servers and/or CDN endpoints. An example of a icon request looks like the following: `https://icons.bitwarden.net/google.com/icon.png` -**The icons server endpoints do not log or collect any information regarding icon image requests.** However, this is something you would have to take our word for since we have no way to demonstrate this publicly other than reviewing our [open source codebase](https://github.com/bitwarden). +**The icon server endpoints do not log or collect any information regarding icon image requests.** However, this is something you would have to take our word for since we have no way to demonstrate this publicly other than reviewing our [open source codebase](https://github.com/bitwarden). -## Disabling website icons +## Disabling Website Icons -We understand that certain privacy-minded users may not want to use the "website icons" feature. We provide the option to disable website icons on all Bitwarden client applications: +We understand that certain privacy-minded users may not want to use website icons. 
We provide the option to disable website icons on all Bitwarden client applications: - **Web vault:** Settings → Options → Disable Website Icons - **Browser extension:** Settings → Options → Disable Website Icons - **Mobile app:** Settings → Options → Disable Website Icons - **Desktop app:** Settings → Options → Disable Website Icons -When the website icons feature is disabled, Bitwarden will opt to show you a generic, locally accessed icon instead ({% icon fa-globe %}) that is the same for all login items stored in your vault. +When website icons are disabled, Bitwarden will opt to display a generic, locally accessed icon instead ({% icon fa-globe %}) for all login items stored in your vault. diff --git a/_articles/organizations/deploying-bitwarden-as-a-msp.md b/_articles/organizations/deploying-bitwarden-as-a-msp.md index b935aa93..c2fb0044 100644 --- a/_articles/organizations/deploying-bitwarden-as-a-msp.md +++ b/_articles/organizations/deploying-bitwarden-as-a-msp.md @@ -6,6 +6,7 @@ featured: false popular: false hidden: false tags: [tutorial] +order: 05 --- If you are looking for information about the Bitwarden Partner Program, look no further. Bitwarden supports a reseller and managed service provider (MSP) model. You can get started right away (no formal agreement needs to be signed). 
@@ -72,10 +73,10 @@ Read more: [Syncing Users and Groups with a Directory](https://bitwarden.com/hel ## Best Practices and Other Information ### Pricing for Partners -Whether you’re reselling or using Bitwarden on behalf of clients, Bitwarden offers a transparent pricing model. Price is based on per user per month, and is not dependent on the deployment method (cloud, private cloud, or self-host). Volume discounts start at 500 seats. +Whether you’re reselling or using Bitwarden on behalf of clients, Bitwarden offers a transparent pricing model. Price is based on per user per month, and is not dependent on the deployment method (cloud, private cloud, or self-host). Volume discounts start at 500 seats. ### Invoicing -Bitwarden will invoice based on Organization Seats for yearly subscriptions and an invoice will be sent to the Billing Contact on your Account. With many of our MSPs, they add on or charge for additional services, so they prefer to handle billing their own clients. +Bitwarden will invoice based on Organization Seats for yearly subscriptions and an invoice will be sent to the Billing Contact on your Account. With many of our MSPs, they add on or charge for additional services, so they prefer to handle billing their own clients. ### Value-Added Services Partners have complete flexibility for how they want to structure additional services for Clients. Some examples of services are organization consulting and implementation, onboarding training, Collections management, Support, and Reporting. If you’d like to see an example of how to structure an invoice for your client, [contact us](https://bitwarden.com/contact/). 
@@ -94,4 +95,3 @@ Bitwarden recommends every end-user take advantage of their personal Vault to st Company credentials should be stored in the Organizational Vault and put into a Collection appropriate for team use. Personal credentials should be stored in personal Vaults. This way, if an end-user parts way with the company, both parties can ensure smooth success. The employee retains access to their personal items, but will not have access to Organizational items. Read more about the benefits of the Bitwarden Partner Program on [our blog](https://bitwarden.com/blog/post/secure-password-management-for-msps/). If you have additional questions or feedback, feel free to reach out to the [Bitwarden sales team](https://bitwarden.com/contact). - diff --git a/_articles/security/administrative-data.md b/_articles/security/administrative-data.md new file mode 100644 index 00000000..1d3c0a0c --- /dev/null +++ b/_articles/security/administrative-data.md 
@@ -0,0 +1,30 @@ +--- +layout: article +title: Administrative Data +categories: [security] +featured: true +popular: false +tags: [] +order: 02 +--- + +Users provide personal information in connection with your account creation, usage of the Bitwarden Service and support, and payments for the Bitwarden Service. Bitwarden uses Administrative Data to provide the Bitwarden Service to you. We retain Administrative Data for as long as you are a customer of Bitwarden and as required by law. If you terminate your relationship with Bitwarden, we will delete your Personal Information in accordance with our data retention policies. + +{% callout success %} +We encourage you to review our [Privacy Policy](https://bitwarden.com/privacy){:target="\_blank"} for more information. +{% endcallout %} + +These data include: + +- Your Name (*Only if provided during account creation*). +- Your Email Address (used for Email Verification, Account Administration, and communication between you and Bitwarden). +- A **Bitwarden-generated** device-specific GUID (sometimes referred to as a *Device ID*, and used to alert you when a new device logs into your Vault.) + +For Organizations, these data also include: + +- Equivalent Domains +- Organization Name +- Organization Business Name +- Organization Billing Email Address +- Collection External IDs +- Group Names and External IDs diff --git a/_articles/security/can-bitwarden-see-my-passwords.md b/_articles/security/can-bitwarden-see-my-passwords.md deleted file mode 100644 index 3960571b..00000000 --- a/_articles/security/can-bitwarden-see-my-passwords.md +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -layout: article -title: Can the Bitwarden team see my passwords? -categories: [security] -featured: true -popular: false -tags: [] ---- - -No. - -Since your data is fully encrypted and/or hashed before ever leaving **your** local device, no one from the Bitwarden team can ever see, read, or reverse engineer to get to your real data. Bitwarden servers only store encrypted and hashed data. This is an important step that Bitwarden takes to protect you. - -You can read more about how your data is encrypted and transmitted [here]({% link _articles/security/what-encryption-is-used.md %}). \ No newline at end of file diff --git a/_articles/security/cloud-server-security.md b/_articles/security/cloud-server-security.md deleted file mode 100644 index 21cb9650..00000000 --- a/_articles/security/cloud-server-security.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -layout: article -title: How do you keep the cloud servers secure? -categories: [security] -featured: true -popular: false -tags: [cloud, azure] ---- - -Bitwarden processes and stores all data securely in the [Microsoft Azure cloud](https://en.wikipedia.org/wiki/Microsoft_Azure){:target="_blank"} using services that are managed by the team at Microsoft. Since Bitwarden only uses service offerings provided by Azure, there is no server infrastructure to manage and maintain. All uptime, scalability, and security updates and guarantees are backed by Microsoft and their cloud infrastructure. - -Don't trust the Bitwarden cloud? You don't have to. Open source is beautiful. You can easily host the entire Bitwarden stack yourself. You control your data. Learn more [here]({% link _articles/hosting/install-on-premise.md %}). diff --git a/_articles/security/where-is-data-stored-computer.md b/_articles/security/data-storage.md similarity index 55% rename from _articles/security/where-is-data-stored-computer.md rename to _articles/security/data-storage.md index a02bd0c9..843e37d5 100644 
--- a/_articles/security/where-is-data-stored-computer.md +++ b/_articles/security/data-storage.md 
@@ -1,17 +1,31 @@ --- layout: article -title: Where is my data stored on my computer/device? +title: Storage categories: [security] featured: true popular: false -tags: [] +tags: [cloud] +order: 04 +redirect_from: + - /article/where-is-data-stored-cloud/ + - /article/where-is-data-stored-computer/ + - /article/cloud-server-security/ --- -Your data is also automatically synced to our [cloud servers]({% link _articles/security/where-is-data-stored-cloud.md %}). In the event that you need to recover your data due to a device crash, simply reinstall the Bitwarden application and log in and your data will be re-synced. +This articles describes **where** Bitwarden stores your Vault Data and Administrative Data. -All sensitive data stored on your computer/device is encrypted. The data can be found in the following locations: +Bitwarden **always** encrypts and/or hashes your data on your local device before anything is sent to cloud servers for storage. **Bitwarden servers are only used for storing encrypted data.** For more information, see [Encryption]({% link _articles/security/what-encryption-is-used.md %}). -## Desktop +## On Bitwarden Servers + +Bitwarden processes and stores all data securely in the [Microsoft Azure Cloud](https://en.wikipedia.org/wiki/Microsoft_Azure){:target="\_blank"} using services that are managed by the team at microsoft. Since Bitwarden only uses service offerings provided by Azure, there is no server infrastructure to manage and maintain. All uptime, scalability, and security updates and guarantees and backed by Microsoft and their cloud infrastructure. Review the [Microsoft Azure Compliance Offerings](https://azure.microsoft.com/en-us/resources/microsoft-azure-compliance-offerings/) documentation for more detail. + +Don't trust Bitwarden Servers? You don't have to. Open source is beautiful. You can easily host the entire Bitwarden stack yourself. You control your data. Learn more [here]({% link _articles/hosting/install-on-premise.md %}). 
+## On your Local Machine + +Data that is stored on your computer/device is also encrypted and only decrypted when you unlock your Vault. Vault data can be found in the following locations based on the client application in use: + +#### Desktop App - Windows - Standard Installations & Store: `%AppData%\Bitwarden` @@ -27,7 +41,7 @@ All sensitive data stored on your computer/device is encrypted. The data can be You can override the storage location for your Bitwarden desktop application data by setting the `BITWARDEN_APPDATA_DIR` environment variable to an absolute path. {% endcallout %} -## Browser Extension +#### Browser Extension - Windows - Chrome: `%LocalAppData%\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb` 
@@ -46,15 +60,17 @@ You can override the storage location for your Bitwarden desktop application dat - Firefox: `~/.mozilla/firefox/your_profile/storage/default/moz-extension+++[UUID]^userContextID=[integer]` {% callout info %} -To enhance security, Firefox uses Universally Unique Identifiers (UUIDs) within extension storage folder names. Use the `about:debugging#/runtime/this-firefox` page (navigate from Firefox's address bar) to locate your Bitwarden extension UUID. Replace [UUID] with that UUID. Note also that Firefox allows users to customize where to store their profiles (and thus local Bitwarden extension data). The location specified above is the default. +To enhance security, Firefox uses Universally Unique Identifiers (UUIDs) within extension storage folder names. In the address bar, navigate to `about:debugging#/runtime/this-firefox` to locate your Bitwarden extension UUID. Replace [UUID] with that UUID. + +Firefox also allows users to customize where to store their profiles (and thus local Bitwarden extension data). The location specified above is the default. {% endcallout %} -## Mobile +#### Mobile - iOS: app group for `group.com.8bit.bitwarden` - Android: `/data/data/com.x8bit.bitwarden/` -## CLI +#### CLI - Windows: `%AppData%\Bitwarden CLI` - macOS: `~/Library/Application Support/Bitwarden CLI` diff --git a/_articles/security/how-is-data-securely-transmitted-and-stored.md b/_articles/security/how-is-data-securely-transmitted-and-stored.md deleted file mode 100644 index d5f37876..00000000 --- a/_articles/security/how-is-data-securely-transmitted-and-stored.md +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -layout: article -title: How is my data securely transmitted and stored on Bitwarden servers? -categories: [security] -featured: true -popular: false -tags: [encryption] ---- - -Bitwarden takes security very seriously when it comes to handling your sensitive data. Your data is never sent to the Bitwarden cloud servers without first being encrypted on your local device using [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard){:target="blank"} 256 bit encryption. You can read more about Bitwarden encryption [here]({% link _articles/security/what-encryption-is-used.md %}). Bitwarden never stores meaningful data on its servers. - -When your devices sync with the Bitwarden cloud servers, a copy of the encrypted data is downloaded and securely stored to your local device. Whenever you use the Bitwarden apps or extensions your data is decrypted only in memory as needed. Data is never stored in its decrypted form on the remote Bitwarden servers or on your local device. - -Bitwarden servers are securely hosted and managed in the [Microsoft Azure cloud](https://en.wikipedia.org/wiki/Microsoft_Azure){:target="_blank"}. diff --git a/_articles/security/is-bitwarden-audited.md b/_articles/security/is-bitwarden-audited.md index 701b3a1a..f4dae565 100644 --- a/_articles/security/is-bitwarden-audited.md +++ b/_articles/security/is-bitwarden-audited.md 
@@ -1,20 +1,75 @@ --- layout: article -title: Is Bitwarden audited? +title: Compliance, Audits, and Certifications categories: [security] featured: true popular: false tags: [audit] +order: 05 --- -Yes. +Bitwarden is a global company with customers located all over the world. Our business is to help customers protect, store, and share their sensitive data. We prioritize protecting the personal data of our customers and their end-users as paramount to our company mission. Bitwarden complies with industry standards, and conducts regular audits shared transparently with our customers and users. Our open source approach puts us in a unique position, where our software is viewed and scrutinized by a globally engaged community. -By making 100% of our source code available under an open source GPLv3 license, our goal is to be as transparent as possible about how Bitwarden works and how it handles your sensitive data. Being open source also allows thousands of developers to quickly identify potential issues and to verify the quality of our solutions. However, we also understand the need for reputable, independent third-party experts to officially audit the Bitwarden codebase. +## Privacy -In October 2018, Bitwarden successfully completed a source code audit and cryptographic analysis by security firm [Cure53](https://cure53.de/). You can read more about this security audit [here](https://bitwarden.com/blog/post/third-party-security-audit). +For our privacy policy, visit [bitwarden.com/privacy](https://bitwarden.com/privacy){:target="\_blank"}. -In July 2020, Bitwarden successfully completed a thorough security assessment and penetration test by auditing firm [Insight Risk Consulting](https://www.insightriskconsulting.com/). You can read more about this security audit [here](https://bitwarden.com/blog/post/bitwarden-network-security-assessment-2020/). +### GDPR -In August 2020, Bitwarden achieved SOC 2 Type 2 and SOC 3 certification. 
You can learn more about this [here](https://bitwarden.com/blog/post/bitwarden-achieves-soc-2-certification/) +Bitwarden participates in the EU-U.S. and Swiss Privacy Shield Frameworks and complies with GDPR and current applicable EU data protection rules. -Bitwarden also interacts with independent security researchers through our public bug bounty program on [HackerOne](https://hackerone.com/bitwarden/). +### CCPA + +Bitwarden is compliant with the California Consumer Privacy Act (CCPA). + +### Privacy Shield + +Bitwarden complies with EU-U.S. Privacy Shield Frameworks. In addition, Bitwarden uses and complies with EU Standard Contractual Clauses (SCCs). For more information, please see [Bitwarden Privacy Shield Frameworks](https://www.privacyshield.gov/participant?id=a2zt0000000CoURAA0){:target="\_blank"}. + +### HIPAA + +Bitwarden is HIPPA compliant. + +## Third Party Security Audits + +### SOC 2 Type 2 and SOC 3 + +Bitwarden has completed SOC Type 2 and SOC 3 compliance. For more information, see the blog post [Bitwarden achieves SOC 2 certification](https://bitwarden.com/blog/post/bitwarden-achieves-soc-2-certification/){:target="\_blank"}. + +### 2020 Security Assessment + +Bitwarden completed a thorough security assessment and penetration test by auditing firm [Insight Risk Consulting](https://www.insightriskconsulting.com/){:target="\_blank"}. For more information, please see the blog post [Bitwarden 2020 Security Audit is Complete](https://bitwarden.com/blog/post/bitwarden-network-security-assessment-2020/){:target="\_blank"}. + +[Read the report](https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Assessment%20Report.pdf). + +### 2018 Security Assessment + +Bitwarden completed a thorough security audit and cryptographic analysis by security firm [Cure53](https://cure53.de/){:target="\_blank"}. 
For more information, please see the blog post [Bitwarden Completes Third-party Security Audit](https://bitwarden.com/blog/post/third-party-security-audit/){:target="\_blank"}. + +## Open Source Codebase + +### Codebase on GitHub + +Bitwarden is focused on open source software with the entirety of the codebase available on GitHub.com. For more information, please see [github.com/bitwarden](github.com/bitwarden){:target="\_blank"}. + +### Open Source at Bitwarden + +Bitwarden is an open source password manager. For more information please visit [our open source page](https://bitwarden.com/open-source/){:target="\_blank"}. + +## Cloud Hosting + +The Bitwarden cloud service is hosted on Microsoft Azure. Please visit [Microsoft Azure Compliance Offerings](https://azure.microsoft.com/en-us/resources/microsoft-azure-compliance-offerings/){:target="\_blank"} for more detail. + +## Security Information + +### Zero Knowledge Encryption + +Bitwarden takes a zero knowledge encryption approach to password management, meaning every piece of information in your Vault is encrypted. For more information on this approach, please see the blog post [How End-to-End Encryption Paves the Way for Zero Knowledge](https://bitwarden.com/blog/post/end-to-end-encryption-and-zero-knowledge/){:target="\_blank"}. + +### Vault Security in Bitwarden + +For more information on how Bitwarden Vaults are protected, including options for Bitwarden client applications, please see the blog post [Vault Security in the Bitwarden Password Manager](https://bitwarden.com/blog/post/vault-security-bitwarden-password-manager/){:target="\_blank"}. + +### Bug Bounty Program + +Bitwarden also interacts with independent security researchers through our public bug bounty program on [HackerOne](https://hackerone.com/bitwarden/){:target="\_blank"}. diff --git a/_articles/security/password-salt-hash.md b/_articles/security/password-salt-hash.md deleted file mode 100644 index 71e60aff..00000000 
--- a/_articles/security/password-salt-hash.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -layout: article -title: Does Bitwarden use a salted hash for my password? -categories: [security] -featured: true -popular: false -tags: [encryption, hash] ---- - -Yes. - -Bitwarden salts and hashes your master password with your email address on the client (your computer/device) before it is transmitted to our servers. Once the server receives the hashed password from your computer/device it is then salted again with a cryptographically secure random value, hashed again and stored in our database. This process is repeated and hashes are compared every time you log in. - -The hashing functions that are used are one way hashes. This means that they cannot be reverse engineered by anyone at Bitwarden to reveal your true master password. In the hypothetical event that the Bitwarden servers were hacked and your data was leaked, the data would have **no value** to the hacker. diff --git a/_articles/security/vault-data.md b/_articles/security/vault-data.md new file mode 100644 index 00000000..e8d44630 --- /dev/null +++ b/_articles/security/vault-data.md 
@@ -0,0 +1,28 @@ +--- +layout: article +title: Vault Data +categories: [security] +featured: true +popular: false +tags: [] +order: 01 +redirect_from: + - /article/what-information-is-encrypted/ +--- + +All Vault data is encrypted by Bitwarden before being stored anywhere. To learn how, see [Encryption]({% link _articles/security/what-encryption-is-used.md %}). + +Vault data can only be decrypted using a key derived from your master password. Bitwarden is a zero knowledge solution, meaning you are the only party with access to your key and the ability to decrypt your Vault data. + +{% callout success %} +We encourage you to review our [Privacy Policy](https://bitwarden.com/privacy){:target="\_blank"} for more information. +{% endcallout %} + +Vault data that is encrypted includes, but is not limited to: + +- Names of Folders, Collections, Items, & Attachments +- All Login information (including usernames, passwords, URIs, TOTPs, etc.) +- All Card information (including cardholder name, number, brand, expiration, security codes, etc.) +- All Identity information (including names, email, phone, passport numbers, license numbers, SSNs, addresses, etc.) +- All Secure Notes and notes connected to a Login, Card, or Identity +- All Custom Field name/value combinations diff --git a/_articles/security/what-encryption-is-used.md b/_articles/security/what-encryption-is-used.md index 00f52957..7c982d03 100644 --- a/_articles/security/what-encryption-is-used.md +++ b/_articles/security/what-encryption-is-used.md 
@@ -1,33 +1,51 @@ --- layout: article -title: What encryption is being used? +title: Encryption categories: [security] featured: true popular: false tags: [encryption] +order: 03 +redirect_from: + - /article/password-salt-hash/ + - /article/how-is-data-securely-transmitted-and-stored/ --- -Bitwarden uses [AES-CBC][aes]{:target="blank"} 256 bit encryption as well as [PBKDF2][pbkdf2]{:target="blank"} to secure your data. +Bitwarden uses [AES-CBC](#aes-cbc) 256-bit encryption for your Vault data, and [PBKDF2](#pbkdf2) SHA-256 to derive your encryption key. -[AES-CBC][aes]{:target="blank"} is a standard in cryptography and used by the US government and other government agencies around the world for protecting top secret data. With proper implementation and a strong encryption key (your master password), AES is considered unbreakable. +Bitwarden **always** encrypts and/or hashes your data on your local device before anything is sent to cloud servers for storage. **Bitwarden servers are only used for storing encrypted data.** For more information, see [Storage]({% link _articles/security/data-storage.md %}). -[PBKDF2][pbkdf2]{:target="blank"} SHA-256 is used to derive the encryption key from your master password. This key is then salted and hashed. The default iteration count used with PBKDF2 is 100,001 iterations on the client (this client-side iteration count is configurable from your account settings), and then an additional 100,000 iterations when stored on our servers (for a total of 200,001 iterations by default). The Organization key is shared via [RSA-2048][rsa]{:target="blank"}. +Vault data can only be decrypted using the key derived from your master password. Bitwarden is a zero knowledge solution, meaning you are the only party with access to your key and the ability to decrypt your Vault data. -Bitwarden does not write any cryptographic code. 
Bitwarden only invokes crypto from popular and reputable crypto libraries that are written and maintained by cryptography experts. The following crypto libraries are used: +{% callout success %} +We encourage you to visit our [Interactive Cryptography Page](https://bitwarden.com/help/crypto.html){:target="\_blank"} to see for yourself how Bitwarden encrypts your data. +{% endcallout %} -- JavaScript (web, browser extension, desktop, and CLI vaults) +## AES-CBC + +[AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard){:target="\_blank"}-CBC [(Cipher Block Chaining)](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_block_chaining_(CBC)){:target="blank"}, used to encrypt Vault data, is a standard in cryptography and used by the US government and other government agencies around the world for protecting top-secret data. With proper implementation and a strong encryption key (your master password), AES is considered unbreakable. + +## PBKDF2 + +[PBKDF2][pbkdf2]{:target="blank"} SHA-256 is used to derive the encryption key from your master password. Bitwarden [salts and hashes](https://www.okta.com/blog/2019/03/what-are-salted-passwords-and-password-hashing/){:target="\_blank"} your master password with your email address **locally**, before transmission to our servers. Once a Bitwarden server receives the hashed password, it is salted again with a cryptographically secure random value, hashed again, and stored in our database. + +The default iteration count used with PBKDF2 is 100,001 iterations on the client (*client-side iteration count is configurable from your account settings*), and then an additional 100,000 iterations when stored on our servers (for a total of 200,001 iterations by default). The Organization key is shared via [RSA-2048][rsa]{:target="blank"}. + +The utilized hash functions are one-way hashes, meaning they **cannot be reverse engineered** by anyone at Bitwarden to reveal your master password. 
Even if Bitwarden were to be hacked, there would be no method by which your master password could be obtained. + +## Invoked Crypto Libraries + +**Bitwarden does not write any cryptographic code.** Bitwarden only invokes crypto from popular and reputable crypto libraries that are written and maintained by cryptography experts. The following crypto libraries are used: + +- JavaScript (Web Vault, Browser Extension, Desktop, and CLI) - [Web Crypto][webcrypto]{:target="blank"} - [Node.js Crypto][nodecrypto]{:target="blank"} - [Forge][forge]{:target="blank"} -- C# (mobile vault) +- C# (Mobile) - CommonCrypto (iOS, Apple) - Javax.Crypto (Android, Oracle) - [BouncyCastle][bouncy]{:target="blank"} (Android) -Bitwarden **always** encrypts and/or hashes your data on your local device before it is ever sent to the cloud servers for syncing. The Bitwarden servers are only used for storing encrypted data. It is not possible to get your unencrypted data from the Bitwarden cloud servers. - -For examples of how this encryption is used, please visit our [cryptography example page.](https://bitwarden.com/help/crypto.html) - [aes]: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard [pbkdf2]: https://en.wikipedia.org/wiki/PBKDF2 [rsa]: https://en.wikipedia.org/wiki/RSA_numbers#RSA-2048 diff --git a/_articles/security/what-happens-if-bitwarden-is-hacked.md b/_articles/security/what-happens-if-bitwarden-is-hacked.md deleted file mode 100644 index c4e8cfbc..00000000 --- a/_articles/security/what-happens-if-bitwarden-is-hacked.md +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -layout: article -title: What happens if Bitwarden gets hacked? -categories: [security] -featured: true -popular: false -tags: [hacked] ---- - -Bitwarden takes extreme measures to ensure that its websites, application, and cloud servers are secure. Part of this security comes from the fact that [we rely on managed services and do not manage our cloud server infrastructure at all]({% link _articles/security/cloud-server-security.md %}). - -However, if for some reason Bitwarden were to get hacked and your data was exposed, your information is still protected. This is because Bitwarden uses strong encryption and one-way salted hashing. As long as you use a strong master password, your data is safe no matter who gets hold of it. diff --git a/_articles/security/what-information-is-encrypted.md b/_articles/security/what-information-is-encrypted.md deleted file mode 100644 index 941235df..00000000 --- a/_articles/security/what-information-is-encrypted.md +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -layout: article -title: What information is encrypted? -categories: [security] -featured: true -popular: false -tags: [] ---- - -All information associated with your stored vault data is protected with end-to-end encryption. This includes: - -- Folder names -- Collection names -- Item names -- Item notes -- Attachments -- Custom field names/values -- Login information - - Usernames - - Passwords - - URLs - - Authenticator keys (TOTP) -- Card information - - Cardholder names - - Numbers - - Brands - - Expirations - - Security codes -- Identity information - - Names - - Contact info (email, phone, etc) - - Password numbers - - License numbers - - SSNs - - Addresses -- Secure note information - -Certain information in Bitwarden cannot be encrypted. This includes: - -- Your name (if provided) -- Your account's email address -- Equivalent domains -- Organization names -- Organization business names -- Organization billing email -- Collection external ids -- Organization group names and external ids diff --git a/_articles/security/where-is-data-stored-cloud.md b/_articles/security/where-is-data-stored-cloud.md deleted file mode 100644 index 497ada39..00000000 --- a/_articles/security/where-is-data-stored-cloud.md +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -layout: article -title: Where is my data stored in the cloud? -categories: [security] -featured: true -popular: false -tags: [cloud] ---- - -Bitwarden processes and stores all data securely in the [Microsoft Azure cloud](https://en.wikipedia.org/wiki/Microsoft_Azure){:target="_blank"} using services that are managed by the team at Microsoft. Bitwarden does not manage any server infrastructure or security directly. All data is backed up multiple times over, again using services provided by Microsoft Azure. - -Don't trust the Bitwarden cloud? You don't have to. Open source is beautiful. You can easily host the entire Bitwarden stack yourself. You control your data. Learn more [here]({% link _articles/hosting/install-on-premise.md %}). diff --git a/_articles/security/why-should-i-trust-bitwarden.md b/_articles/security/why-should-i-trust-bitwarden.md deleted file mode 100644 index f9a01a04..00000000 --- a/_articles/security/why-should-i-trust-bitwarden.md +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -layout: article -title: Why should I trust Bitwarden with my passwords? -categories: [security] -featured: true -popular: true -tags: [] ---- - -1. Bitwarden is open source software. All of our source code is hosted on [GitHub](https://github.com/bitwarden){:target="_blank"} and is free for anyone to review. Thousands of software developers follow Bitwarden's source code projects (and you can too!). -2. Bitwarden [is audited]({% link _articles/security/is-bitwarden-audited.md %}) by reputable third-party security auditing firms as well as independent security researchers. -3. Bitwarden does not store your passwords. Bitwarden stores encrypted versions of your passwords [that only you can unlock]({% link _articles/security/can-bitwarden-see-my-passwords.md %}). -Your sensitive information is encrypted locally on your personal device before ever being sent to our cloud servers. -4. Bitwarden has a reputation. Bitwarden is used by millions of individuals and businesses. If we did anything questionable or risky we would be out of business. - -Still don't trust us? You don't have to. Open source is beautiful. You can easily host the entire Bitwarden stack yourself. You control your data. Learn more [here]({% link _articles/hosting/install-on-premise.md %}).
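Review bot: The deleted `how-is-data-securely-transmitted-and-stored.md` hunk removes the statement that synced data is decrypted only in memory as needed and is never stored in decrypted form on the local device, and no added line in this patch carries that sentence forward. Since `what-encryption-is-used.md` now takes the `/article/how-is-data-securely-transmitted-and-stored/` redirect, that article (or the Storage article it links as `data-storage.md`) should keep it, e.g. right after "Bitwarden **always** encrypts and/or hashes your data on your local device before anything is sent to cloud servers for storage."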
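Review bot: Typo in the new HIPAA section of `is-bitwarden-audited.md`: "Bitwarden is HIPPA compliant." should read "HIPAA". In the same hunk, "Bitwarden has completed SOC Type 2 and SOC 3 compliance." drops the "2" that the heading `SOC 2 Type 2 and SOC 3` has; the GitHub link `[github.com/bitwarden](github.com/bitwarden)` has no `https://` scheme and will render as a relative URL; the Privacy Shield sentence appears under both the GDPR heading and its own `Privacy Shield` heading and only needs to live in one place; and the removed lines' dates (October 2018, July 2020, August 2020) no longer appear in the body, which the new per-assessment headings recover only as years, so keep the month and year beside each audit and certification.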
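Review bot: The new `vault-data.md` takes the `/article/what-information-is-encrypted/` redirect but keeps only the encrypted-fields list; the deleted article's second list ("Certain information in Bitwarden cannot be encrypted", covering the account name and email address, equivalent domains, organization names, business names and billing email, collection external ids, and group names and external ids) is dropped from the patch entirely. Readers deciding what to put into a collection name or an external id need that list, so carry it over below the `All Custom Field name/value combinations` item.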
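Review bot: The added lines in `what-encryption-is-used.md` use `{:target="blank"}` (no underscore) on the CBC, PBKDF2 and RSA-2048 links, which targets a named browsing context called `blank` rather than opening a new tab; the rest of the hunk uses the `{:target="\_blank"}` form, so make the three consistent with it. Two further points in the PBKDF2 section: the server-side step is described twice in different terms ("salted again with a cryptographically secure random value, hashed again" and "an additional 100,000 iterations when stored on our servers"), which reads as two separate operations, so state once that the server-side salt-and-hash is the additional PBKDF2 pass; and the absolute "there would be no method by which your master password could be obtained" drops the caveat the deleted `what-happens-if-bitwarden-is-hacked.md` carried ("As long as you use a strong master password"), which is the condition the one-way-hash argument actually rests on, so restore it. Minor: the `[aes]` reference definition at the bottom is no longer used now that the AES link is inline.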
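Review bot: Deleting `where-is-data-stored-cloud.md` leaves `/article/where-is-data-stored-cloud/` without a `redirect_from` anywhere visible in this patch, whereas every other deleted article gets one in `security-faqs.md`, `vault-data.md` or `what-encryption-is-used.md`; add it to the Storage article this patch links as `data-storage.md`, or to wherever the Azure hosting text now lives. The deleted article's statement that all data is backed up multiple times over using Azure services is also not carried into the new `Cloud Hosting` section of `is-bitwarden-audited.md`, which only links to Azure's compliance offerings, so either restate it there or in the Storage article.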