Kimai

🩺 Vitals

• 📦 Version: 2.56.0 (Released 2026-04-27)
• 🚀 Velocity: Active (Last commit 2026-04-27)
• 🌟 Community: 4.6k Stars · 771 Forks
• 🐞 Backlog: 325 Open Issues

🏗️ Profile

• Official: kimai.org
• Source: github.com/kimai/kimai
• License: AGPL-3.0
• Deployment: Docker | SaaS
• Data Model: PHP (Symfony) + MariaDB/MySQL
• Jurisdiction: Austria 🇦🇹 / EU 🇪🇺 (Kevin Papst — Individual)
• Compliance (SaaS): N/A (Undisclosed — no public trust page or audit reports)
• Compliance (Self-Hosted): GDPR Ready
• Complexity: Low (2/5) - Standard Docker stack
• Maintenance: Low (2/5) - Mature Symfony architecture
• Enterprise Ready: High (4/5) - LDAP/SAML support via plugins

1. The Executive Summary

What is it? Kimai is a professional-grade time-tracking and invoicing suite designed for European professional services, agencies, and consulting firms. It provides a robust, "Boardroom Ready" alternative to US-based SaaS platforms by offering absolute data residency in the EU and full source-code transparency.

The Strategic Verdict:

• 🔴 For Large Scale Enterprises (SaaS): Caution. The legal entity is a Sole Proprietorship, which introduces "Key Person Risk." Procurement teams should prioritize self-hosting to ensure long-term operational continuity.
• 🟢 For Privacy-First Organizations: Strong Buy. Kimai offers a "Safe Harbor" from the US CLOUD Act. Its strict adherence to EU data residency and "Privacy by Design" makes it an elite choice for firms handling sensitive government or corporate IP.

2. The "Hidden" Costs (TCO Analysis)

3. The "Day 2" Reality Check

🚀 Deployment & Operations

• Installation: Primarily deployed via Docker, leveraging a standard PHP/Nginx/MariaDB stack. The SaaS version is hosted exclusively on Hetzner in Germany.
• Scalability: Supports multi-user environments with complex hierarchical permissions. While PHP-based, its use of the Symfony framework ensures it can scale to support hundreds of concurrent users in an agency setting.

🛡️ Security & Governance (Risk Assessment)

• Jurisdiction & Geopolitics (Austria/EU): Kimai is operated by Kevin Papst, an individual developer domiciled in Vienna, Austria, with SaaS infrastructure hosted in Germany. As an EU-native entity, Kimai faces zero CLOUD Act exposure. The material governance risk is key-person concentration: with a bus factor of 1, long-term roadmap continuity and security patching depend entirely on a single maintainer.
• The Compliance Shift: Self-hosting shifts GDPR compliance obligations entirely to the enterprise. The operator must independently secure the infrastructure, maintain database backups, and manage timesheet data in accordance with the EU Working Time Directive. Enterprise features required for compliance audits — audit trail logs, RBAC, and SAML SSO — are not included in the open-source core and require paid plugin subscriptions.
• License Risk (AGPL-3.0 Network Clause): The core is governed by AGPL-3.0. Any enterprise that modifies the core and deploys it over a network — internally or as a service — is legally required to open-source those modifications under the same AGPL license. Enterprise plugins are sold under restrictive proprietary terms that prohibit SaaS redistribution or sub-licensing. Internal forks or custom plugin development require formal legal review before deployment.

4. Market Landscape

🏢 Proprietary Incumbents

• Harvest: A US-based SaaS time-tracking platform; organizations switch to Kimai to eliminate per-user subscription costs ($14–$18/user/mo) and move timesheet data to EU-controlled infrastructure.
• Clockify: An aggressive freemium platform that gates audit logs, SSO, and advanced reporting behind high-cost enterprise tiers; Kimai provides equivalent functionality via modular plugin subscriptions with no per-seat lock-in.

🤝 Open Source Ecosystem

• TimeTagger: A modern, minimal alternative for solo freelancers.
• InvoicePlane: Stronger focus on accounting/billing; Kimai remains the superior choice for project-based time recording and reporting.