🩺 Vitals
- 📦 Version: 2.14.4 (Released 2026-04-27)
- 🚀 Velocity: Active (Last commit 2026-05-05)
- 🌟 Community: 47.2k Stars · 2.9k Forks
- 🐞 Backlog: 632 Open Issues
🏗️ Profile
- Official: penpot.app
- Source: github.com/penpot/penpot
- License: MPL-2.0
- Deployment: Docker | Kubernetes
- Data Model: PostgreSQL / Valkey (Redis)
- Jurisdiction: Spain 🇪🇸 / USA 🇺🇸 (Kaleidos Inc.)
- Compliance (SaaS): GDPR Ready
- Compliance (Self-Hosted): GDPR Ready
- Complexity: Moderate (3/5) - Docker Compose or Helm, PostgreSQL and Valkey required
- Maintenance: Moderate (3/5) - Regular update cadence with active release schedule
- Enterprise Ready: High (4/5) - RBAC and AES-256 included; SAML/SCIM SSO requires Enterprise plan
1. The Executive Summary
What is it? Penpot is an open-source design and prototyping platform built entirely on open web standards — SVG, CSS, and HTML. Unlike Figma's proprietary binary format, Penpot stores designs as standard SVGs, making assets human-readable, version-controllable, and permanently accessible without vendor permission. It is built by Kaleidos Inc. (Spain/US), supports real-time collaboration, and is the primary open-source choice for product teams that need a design-to-code handoff workflow without Figma's per-seat licensing floor.
The Strategic Verdict:
- 🔴 For Teams Deep in the Adobe Ecosystem: Caution. Migrating from Figma or Adobe XD requires workflow adjustments, plugin replacements, and designer retraining. The format gap is closing but not yet closed for teams relying on advanced auto-layout or proprietary component libraries.
- 🟢 For Sovereignty-Focused Product Teams: Strong Buy. MPL-2.0 licensed, GDPR Ready on SaaS, fully self-hostable, and backed by open standards that guarantee design asset portability independent of any vendor decision. Eliminates the Figma pricing floor ($12–$75/user/mo) for large collaborative teams.
2. The "Hidden" Costs (TCO Analysis)
| Cost Component | Figma (SaaS) | Penpot (Self-Hosted) |
|---|---|---|
| Licensing | $12–$75/user/mo | $0 (MPL-2.0) |
| Vendor Lock-in | High (proprietary format) | None (SVG/CSS/JSON exports) |
| SAML/SCIM SSO | Enterprise tier only | Enterprise Plan Required ($950/mo) |
| Data Residency | Figma Cloud | 100% Self-Owned |
3. The "Day 2" Reality Check
🚀 Deployment & Operations
- Installation: Penpot ships Docker Compose and Helm charts for Kubernetes deployments. The stack requires a persistent PostgreSQL database and a Valkey (Redis-compatible) instance; Traefik or an equivalent reverse proxy is recommended for TLS termination and object storage routing.
- Open Standards Advantage: Designs are stored as standard SVGs with exportable CSS, SCSS, and JSON via the official Penpot Export tool. Design assets can be version-controlled in Git alongside the codebase — a structural advantage over binary-format tools.
🛡️ Security & Governance (Risk Assessment)
- Jurisdiction & The CLOUD Act (Spain 🇪🇸 / USA 🇺🇸): Kaleidos Inc. is a US corporation with physical operations and EU data hosting through its Spanish branch. EU-based operations provide strong GDPR protections, but the US parent entity structure brings potential CLOUD Act exposure for the SaaS tier — a US court order could compel disclosure of data held by the US entity. Self-hosting eliminates this vector entirely: your PostgreSQL instance, your infrastructure, your data.
- The Compliance Shift: Self-hosting shifts infrastructure security, PostgreSQL and Valkey management, TLS configuration, backup strategy, and network isolation entirely to the operator. The Penpot architecture supports SOC 2, HIPAA, and FedRAMP readiness — the application provides RBAC and AES-256 encryption capabilities — but achieving those frameworks requires the operator to build and audit the full surrounding infrastructure stack. The compliance claims in this area come from Kaleidos's own marketing materials, not from independent audit reports.
- License Risk (MPL-2.0 — File-Level Copyleft): MPL-2.0 is highly permissive for both internal and commercial deployment. The copyleft clause is file-level only: modifications to existing Penpot source files must be open-sourced, but integrating Penpot into a larger proprietary product does not trigger copyleft for the surrounding codebase. There is no enterprise tax, no network clause, and no restriction on commercial self-hosting.
4. Market Landscape
🏢 Proprietary Incumbents
- Figma: The dominant collaborative design platform; teams evaluate Penpot to eliminate per-seat licensing fees and escape Figma's proprietary file format, which ties design assets to Adobe's continued platform availability.
- Adobe XD: Adobe's design and prototyping tool, now in maintenance mode; organisations evaluate Penpot as the active, open-source successor for teams that need continued investment in their design toolchain without Adobe's Creative Cloud dependency.
🤝 Open Source Ecosystem
- Excalidraw: The preferred choice for low-fidelity architectural sketching and rapid ideation — complementary to Penpot rather than a replacement for high-fidelity UI design.
- Appsmith: Often used to build the operational dashboards and internal tools that are designed and spec'd in Penpot before implementation.