🩺 Vitals
- 📦 Version: posthog-cli/v0.7.11 (Released 2026-04-28)
- 🚀 Velocity: Active (Last commit 2026-05-05)
- 🌟 Community: 34.3k Stars · 2.7k Forks
- 🐞 Backlog: 3946 Open Issues
🏗️ Profile
- Official: posthog.com
- Source: github.com/PostHog/posthog
- License: MIT (Core) | Custom (Enterprise Edition)
- Deployment: Docker | Kubernetes | SaaS
- Data Model: ClickHouse (OLAP) + PostgreSQL
- Jurisdiction: USA 🇺🇸 / UK 🇬🇧 (PostHog Inc. / Hiberly Ltd.)
- Compliance (SaaS): SOC 2 Type II
- Compliance (Self-Hosted): HIPAA Eligible | GDPR Ready
- Complexity: High (5/5) - Distributed ClickHouse + Kafka architecture at scale
- Maintenance: High (4/5) - Requires dedicated data engineering for production deployments
- Enterprise Ready: Moderate (3/5) - RBAC and SAML gated behind paid enterprise add-ons
1. The Executive Summary
What is it? PostHog is an open-core product analytics platform that consolidates event tracking, session replay, feature flagging, and A/B testing into a single stack. Developed by PostHog Inc. (USA) / Hiberly Ltd. (UK) and VC-backed, it solves the data silo problem — user behaviour data (analytics) and the control plane (feature flags) share the same event pipeline, eliminating complex cross-tool joins. The MIT-licensed community core is fully self-hostable; enterprise governance features (RBAC, SAML, SSO enforcement) are gated behind proprietary Enterprise Edition packages.
The Strategic Verdict:
- 🔴 For Teams Needing Enterprise Governance Out of the Box: Caution. RBAC and SAML are not included in the community edition — evaluate the Enterprise Edition add-on cost before assuming the self-hosted tier meets your security baseline.
- 🟢 For Engineering-Led SaaS Products and Scale-Ups: Strong Buy. PostHog replaces a fragmented stack — separate analytics, feature flag, and session replay contracts — with a unified platform at a fraction of the cost, with full data sovereignty on self-hosted deployments.
2. The "Hidden" Costs (TCO Analysis)
| Cost Component | Amplitude (SaaS) | PostHog (Self-Hosted) |
|---|---|---|
| License Fee | $10k–$60k+/yr (growth/enterprise) | $0 (MIT core) |
| RBAC / SAML | Included | Paid Enterprise Edition add-on |
| Infrastructure | Managed SaaS | ~$200–500/mo (ClickHouse VPS) |
| Data Sovereignty | Amplitude Cloud (US) | 100% Operator-Owned |
3. The "Day 2" Reality Check
🚀 Deployment & Operations
- Installation: Hobby deployments run via Docker Compose on a single node — suitable for development and low-volume production. Scale deployments require Kubernetes and careful ClickHouse cluster management; PostHog recommends dedicated data engineering resources for event volumes above ~1M/month.
- Scalability: Built on ClickHouse, the platform handles billions of events. Self-hosting at that scale requires managing distributed ClickHouse shards and a Kafka message bus — a meaningful operational commitment beyond the hobby tier.
🛡️ Security & Governance (Risk Assessment)
- Jurisdiction & Geopolitics (USA 🇺🇸 / UK 🇬🇧): PostHog Inc. is a US corporation subject to the CLOUD Act — SaaS behavioural data can be compelled by the US government without notifying the data subject. Hiberly Ltd. (UK) is the EU-facing entity, covered by the UK-GDPR adequacy decision. For EU operators under NIS2 or strict GDPR mandates, self-hosting in a VPC eliminates CLOUD Act exposure entirely.
- The Compliance Shift: The PostHog SaaS tier holds SOC 2 Type II (verified via SafeBase Trust Center). Self-hosting transfers the entire compliance posture to the operator — PostHog's SOC 2 certification explicitly does not cover self-hosted instances. Database encryption, access controls, and audit logging are the operator's responsibility. HIPAA Eligible and GDPR Ready postures are achievable on self-hosted infrastructure, but HIPAA BAA coverage is only available on paid cloud tiers.
- License Risk (MIT Core + Proprietary Enterprise Edition): The community core is MIT-licensed — maximally permissive. The Enterprise Edition introduces a proprietary licence that prohibits unauthorized production use, distribution, or copying of its features. RBAC, SAML authentication, and SSO enforcement each require separate paid Enterprise Edition packages. The commercial tax escalates sharply once a team's governance requirements exceed the community baseline.
4. Market Landscape
🏢 Proprietary Incumbents
- Amplitude: The dominant enterprise product analytics SaaS. Growth and enterprise tiers reach $10k–$60k+/year at scale, with all user behaviour data resident in Amplitude's US-managed infrastructure.
- Mixpanel: Product analytics focused on user journey and cohort analysis. Closed-source SaaS with no self-hosting option; data residency options are available at premium pricing.
🤝 Open Source Ecosystem
- Matomo: The established alternative for privacy-focused web analytics. Use Matomo for SEO and marketing attribution; PostHog for product-led growth and behavioural experimentation.
- Umami: A lighter alternative for teams that need simple, cookieless web analytics without the operational complexity of ClickHouse.