Vitals
- Version: v3.20.154-lts (Released 2026-05-04)
- Velocity: Active (Last commit 2026-05-01)
- Community: 37.9k Stars · 5.0k Forks
- Backlog: 975 Open Issues
Profile
- Official: tooljet.com
- Source: github.com/ToolJet/ToolJet
- License: AGPL-3.0 (Community) | Custom (Enterprise)
- Deployment: Docker | Kubernetes
- Data Model: PostgreSQL (metadata only - business data remains in source databases via proxy)
- Jurisdiction: USA 🇺🇸 (ToolJet Solutions, Inc. - Delaware) / India 🇮🇳 (ToolJet Solutions Pvt. Ltd.)
- Compliance (SaaS): SOC 2 Type II | ISO 27001 | GDPR Ready
- Compliance (Self-Hosted): Self-Hosted (User Managed)
- Complexity: Medium (3/5) - Drag-and-drop builder; JavaScript required for advanced query logic
- Maintenance: Medium (3/5) - Fast release cadence (NestJS/React stack); active maintainer presence
- Enterprise Ready: Moderate (3/5) - Full builder available in Community Edition; SSO (SAML/OIDC/LDAP), granular RBAC, audit logs, and multi-environment workflows require paid tiers
1. The Executive Summary
What is it? ToolJet is an open-source low-code framework for building internal tools, admin panels, and business dashboards. Developed by ToolJet Solutions, Inc. (Delaware, US) with engineering operations in India, it uses a proxy architecture - ToolJet connects to your existing databases and APIs and renders a UI layer, but your business data never transits or resides in ToolJet's infrastructure. The Community Edition is AGPL-3.0 licensed and self-hostable via Docker or Kubernetes; the SaaS offering carries verified SOC 2 Type II and ISO 27001 certifications. Enterprise governance features (SSO, RBAC, audit logs) are gated behind proprietary Team and Enterprise tiers at UNDISCLOSED pricing.
The Strategic Verdict:
- 🔴 For Regulated Workloads on Community Edition: Caution. The free self-hosted tier lacks the SSO, granular RBAC, and audit log controls required by most compliance frameworks. Organisations in healthcare, finance, or government must budget for Enterprise tier or accept a significant governance gap.
- 🟢 For Internal Tool Development with Data Sovereignty: Strong Buy. The proxy architecture is the defining feature - business data stays in your own databases at all times. Self-hosted instances can be deployed in fully isolated network environments, making ToolJet viable where no third-party SaaS can operate.
2. The "Hidden" Costs (TCO Analysis)
| Cost Component | Retool (SaaS) | ToolJet (Self-Hosted) |
|---|---|---|
| Platform Cost | ~$10/user/mo (Team) | $0 (Community Edition) |
| SSO / SAML | Enterprise tier | Enterprise tier (paywalled) |
| Audit Logs | Enterprise tier | Enterprise tier (paywalled) |
| Granular RBAC | Enterprise tier | Enterprise tier (paywalled) |
| Data Residency | Retool-managed cloud | 100% sovereign (proxy model) |
3. The "Day 2" Reality Check
Deployment & Operations
- Installation: Deployed via Docker Compose or Kubernetes Helm charts with official configurations provided. The NestJS backend and React frontend are packaged together; a PostgreSQL instance is required for ToolJet's own metadata (app definitions, user accounts, audit records). Business data is never written to this database - it is fetched at query time from connected sources and rendered client-side only.
- Developer Experience: ToolJet embraces code alongside its visual builder. JavaScript queries can be written inline, external NPM packages can be imported, and complex multi-step workflows can be constructed with conditional logic - bridging the gap between no-code and full-stack development for internal tooling.
Security & Governance (Risk Assessment)
- Jurisdiction & CLOUD Act (USA 🇺🇸 / India 🇮🇳): ToolJet Solutions, Inc. is Delaware-incorporated - full US CLOUD Act exposure for the SaaS offering. Engineering operations run through ToolJet Solutions Private Limited (Karnataka, India), placing source development and potential data access paths under a second jurisdiction subject to India's DPDP Act 2023 and IT Act. For organisations with cross-border data transfer restrictions, self-hosted deployment in an isolated network environment is the correct posture - it eliminates ToolJet's data holding entirely and reduces jurisdictional exposure to the operator's own infrastructure.
- The Compliance Shift: SOC 2 Type II and ISO 27001 are verified against the SaaS cloud offering; self-hosted instances inherit none of these certifications. Infrastructure hardening, database encryption at rest, network isolation, and access controls become the operator's responsibility. The controls required to achieve compliance in a self-hosted environment - granular RBAC, unlimited audit logs, multi-environment staging - are gated behind Team and Enterprise tiers. A Community Edition deployment lacks these controls out of the box and should not be presented as compliant without a compensating controls assessment.
- License Risk (AGPL-3.0 - Network Copyleft; Open-Core Enterprise Tax): AGPL-3.0 applies strong network copyleft - any organisation modifying ToolJet source code and exposing it over a network must open-source those modifications under AGPL. Standard internal deployment of the unmodified Community Edition does not trigger this clause. The enterprise ceiling is structural: SSO (SAML/OIDC/LDAP), SCIM provisioning, granular RBAC, unlimited audit logs, and multi-environment workflows are all gated behind proprietary licences at UNDISCLOSED pricing. Obtain Enterprise pricing before committing Community Edition to any regulated workload - the governance ceiling will be reached at the first SSO or audit requirement.
4. Market Landscape
Proprietary Incumbents
- Retool: The dominant internal tool builder for engineering teams. Per-seat SaaS pricing and all app definitions residing in Retool's cloud infrastructure are the primary drivers for migration to ToolJet - particularly for organisations with data residency requirements that the Retool SaaS model cannot satisfy.
- Mendix: A traditional enterprise low-code platform targeting business analysts and citizen developers. Higher abstraction layer and deeper enterprise workflow automation than ToolJet, but a substantially higher commercial cost and no self-hosted path comparable to ToolJet's open-core model.
Open Source Ecosystem
- Appsmith: The closest architectural rival - engineering-first, open-source, and similarly proxy-model. Preferred by teams that prioritise a larger pre-built widget library and a more established enterprise support ecosystem.
- Budibase: Better suited for teams that want a built-in database and a GUI-first workflow with less JavaScript exposure. ISO 27001 focus and simpler initial complexity distinguish it from ToolJet's more developer-oriented approach.