🩺 Vitals
- 📦 Version: v2.2.0 (Released 2026-05-04)
- 🚀 Velocity: Active (Last commit 2026-05-04)
- 🌟 Community: 45.5k Stars · 6.3k Forks
- 🐞 Backlog: 119 Open Issues
🏗️ Profile
- Official: twenty.com
- Source: github.com/twentyhq/twenty
- License: AGPL-3.0 (Community) | Custom (Enterprise — twenty-ee)
- Deployment: Docker
- Data Model: PostgreSQL
- Jurisdiction: USA 🇺🇸 (Twenty.com PBC)
- Compliance (SaaS): GDPR Ready (SOC 2 Type II in progress — unverified)
- Compliance (Self-Hosted): Self-Hosted (User Managed)
- Complexity: Moderate (3/5) - Docker Compose setup; PostgreSQL administration required
- Maintenance: Moderate (3/5) - Rapidly evolving codebase; expect frequent schema updates
- Enterprise Ready: Moderate (3/5) - Unlimited custom objects and workflow automation in Community; SSO, advanced RBAC, and managed integrations require paid tiers
1. The Executive Summary
What is it? Twenty is an open-source CRM designed as a developer-first alternative to Salesforce, built by Twenty.com PBC — a US Public Benefit Corporation. It uses a flexible, PostgreSQL-native data model that allows teams to define unlimited custom objects and relationships without proprietary configuration tools or consultant lock-in. The Community Edition is AGPL-3.0 licensed and self-hostable via Docker; enterprise features (SSO, advanced RBAC, lifecycle permissions) are gated in the proprietary twenty-ee commercial package. The SaaS offering is GDPR Ready, with a SOC 2 Type II audit currently in progress.
The Strategic Verdict:
- 🔴 For Regulated or Compliance-Heavy Workloads: Caution. SOC 2 is not yet complete, and the enterprise governance controls required by compliance-heavy organisations (SSO, granular RBAC, audit logs) are gated behind paid tiers. Community Edition deployments require compensating controls before use in regulated environments.
- 🟢 For Data-Sovereign CRM Replacement: Strong Buy. Full PostgreSQL ownership means CRM data — contacts, deals, pipeline history — lives in your own infrastructure, not a vendor cloud. Unlimited custom objects and workflow automation are available in the free tier, making it a credible Salesforce exit path for engineering-led organisations.
2. The "Hidden" Costs (TCO Analysis)
| Cost Component | Salesforce (SaaS) | Twenty (Self-Hosted) |
|---|---|---|
| License Fee | $25–$300+/user/mo | $0 (AGPL-3.0 Community) |
| Custom Objects | Tier-restricted | Unlimited (PostgreSQL native) |
| SSO / SAML | Enterprise tier | Paid tier (twenty-ee) |
| Implementation | Proprietary consultants | In-house engineering |
| Data Residency | Salesforce-managed cloud | 100% owned (self-hosted) |
3. The "Day 2" Reality Check
🚀 Deployment & Operations
- Installation: Docker Compose deployment with PostgreSQL as the primary data store. Standard setup for engineering teams; schema migrations are managed by Twenty's tooling. The codebase is rapidly evolving — expect regular updates and schema changes as the platform matures toward a stable architecture.
- Extensibility: Custom objects, fields, and relationships are defined natively in PostgreSQL without proprietary schema tools. Developers can extend Twenty via its GraphQL API and webhook system, integrating with existing data pipelines or internal tooling without vendor-managed connectors.
🛡️ Security & Governance (Risk Assessment)
- Jurisdiction & CLOUD Act (USA 🇺🇸): Twenty.com PBC is incorporated in the United States — full CLOUD Act exposure applies to the SaaS offering. Public Benefit Corporation status signals a governance commitment beyond profit maximisation, but does not alter US federal data access obligations. Self-hosted deployments eliminate Twenty's data holding entirely; all CRM records reside in the operator's own PostgreSQL instance, reducing jurisdictional exposure to the operator's infrastructure posture.
- The Compliance Shift: Twenty.com reports SOC 2 Type II as "In Progress" — treat as UNDISCLOSED until a completed audit report is published; do not use this status as a procurement argument for regulated workloads. GDPR compliance is documented for the SaaS offering. Self-hosted instances carry no inherited certifications — database encryption at rest, network access controls, and backup integrity are the operator's full responsibility. SSO and granular RBAC sufficient for enterprise access management are gated behind paid tiers; Community Edition deployments require a compensating controls assessment before use in regulated environments.
- License Risk (AGPL-3.0 Core + Proprietary twenty-ee Exception): The community core is AGPL-3.0 — network copyleft applies to any modified deployment exposed over a network. The critical risk is the twenty-ee directory: SSO, advanced RBAC, and lifecycle permissions are governed by a separate proprietary commercial licence, not AGPL. Organisations must maintain strict separation between the AGPL core and twenty-ee modules during deployment — inadvertent use of twenty-ee features without an active commercial agreement constitutes a licence violation. Clarify which features sit in twenty-ee before committing Community Edition to a production CRM workload.
4. Market Landscape
🏢 Proprietary Incumbents
- Salesforce: The dominant enterprise CRM. Per-seat licensing at $25–$300+/user/month, proprietary configuration tooling, and all customer relationship data residing in Salesforce's cloud are the primary drivers for migration — particularly for engineering-led organisations that want to own their CRM schema and data without consultant dependency.
- HubSpot: The dominant mid-market CRM and marketing platform. Free tier with aggressive upsell to paid seats; all contact and pipeline data resides in HubSpot's cloud. Twenty is the self-hosted alternative for teams exiting HubSpot's free-to-paid funnel who require full data ownership.
🤝 Open Source Ecosystem
- Krayin: The closest dedicated OSS CRM alternative — Laravel-based, self-hostable, and CRM-first in scope. Preferred by teams that want a more mature feature set for sales pipeline management without Twenty's rapidly evolving schema.
- Odoo: The choice for organisations that need CRM embedded within a broader ERP suite — accounting, inventory, HR, and CRM in a single platform. A different procurement conversation from Twenty, but the correct path when CRM is one module in a larger business operations requirement.