Self-hosted vs. local-first personal CRM: two privacy architectures, compared honestly
Self-hosting means full control plus a server to run; local-first keeps data on-device with optional encrypted sync. Threat models, costs, and who picks which.
Self-hosted and local-first are the two serious answers to the same worry — relationship notes in a stranger’s cloud — and they are not interchangeable. One trades convenience for control and hands you a server to run. The other keeps the primary copy on your device and hands you almost nothing to operate. Which trade fits depends on you, not on the software.
Two architectures, one motive
A personal CRM holds the most sensitive database most people will ever build voluntarily: who matters to you, what they confided, when you last spoke, what’s fragile in their life right now. Putting that on a vendor’s servers in plaintext means trusting not just today’s company but every future owner of it, every pricing pivot, every quiet acquisition.
Both architectures in this comparison refuse that bet — differently. A self-hosted CRM moves the server under your control: the application runs on a machine you rent or own, and the vendor disappears from the data path entirely. Local-first software abolishes the mandatory server instead: the primary copy lives on the device in your hand, the app is fully functional offline, and a server — if you enable one — is reduced to a relay for encrypted sync between your own devices. The term comes from Kleppmann, Wiggins, van Hardenberg & McGranaghan (2019), whose paper laid out the test we’d encourage applying to any “private” app: if the vendor vanished tomorrow, would the software still work, with your data intact, on hardware you control?
Both architectures pass that test. Everything else about them differs.
Self-hosting: control as a part-time job
The reference product here is Monica — open source under AGPL v3, maintained since 2017, installable via Docker or by hand, with a genuinely free self-hosted edition. We compare it to our own product at length on the Endearist vs. Monica page, and the short version stands: if you want a comprehensive, web-based system of record and you enjoy operating software, Monica self-hosted is an excellent choice.
The money is the easy part. A small VPS at about a dollar a month puts three years of self-hosting near €30 — against roughly €270 for Monica Cloud at $9 a month over the same stretch. No personal CRM gets meaningfully cheaper in cash.
The honest ledger is the time. Self-hosting a PHP/Laravel application with a MySQL database means owning operating-system patches, application upgrades and their occasional breaking migrations, TLS renewal, and backups that you restore-test rather than merely schedule. A few hours a month when things go well; an unplanned evening when they don’t. And the duty has a sharp edge: a self-hosted CRM that stops getting patched doesn’t politely degrade. It sits on a public IP address, holding intimate data about everyone you know, accumulating known vulnerabilities. Neglected self-hosting isn’t a lesser version of privacy — it’s a liability the vendor cloud never was.
Two further trade-offs deserve plain statement. Monica is web-only: no native desktop client, and mobile means the web app in a phone browser — workable, not delightful. And the control is real but concentrated: you are the security team, the backup operator, and the person who notices at 11 p.m. that the certificate expired.
Local-first: the device is the source of truth
Local-first inverts the topology. The database lives on your phone or laptop — in Endearist’s case as a local store you can export to plain Markdown — and the application is built to be complete without any network at all. Sync across devices is optional and end-to-end encrypted (AES-256-GCM, keys that never leave your devices), routed either through the vendor’s relay or through storage you already control: iCloud, Google Drive, WebDAV. Whatever carries the traffic sees ciphertext.
What this buys you is the absence of an ops burden rather than the presence of a server. Nothing to patch, nothing publicly addressable, no attack surface beyond the device you already secure with a passcode and disk encryption. The privacy floor is high by default — which matters, because defaults are what most people actually run.
What it costs you is a different dependence: on the vendor’s app binary. There’s no AGPL codebase to fork this afternoon, no community fork waiting if development stops. Honest local-first vendors compensate structurally, and you should demand that they do: exports in open formats you can test during a trial, offline operation that makes a vendor shutdown an inconvenience instead of an emergency, and a written source-release pledge that the code goes public on shutdown or acquisition. With those three in place, the dependence has a floor under it. Without them, “local-first” is just a cache with good marketing.
Self-hosted (e.g. Monica)
Your server, your database, AGPL code you can read and fork. Free software plus ~€30 of VPS over three years. Web-only interface; no native mobile or desktop apps. The recurring price is operational: patches, upgrades, TLS, tested backups — for as long as the data matters. Best-in-class control for people who run servers as a craft.
Local-first
Primary copy on your device; fully functional offline; optional E2E-encrypted sync through a relay that sees only ciphertext. Native apps, zero ops, high privacy floor by default. The dependence shifts to the vendor’s app — mitigated by open exports, offline operation, and a source-release pledge. Verify all three before trusting it.
Threat models, honestly
“More private” is meaningless without naming the adversary, so name them.
Vendor business-model drift — the realistic one: pricing pivots, acquisitions, features moving behind paywalls, plaintext data quietly feeding an AI roadmap. Both architectures defend well. Self-hosting removes the vendor from the data path; local-first removes the plaintext from the vendor’s reach. This, not espionage, is the threat most people are actually buying protection against.
Server compromise. Here the architectures genuinely diverge. Self-hosting concentrates risk on one machine whose security equals your diligence — excellent if maintained, dreadful if not. Local-first has no server of yours to breach; an attacker needs your physical device, which a passcode and full-disk encryption already defend.
Device loss. The inversion of the previous case. The self-hosted server doesn’t care if your phone drowns. A local-first primary copy does — so encrypted sync or scheduled backups aren’t optional extras; they’re the survival plan for the device-loss scenario.
Your own future negligence. The least flattering adversary and the most reliable one. Self-hosting assumes you’ll still be patching and restore-testing backups in year three; local-first assumes you’ll keep a second copy somewhere. Both assumptions fail sometimes — but they fail differently. A forgotten local-first backup costs you data only if the device also dies; a forgotten server patch exposes data while everything appears to work fine.
Legal and jurisdictional exposure. Data on a rented VPS lives in a datacenter subject to that host’s compliance machinery. Data on your personal device sits behind stronger practical and, in many jurisdictions, legal protections. Edge-case territory for relationship notes — but it points the same direction as the rest: fewer third parties holding anything at all.
Who should pick which
Pick self-hosting if operating servers is something you do anyway — homelab, VPS, monitoring you check with morning coffee — and you want a broad web-based record with code you can audit and fork. Monica has earned its position as the default answer there since 2017.
Pick local-first if you want the same custody of your data with none of the operating: native apps, offline by default, encrypted sync when you choose to turn it on. That’s the configuration we think fits most people who care about privacy but will never lovingly maintain a Linux box — and most people who think they’ll maintain one, eighteen months from now.
And the choice isn’t a marriage. Because both architectures live or die by open exports, you can start local-first this afternoon, graduate to a self-hosted system when the homelab itch arrives, or run both in parallel — a comprehensive web record on your server, a lighter local app in your pocket. The only configuration with no exit is the one this whole comparison exists to avoid: plaintext relationship notes in a cloud someone else controls, exportable on their terms.
FAQ
What is the difference between self-hosted and local-first software?
Where the primary copy of your data lives. **Self-hosted** means the application runs on a server you operate — a VPS or home server — and your devices talk to it over the network. **Local-first** means the primary copy sits on the device in your hand; a server, if any, only carries encrypted sync traffic between your own devices. Both remove the vendor's cloud as the system of record — by different routes with different chores.
Is self-hosting more private than local-first?
Only if the operating is done well. A **well-maintained** self-hosted server — patched, firewalled, backed up — is as private as it gets. A neglected one is a personal data breach on a public IP address, waiting. Local-first removes that failure mode: there is no server of yours to misconfigure, and with **end-to-end encrypted sync** the vendor's infrastructure only ever sees ciphertext. The honest ranking depends on your discipline, not on the architecture diagram.
What does running a self-hosted CRM actually involve?
Recurring, unglamorous work. Operating-system updates, application upgrades (and their occasional breaking migrations), **TLS certificate renewal**, database backups you actually test, and monitoring so you notice problems before an attacker does. Budget a few hours per month, more when a major upgrade lands. None of it is hard for someone who enjoys servers — all of it is mandatory, because an unpatched box exposed to the internet decays into a liability.
How much does self-hosting Monica cost?
The software is free — **Monica is open source under AGPL v3**, with Docker and manual installs documented. The running cost is the machine: a small VPS at around $1 per month puts the three-year total near **€30**, against roughly **€270** for Monica Cloud at $9 per month over the same period. The real price is time: setup once, then maintenance hours every month for as long as the data matters to you.
Can I run a self-hosted CRM on a Raspberry Pi or home server?
Yes — Monica's stack (PHP/Laravel with a **MySQL** database) runs fine on a Pi-class machine or any homelab box, and keeping the server inside your own network shrinks the attack surface compared to a public VPS. The trade is availability: a home server behind a residential connection is harder to reach securely from outside, so plan for VPN access (WireGuard, Tailscale) if you want your CRM on your phone away from home.
Is end-to-end encrypted sync as private as no sync at all?
Not quite, but close — and the gap is technical, not practical, for most threat models. With true **E2E encryption** (say, AES-256-GCM with keys that never leave your devices), the sync relay sees ciphertext and metadata like timestamps and approximate data volume, never contents. No sync at all removes even that metadata. If your threat model includes adversaries doing traffic analysis, keep sync off. For everyone else, E2E sync is the sane default.
What happens if a local-first vendor shuts down?
The decisive property: a local-first app **keeps working offline**, so a dead vendor costs you future updates, not your database. What to verify before committing — exports in open formats (CSV, Markdown, JSON, or a readable database file), and ideally a written **source-release pledge** promising the code goes public on shutdown or acquisition. With those in place, the worst case is migrating at your leisure rather than racing a server shutdown deadline.
Do local-first apps work across multiple devices?
Yes, through sync — and the privacy question is *whose* sync. The good pattern is optional, end-to-end encrypted replication between your devices, either through the vendor's relay (seeing only ciphertext) or through storage you already control, like **iCloud, Google Drive, or WebDAV**. The thing to check: that sync is genuinely optional, and that turning it off leaves a fully functional single-device app rather than a crippled one.
Which architecture is better for GDPR?
For purely private relationship notes, the GDPR's **household exemption** generally applies to your activity either way — personal, non-commercial use isn't regulated processing. The practical difference: self-hosting makes you the operator of an internet-facing system holding other people's data, so a breach is *your* incident to handle. Local-first keeps the data on hardware in your pocket with nothing publicly addressable. Fewer moving parts, fewer ways to become an accidental data controller of a leak.
Can I switch between self-hosted and local-first later?
Yes, if both ends respect open formats — which is exactly why export quality should gate the initial choice. Monica exports a **SQL dump plus JSON**; local-first tools worth using import CSV or JSON and export the same. Contacts and notes move cleanly; what rarely survives intact is structure like custom fields and activity logs, so expect an evening of tidying. Migrating between honest tools is a chore. Migrating out of a walled garden is a crisis.
Do I need to be technical to use either option?
For self-hosting, honestly yes — comfort with a terminal, Docker, DNS, and backups is the entry ticket, and the requirement never expires because maintenance never does. For local-first, no: the app installs like any other, data lands on your device by default, and encryption keys are handled for you. That asymmetry is the point. Local-first is how the privacy properties of self-hosting reach people who will never rent a VPS — by design rather than by ops effort.