Infrastructure runs exclusively in Iceland and the EU — clear residency, open source stacks, and direct engineering support from the same team that handles our cybersecurity engagements.
Managed hosting
Your infrastructure. European residency, hands-on operations.
Fully managed hosting for organizations that handle sensitive work — deployed across Iceland and EU datacentres with strong privacy norms. Open source. No vendor lock-in. Operated by the same team that validates security controls for public media and mission-driven organizations.
Built for organizations with something to protect.
Three types of clients. One common need: infrastructure where data residency, transparency, and operational control match how sensitive the work actually is.
Press freedom & journalism
Newsrooms covering government, national security, or sensitive investigations. Organizations that protect sources and need communications infrastructure with predictable jurisdiction and strong confidentiality defaults.
Investigative units · independent media · press freedom NGOs
Nonprofits & NGOs
Mission-driven organizations handling donor data, beneficiary information, or operations in politically sensitive contexts. European residency and predictable costs — without enterprise hosting overhead.
Human rights orgs · advocacy groups · international NGOs
Privacy-first organizations
Legal practices, healthcare nonprofits, security researchers, and advocacy networks where confidentiality is a professional or operational necessity — and a clearer residency story matters to clients and partners.
Legal aid · healthcare nonprofits · security researchers
How we secure your infrastructure
Every layer independently verified. Nothing implicitly trusted.
This isn't rebranded cloud hosting. The infrastructure is purpose-built for organizations where a breach is a mission problem — with security decisions made at every layer, not bolted on after the fact.
Data residency
Infrastructure hosted in Iceland and the EU — consistent residency from DNS to backups, with providers chosen for press freedom protections and transparent governance.
Zero trust access
Encrypted mesh between all nodes. Every request passes two independent gates — network identity and user identity. SSO with enforced MFA, tenant isolation at every layer.
Encryption at rest
Full-disk encryption on all nodes with keys stored in a separate secrets manager. End-to-end encryption enforced in all communication channels by default.
Resilience & recovery
4-hour recovery point. Infrastructure rebuildable from code in under 4 hours. Multi-provider architecture — no single vendor failure takes down your services.
Application catalog
A curated set of tools. Everything we offer, we support well.
We host a small number of applications deliberately. If you need something outside this catalog, we'll scope it as a custom deployment or refer you to the right provider.
Matrix / Element
Replaces: Slack · Teams · Signal (org-scale)
End-to-end encrypted messaging, file sharing, and voice calls for teams. E2EE enforced server-side — message content unreadable without client keys. Federation disabled by default when teams need tighter operational control.
Mid + Bespoke
Bitwarden
Replaces: 1Password · LastPass · Bitwarden Cloud
Credential management for teams. Application and VPS plans use Bitwarden Cloud managed through our MSP portal — centrally managed, tiered pricing. Bespoke plans get Bitwarden Server self-hosted on our EU/Iceland footprint.
All plans
Static site hosting
Replaces: Netlify · Vercel · Cloudflare Pages
Static sites and web applications served from EU/Iceland infrastructure with straightforward routing — no surprise cross-border hops. TLS via Let's Encrypt. Genuinely zero maintenance once deployed — no runtime, no database, nothing to break.
All plans
Nextcloud
Secure cloud storage & document exchange
Private file storage and collaboration for newsrooms, legal teams, and NGOs handling sensitive documents. Full data residency in Iceland/EU — no third-party indexing, no cloud provider scanning your files. Scoped per deployment to match your operational security requirements.
Bespoke only
SecureDrop
Secure whistleblower submission system
On-premises deployment of SecureDrop following Freedom of the Press Foundation guides. Physical hardware, air-gapped workflows, and Tor-only submission — built for newsrooms and organizations that accept sensitive tips from anonymous sources. We handle procurement, configuration, and staff training.
This is a physical deployment at your facility — not hosted on our cloud infrastructure. Currently available in the greater Los Angeles / Southern California area only.
Bespoke only
Custom deployments
Threat-model-driven infrastructure for at-risk organizations
Open source applications deployed on our Iceland/EU footprint, scoped around your specific threat model and operational requirements. Built for organizations where infrastructure choices have security implications — not generic app hosting.
Bespoke only
What we refer instead of hosting
Email
Self-hosted email has deliverability complexity disproportionate to its value as a managed service. We recommend Proton Mail for Business (Switzerland) or Tutanota for Teams (Germany) — both with strong privacy reputations and European operations.
Video conferencing
For privacy-sensitive video we recommend Whereby (Norwegian) or a self-managed Jitsi instance. WebRTC call quality issues are difficult to support remotely and are often network-dependent — not something we can reliably manage as a hosted service.
Application availability by plan
Application · App · VPS · Bespoke
Bitwarden
Cloud MSP / self-hosted Server
Static site hosting
Web, docs, landing pages
self-managed
Matrix / Element
Secure messaging
self-managed
Nextcloud
File storage & collaboration
self-managed
SecureDrop
On-premises whistleblower system
Onion service
High-sensitivity access pattern
Custom application
Any containerized app
self-managed
Plans
Three ways to work with us.
From a single managed application to dedicated infrastructure to a fully bespoke deployment — choose the level of control you need.
Managed app
Application
One or more applications on shared EU/Iceland infrastructure. We manage everything — you use the app.
No long procurement. No account managers. You work directly with your engineer.
01
Scoping brief
A 45-minute call to understand your threat model and what you're trying to protect. We design for your situation — not a generic template.
02
Proposal
Written proposal with architecture, pricing, timeline, and contract terms. Clear data ownership clauses — your data stays yours. Signed before work begins.
03
Deployment
Infrastructure deployed in 2–4 weeks. Bespoke plans include penetration testing before handover. We don't hand over credentials until the stack passes validation.
04
Onboarding
Staff onboarding covering operational security and correct platform use. Monthly security briefing. Direct escalation — you always reach your engineer.
"Rafael worked with us on a purple team engagement to validate our detections and test whether our response SLAs held up against realistic attack scenarios. The engagement clearly showed where detections and processes worked as expected and where gaps existed, backed by concrete evidence rather than assumptions."
Rahman Shah — Director of Cybersecurity, PBS
Get in touch
Start with a scoping brief.
Tell us about your organization and what you need to protect. We'll come back with a clear picture of what the right setup looks like — no sales process, no pressure.
Response within one business day
You work directly with your engineer — no account managers
All inquiries treated as confidential
We do not use CRM software or share inquiry details
Also need to validate your defenses?
Our cybersecurity practice — penetration testing, purple team engagements, SOC co-management — serves the same clients. Infrastructure is only part of the picture.