№ 04 / Pillar
Security included, not upsold.
The same baseline ships with every tier. The thing that changes between tiers is how fast we pick up the phone.
In every tier
✓ Phishing-resistant sign-in
Every account requires more than a password. Hardware-key option available, time-based codes in the meantime.
✓ Strong password policy
Minimum length, no reuse, blocked-list check against known-breached passwords on every change.
✓ Encrypted in transit, always
Every page, every API call. Certificates auto-renew, no admin scrambling.
✓ Encrypted off-site backup
Daily snapshots. Off-site copy in a second EU region. Encryption keys are yours; we can't read your backups.
✓ Quarterly access review
A report listing every active user and what they have access to, sent to your admin every three months.
✓ GDPR-compliant DPA
Standard contractual clauses, processor obligations, sub-processor list. All published.
✓ Built-in password manager
Open-source, self-hosted, signs in with the same login as the rest of the suite.
Differs by tier
Same baseline; what scales up is response time and audit depth.
Response SLA
Core: 1 business day
Mesh: 4 business hours
Fleet: 1 business hour
Audit report
Core: ·
Mesh: Quarterly access review
Fleet: + Quarterly compliance audit
Where your data lives
EU by default, no annexes.
Core, Mesh and Fleet all run on EU infrastructure (currently Germany, at Contabo Nürnberg). Your data sits inside the EU jurisdictional perimeter, under GDPR, NIS2, and the EU Charter of Fundamental Rights, with the contract governed by Luxembourg law and the CNPD as supervisory authority. The DPA reflects this by default, with no schedule II "international transfer" annex required.
For context
United States
CLOUD Act · 2018 · FISA 702 · renewed 2024
Extra-territoriality regimes that compel US-incorporated providers to disclose data held abroad, and authorise programmatic surveillance of non-US persons.
Equivalents
Elsewhere
Other jurisdictions carry similar shapes (China, UK, Russia, others). If foreign-jurisdiction extra-territoriality matters to your threat model, ask. We'll walk through the specifics for your sector and DPA expectations.