№ 04 / Pillar
Security included, not upsold.
The same baseline ships with every tier. The thing that changes between tiers is how fast we pick up the phone.
In every tier
✓ Phishing-resistant sign-in
Every account requires more than a password. Hardware-key option available, time-based codes in the meantime.
✓ Strong password policy
Minimum length, no reuse, blocked-list check against known-breached passwords on every change.
✓ Encrypted in transit, always
Every page, every API call. Certificates auto-renew, no admin scrambling.
✓ Encrypted off-site backup
Daily snapshots. Off-site copy in a second EU region. Encryption keys are yours; we can't read your backups.
✓ Quarterly access review
A report listing every active user and what they have access to, sent to your admin every three months.
✓ GDPR-compliant DPA
Standard contractual clauses, processor obligations, sub-processor list — published.
✓ Built-in password manager
Open-source, self-hosted, signs in with the same login as the rest of the suite.
Differs by tier
Same baseline; what scales up is response time and audit depth.
| | Core | Mesh | Fleet |
| --- | --- | --- | --- |
| Response SLA | 1 business day | 4 business hours | 1 business hour |
| Audit report | — | Quarterly access review | + Quarterly compliance audit |
Where your data lives
EU by default, no annexes.
Core, Mesh and Fleet all run on EU infrastructure (currently Germany — Contabo, Nürnberg). Your data sits inside the EU jurisdictional perimeter — under GDPR, NIS2, and the EU Charter of Fundamental Rights, with the contract governed by Luxembourg law and the CNPD as supervisory authority. The DPA reflects this by default — no schedule II "international transfer" annex required.
For context
United States
CLOUD Act · 2018 · FISA 702 · renewed 2024
Extra-territoriality regimes that compel US-incorporated providers to disclose data held abroad, and authorise programmatic surveillance of non-US persons.
Equivalents
Elsewhere
Other jurisdictions carry similar shapes (China, UK, Russia, others). If foreign-jurisdiction extra-territoriality matters to your threat model, ask — we'll walk through the specifics for your sector and DPA expectations.