№ 04 / Pillar
Security included, not upsold.
Every tier ships with the same security baseline — because "advanced threat protection costs extra" is exactly the trick we're trying to undo.
In the box · every tier
✓ Enforced MFA
TOTP at first login. No exceptions. WebAuthn / passkeys arriving Q3.
✓ Password policy
Minimum length, history, breach check via Have I Been Pwned at change time.
✓ TLS-only · HSTS
All traffic encrypted in transit. Cert-manager + Let's Encrypt, auto-renewed.
✓ Encrypted backup
Daily snapshots, restic-encrypted, off-site copy in second EU region.
✓ Quarterly access review
Report listing every active user and their group memberships, sent to admin.
✓ GDPR-compliant DPA
Standard contractual clauses, processor obligations, sub-processor list — published.
✓ Vaultwarden
Self-hosted Bitwarden-compatible password manager. SSO via Keycloak.
✓ Incident response SLA
Response within 1 business day (Cloud) → 1 business hour (Sovereign).
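The password-policy item above (minimum length, history, breach check at change time) as an added, self-contained example; this is not the product's own code. The 12-character minimum, five-entry history depth, PBKDF2 round count and breach counts are assumptions, and offline_fetch_range is a constructed stand-in for the Have I Been Pwned range endpoint so the check runs without network access.

```python
import hashlib
import hmac
import os
from typing import Callable, Iterable, List, Tuple

MIN_LENGTH = 12       # assumed policy value; the page states no number
HISTORY_DEPTH = 5     # assumed: reject any of the last five passwords
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# First line: SHA-1 suffix of the literal string "password" (prefix 5BAA6);
# the counts are invented for this example.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n",
}

def offline_fetch_range(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 leave the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def history_entry(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted PBKDF2 record kept for the history check; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def reused(password: str, history: Iterable[Tuple[bytes, bytes]]) -> bool:
    return any(hmac.compare_digest(history_entry(password, s)[1], h) for s, h in history)

def validate_change(password: str, history: List[Tuple[bytes, bytes]],
                    fetch_range: Callable[[str], str] = offline_fetch_range) -> List[str]:
    """Return the policy violations; an empty list means the change may proceed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if reused(password, history[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    hits = pwned_count(password, fetch_range)
    if hits:
        problems.append(f"seen {hits} times in known breaches")
    return problems
```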
Compliance posture
EU-only data, your jurisdiction, your DPA.
We do not transfer your data outside the European Union. Sovereign-tier customers choose the country of hosting (Belgium, France, Luxembourg or Germany). DPA reflects this by default — no schedule II "international transfer" annex required. NIS2 cooperation: yes; CLOUD Act exposure: none.