Security you can verify,
not just believe.
Everything on this page describes measures that are actually in place. Where an industry certification doesn’t exist yet, we say so.
Infrastructure
EU-owned, EU-operated.
Customer sites, DNS and email run on infrastructure we operate ourselves in German datacenters (Falkenstein and Nuremberg, via Hetzner). There is no US hyperscaler in the serving path, and site data does not leave the EU. Even fonts are self-hosted — visitor IPs aren’t shipped to third parties for a typeface.
Isolation
Every customer site runs in its own container with its own runtime, users and resource limits — not a shared cPanel process pool.
Network discipline
Default-deny firewalls, admin planes reachable only over mutual-TLS or hardware-key SSH, and signed webhooks for anything inbound.
Automated patching
Security updates roll out across the fleet automatically, with daily vulnerability scanning and alerting to the operations team.
Your data
Encrypted, backed up, and yours.
Encryption
TLS on every site and every internal admin surface; backups encrypted at rest before they leave the host.
Backups
Nightly restore points with one-click self-service restore — replicated every night to storage in a second region (Nuremberg), physically separate from the Falkenstein infrastructure that runs your site.
GDPR
A published Data Processing Agreement with a full sub-processor register — who touches what, where, and on what transfer basis.
Read the DPA & sub-processor register →DNSSEC
Cryptographically signed DNS available on our EU nameservers, so answers for your domain can’t be forged in transit.
Account security
Passkey-first, phishing-resistant.
veldhost Manage supports passkeys and hardware security keys as a first-class login method, with authenticator 2FA and recovery codes behind them. Administrative access to the platform itself requires hardware keys — there is no password-only path into the control plane.
API access uses scoped tokens (read / deploy / manage / DNS), and anything that spends money or deletes data always requires an interactive confirmation.
In practice
- · Passkeys / YubiKeys on customer accounts
- · Enforced hardware-key login for administrators
- · Scoped, revocable API tokens
- · Session-guarded destructive actions
- · Encrypted secrets at rest (env values, credentials)
Certifications
veldhost does not currently hold ISO 27001 or SOC 2 certification. Rather than imply otherwise with borrowed badges, our security practices are documented on this page and in the Data Processing Agreement, and our operational track record is public on the status page.
Responsible disclosure
Found a vulnerability? Email security@veldhost.eu. Reports are acknowledged within one business day; please give us reasonable time to fix an issue before publishing, and don’t access data that isn’t yours while testing.