We zitten in een publieke testfase — kijk gerust rond, maar bestellen kan nog niet. Bestellen kan vanaf 1 oktober 2026.
Security

Security you can verify,
not just believe.

Everything on this page describes measures that are actually in place. Where an industry certification doesn’t exist yet, we say so.

Infrastructure

EU-owned, EU-operated.

Customer sites, DNS and email run on infrastructure we operate ourselves in German datacenters (Falkenstein and Nuremberg, via Hetzner). There is no US hyperscaler in the serving path, and site data does not leave the EU. Even fonts are self-hosted — visitor IPs aren’t shipped to third parties for a typeface.

Isolation

Every customer site runs in its own container with its own runtime, users and resource limits — not a shared cPanel process pool.

Network discipline

Default-deny firewalls, admin planes reachable only over mutual-TLS or hardware-key SSH, and signed webhooks for anything inbound.

Automated patching

Security updates roll out across the fleet automatically, with daily vulnerability scanning and alerting to the operations team.

Your data

Encrypted, backed up, and yours.

Encryption

TLS on every site and every internal admin surface; backups encrypted at rest before they leave the host.

Backups

Nightly restore points with one-click self-service restore — replicated every night to storage in a second region (Nuremberg), physically separate from the Falkenstein infrastructure that runs your site.

GDPR

A published Data Processing Agreement with a full sub-processor register — who touches what, where, and on what transfer basis.

Read the DPA & sub-processor register →

DNSSEC

Cryptographically signed DNS available on our EU nameservers, so answers for your domain can’t be forged in transit.

Account security

Passkey-first, phishing-resistant.

veldhost Manage supports passkeys and hardware security keys as a first-class login method, with authenticator 2FA and recovery codes behind them. Administrative access to the platform itself requires hardware keys — there is no password-only path into the control plane.

API access uses scoped tokens (read / deploy / manage / DNS), and anything that spends money or deletes data always requires an interactive confirmation.

In practice

  • · Passkeys / YubiKeys on customer accounts
  • · Enforced hardware-key login for administrators
  • · Scoped, revocable API tokens
  • · Session-guarded destructive actions
  • · Encrypted secrets at rest (env values, credentials)

Certifications

veldhost does not currently hold ISO 27001 or SOC 2 certification. Rather than imply otherwise with borrowed badges, our security practices are documented on this page and in the Data Processing Agreement, and our operational track record is public on the status page.

Responsible disclosure

Found a vulnerability? Email security@veldhost.eu. Reports are acknowledged within one business day; please give us reasonable time to fix an issue before publishing, and don’t access data that isn’t yours while testing.