Everything a procurement officer checks — said straight.
Data residency in Sweden, a checkable security model, green Nordic infrastructure, and certification programs we describe exactly as they are. Nothing inflated.
All data lives in our region in Falkenberg, under Swedish and EU law. No US Cloud Act, no third-country problem. We are a Swedish company with Swedish staff.
GDPR-compliant by design
Per-tenant isolation
A dedicated OpenStack project per tenant, with credentials managed and rotated by OpenBao. No shared keys. This is a concrete, verifiable point — not a phrase.
Active in V1
100% renewable power
Our own hardware runs in a 100% renewable Nordic data center in Falkenberg, with waste-heat recovery into district heating. The energy belongs to the facility; the stack and the servers are ours.
Via a green colo facility
Certification
Said exactly like it is.
"Certified" is reserved for certificates we actually hold. Until the audits are done we say "program in progress". GDPR is regulatory compliance — not a certificate.
Framework
Status
Wording we use
ISO 27001
Program in progress
"Certification program begins August 2026." Never "ISO 27001-certified" before the certificate exists.
SOC 2
Program in progress
"Program begins August 2026." Never "SOC 2-compliant" before the report has been issued.
GDPR
Posture
"GDPR-compliant by design — all data resident in Sweden, under EU and Swedish law." No target date, no "GDPR certification".
Trust block for procurement: "Built to ISO 27001 and SOC 2 controls; certification program begins August 2026. GDPR-compliant by design, with all data resident in Sweden."
Security model
What you actually get.
Isolation
Project per tenant
Your own OpenStack project, your own network domain, your own failure domain. You only share the building.
Credentials
OpenBao-managed
Rotated, never shared, never in plaintext in a config. Per-tenant secrets isolation.
Encryption
At-rest & in-transit
AES-256 on storage, TLS 1.3 on all external traffic.
Audit
Async audit log
Every action in the control plane is logged. Exportable to your own SIEM.
Access
RBAC + API keys
Four built-in roles + custom. Fine-grained access per team and resource.
Operations
Quota enforcement
Hard quotas per tenant — a neighbor's burst can't starve your Planet.
Data residency & sub-processors
Where your data lives, and who touches it.
Area
Location
Note
Compute & storage
SWE · Falkenberg
Our own hardware in green colo. One region today.
Control plane & metadata
SWE
The Kepler layer runs in Sweden.
Backups / snapshots
SWE
Stays within Sweden.
Identity (Logto)
EU
Sub-processor — EU-hosted.
Object storage (partner)
EU/UK
S3 via European partner: UK (eu-west-1/3) · Frankfurt (eu-central-2) · Amsterdam (eu-central-1).
Sub-processor list
See RFP pack
Full list in the RFP pack (section 07); DPA on request.
Uptime: 99.3% as standard — SLA packages up to 99.95% are available. The 2023 plan for a Stockholm region (Västberga) is not live — we only list regions that actually exist. Multi-region is roadmap.
Procurement? The pack is ready to attach.
Capability matrix, security model, data residency, sub-processors and SLA — as a printable one-pager.
Straight to the point: Falkenberg is our only region today. Until multi-region exists: take volume snapshots and export backups off-site — we're happy to show you how. And you're never locked in: no fixed-term contract, API export of everything, standard OpenStack under the hood. More regions are on the roadmap.
Procurement coming up? We'll walk through the capability matrix point by point with you — 30 min, replies within 4 hours on weekdays. A site visit in Falkenberg works too.Book a procurement walkthrough →
Ready for your procurement.
Download an RFP pack with capability matrix, security model, data residency, sub-processors and SLA — ready to attach.