
Security & trust

Written for the person who has to answer the security questionnaire.

Every claim on this page links to something concrete — the code, the component, the standard, or the contract. No vague reassurance.

Where your data lives

Sovereign Workspace runs as a single Docker Compose stack on a server you choose. We don't operate a cloud. We don't hold copies. We don't have access. The community reference deployment runs on a Hetzner box in Germany — but nothing about the product requires Hetzner, or Germany, or any specific provider.

A self-hosted install means you are the data controller and the data processor. There is no cross-border transfer to document and no Standard Contractual Clauses to negotiate. Schrems II is not relevant when the data never leaves your infrastructure.

Identity & authentication

Keycloak is the single identity provider for the whole stack. An admin creates a user once in Keycloak. That user then signs into Sovereign Workspace, sees their own Nextcloud drive, and edits documents in Collabora — all without a second password, a "Connect Nextcloud" step, or an OAuth dance. When the user leaves, you disable the Keycloak account once and they lose access everywhere.

  • OIDC and SAML for external identity providers.
  • WebAuthn / FIDO2 — passkeys and hardware security keys (YubiKey, SoloKey, Titan).
  • PKCS#11 smart-card capability for government-issued eIDs.
  • Argon2id password hashing.
  • Short-lived JWT access tokens with refresh rotation.
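The last bullet names the property a questionnaire reviewer usually probes: what happens when a refresh token is stolen and replayed. The following is an added example, not code from Sovereign Workspace or from Keycloak, whose own rotation logic lives in its server configuration; it models the mechanism in plain Python (standard library only) with an HMAC-signed compact token standing in for a JWT. The key, subject names and the injectable clock are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    """Short-lived signed access tokens plus single-use refresh tokens.

    Each login starts a refresh-token *family*. Every rotation burns the
    presented refresh token and issues a new one in the same family. If a
    burned token is ever presented again, someone holds a copy, so the
    whole family is revoked and the user must sign in again.
    """

    def __init__(self, key: bytes, access_ttl: int = 300, now=time.time):
        self.key = key                 # HMAC key (constructed for the example)
        self.access_ttl = access_ttl   # seconds an access token stays valid
        self.now = now                 # injectable clock so tests are deterministic
        self.refresh: dict[str, dict] = {}   # refresh token -> record
        self.revoked_families: set[str] = set()

    def _sign(self, claims: dict) -> str:
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"

    def verify_access(self, token: str):
        """Return the claims if signature and expiry check out, else None."""
        body, _, sig = token.partition(".")
        try:
            given = _unb64(sig)
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, given):
                return None
            claims = json.loads(_unb64(body))
        except (ValueError, UnicodeDecodeError):
            return None
        if claims.get("exp", 0) <= self.now():
            return None
        return claims

    def _issue(self, subject: str, family: str):
        refresh_token = secrets.token_urlsafe(32)
        self.refresh[refresh_token] = {"family": family, "sub": subject, "used": False}
        access = self._sign({"sub": subject, "fam": family,
                             "exp": int(self.now()) + self.access_ttl})
        return access, refresh_token

    def login(self, subject: str):
        """Interactive sign-in: opens a fresh refresh-token family."""
        return self._issue(subject, secrets.token_hex(8))

    def rotate(self, refresh_token: str):
        """Exchange a refresh token for a new pair; None means re-authenticate."""
        rec = self.refresh.get(refresh_token)
        if rec is None or rec["family"] in self.revoked_families:
            return None
        if rec["used"]:
            # Replay of an already-rotated token: treat the family as compromised.
            self.revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return self._issue(rec["sub"], rec["family"])


if __name__ == "__main__":
    svc = TokenService(secrets.token_bytes(32))
    access, refresh = svc.login("alice")
    print("access valid:", svc.verify_access(access) is not None)
    _, refresh2 = svc.rotate(refresh)
    print("replay of old refresh token accepted:", svc.rotate(refresh) is not None)
    print("family still usable after replay:", svc.rotate(refresh2) is not None)
```

The point the code makes is that rotation alone is not the defence; it is the reuse detection in `rotate` that turns a stolen refresh token into a visible event (the family revocation) rather than a silent long-lived session. In a real deployment that revocation is exactly the kind of event the audit section below wants logged.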

Licensing — nothing finalised yet

Sovereign Workspace is a pre-incorporation project. The licensing model is not yet decided — not for the community workspace, not for any future commercial tier. We publish our current thinking here openly. Final terms will be set at incorporation with our partners.

What is most likely: an OSI-approved European open-source licence for the community workspace, with EUPL-1.2 as the leading candidate. An open-core model on top — with the enterprise tier source-available to paying customers and code held by a neutral third-party escrow provider — is under consideration.

What is guaranteed by the architecture, independent of any licence decision, is that the product is self-hosted on your own infrastructure, does not send telemetry to us, and does not depend on any US cloud service for core operation.

See the roadmap for what's live today and what's still in development.

Audit

Every authentication event, admin action, and policy change is logged with timestamp, actor, action, and target. Logs are exportable to CSV and to syslog / SIEM in the enterprise tier. The commercial tier adds tamper-evident hash-chained audit and long-retention compliance export bundles.

Backup & recovery

You back up what you host. Because everything sits on your server, standard filesystem, database, and object-storage backup tooling works without modification — restic, borgbackup, pg_dump, rsync, your existing backup infrastructure. The platform does not impose its own opaque backup format.

Certification roadmap — future, not claimed

Formal certifications — BSI C5 (Germany), SecNumCloud (France), Common Criteria, EN 301 549 accessibility — are on the roadmap. We will list them here when they are issued. Until then, we will not claim them.


Frequently asked

Where does my data live?
On the server you choose — your own hardware, a European cloud (Hetzner, OVH, IONOS, Infomaniak), or a rack in your office. Sovereign Workspace runs as a single Docker Compose stack. There is no Sovereign-Workspace-operated cloud silently holding copies. If you self-host, the data is yours, physically.

Is the source code auditable?
The licensing model is pre-incorporation and not yet finalised. Our current intention is to release the community workspace as open source — EUPL-1.2 is the leading candidate — and to make any future enterprise tier source-available to paying customers under commercial licence, backed by third-party code escrow. None of these specifics are locked; they will be finalised at incorporation.

Do you send telemetry back to your servers?
No. The workspace does not phone home. No anonymous usage data, no crash-reporting, no analytics. A self-hosted deployment runs against the Keycloak, Nextcloud, and Collabora instances you control. We do not see any of your traffic.

How is authentication handled?
Keycloak is the single identity provider. Supported: OIDC, SAML, WebAuthn/FIDO2 (passkeys, hardware keys), and PKCS#11 smart cards. Passwords are hashed with Argon2id. Session tokens are signed JWTs with short expiry and refresh rotation.

What about GDPR?
GDPR-aligned by architecture. Data minimisation, purpose limitation, and storage limitation are baked into the control plane. Because you self-host, you are the data controller and the data processor — there is no transfer to a third country to worry about. Schrems II is not a concern when the data never leaves your infrastructure.

Is the product certified (BSI C5, SecNumCloud, Common Criteria)?
Not yet. Formal certifications are on the roadmap — see the roadmap page. Until they ship, the honest position is: EU-hosted, GDPR-aligned, open-core, inspectable. We will not claim certifications we have not earned.

What happens if your company disappears?
The company does not exist yet — see the Impressum for the pre-incorporation stance. Once incorporated, we intend to publish the community workspace as open source (EUPL-1.2 leading candidate); at that point, even if we vanish, the code remains. For any future enterprise tier, we intend third-party code escrow; provider and trigger terms will be set alongside the commercial SKU.

Still have a question we didn't answer?

Security questionnaires are welcome. Email us the PDF or a link and we'll fill it in honestly, including where the answer is "not yet."
