Competences

Data Sovereignty & GDPR

For us, data sovereignty is engineering practice, not a buzzword. We advise on Schrems II, GDPR, BSI C5 and ISO 27001 and translate legal requirements into concrete architectures in which your personal data demonstrably stays inside your jurisdiction.

To achieve that we combine exclusively open-source building blocks — Kubernetes, Proxmox, OpenStack, Nextcloud, Keycloak, Authentik, MinIO — with European hosting options or your own data center. Every component is open, auditable and free of hidden data flows.

Our approach is deeply tailored to your organisation: we start with a sovereignty assessment, identify US cloud dependencies, critical data flows and processing contracts, derive a prioritised roadmap and accompany the rebuild all the way into production. You retain full control over data, processes and source code — with clear handovers and complete documentation.

Hyperscaler Exit

A hyperscaler exit is more than lift-and-shift. We analyse your AWS, Azure and GCP estates for proprietary services, identify lock-in points (managed databases, IAM, messaging, KMS) and map them onto sovereign open-source equivalents.

From that we derive a prioritised migration plan with clear phases, rollback paths and measurable risk and cost KPIs. Workloads move stepwise into a private Kubernetes or OpenStack platform, orchestrated through Argo CD, secured with Cilium, observable through Prometheus, Loki and Grafana.

The process is tailored to your business operations: cutovers run blue/green, critical interfaces operate in parallel, data is migrated consistently. In the end you receive a fully documented platform your team can operate — without US cloud dependency, without data-transfer risk, with full cost transparency.

Identity Provider (IdP)

A sovereign identity provider is the backbone of any modern platform. We integrate Keycloak or Authentik as the central IdP for internal applications, customer portals and partner federation — including OAuth2, OpenID Connect, SAML 2.0, LDAP and forward-auth.

Multi-factor authentication with TOTP, WebAuthn/Passkeys and FIDO2, fine-grained RBAC, self-service password reset and brokering to existing directories (Active Directory, LDAP) come as standard. We migrate existing setups from Microsoft Entra ID, Okta or Auth0 to sovereign open-source alternatives — without US cloud dependency.

The IdP gets deeply integrated into your application landscape: SSO for SaaS tools, OIDC logins in CI/CD pipelines, federation with business partners, secure API access. Everything on your infrastructure, everything auditable, with clear handover and training processes for your team.

Infrastructure as Code

Reproducibility is the foundation of every sovereign platform. We deliver infrastructure exclusively as code — Terraform or OpenTofu for cloud and on-prem APIs, Ansible for configuration management, GitLab CI / Argo CD for delivery.

Modules, policies (OPA/Sentinel) and pipelines are designed to be reusable, reviewed and auditable. Every change runs as a pull request with an automated plan, a security scan and a four-eyes (two-person) review — so compliance requirements like BSI Grundschutz, ISO 27001 or NIS2 do not have to be retrofitted later.

We adapt the IaC setup to your organisation: repository layout, naming conventions, secrets handling via Keycloak/Authentik-backed OIDC logins or Vault alternatives, plus an onboarding path for your team. Outcome: infrastructure that keeps running without us — adjustable and auditable at any time.

Observability & SRE

Anyone taking responsibility for data and availability needs real visibility. We build observability stacks completely on open source: Prometheus for metrics, Loki for logs, Tempo/Jaeger for traces, Grafana as the central UI, Alertmanager for a clear alerting model.

SLOs, error budgets and runbooks are worked out together with your teams, versioned in GitOps and embedded into your existing processes (incident response, change management). The result is an SRE setup that understands your business logic and does not just ship generic dashboards.

Again: tailored, not off the shelf. We start with a reliability assessment, define critical user journeys, derive matching SLIs and integrate the tooling such that your data stays in your systems — GDPR-compliant and free of external telemetry.

On-Premise & EU Hosting

True sovereignty starts where your data physically lives. We design and build on-premise platforms on bare metal with Proxmox VE, OpenStack or Kubernetes — including HA storage (Ceph, ZFS), redundant networks, UPS concepts and disaster-recovery sites.

Where your own hardware is not the right fit, we deliberately choose European providers such as IONOS, OVH, plusserver or regional data centres with C5/ISO 27001 certification — and automate the entire setup via Terraform and Ansible so you can switch sites at any time.

The integration runs entirely on open source and is tailored to your processes: backup concepts with Restic/Borg/Veeam, GitOps deployments, IAM integration with Keycloak or Authentik and monitoring with Prometheus and Grafana — neatly documented, operable by your team and free of vendor lock-in.

Open-Source Stack

We commit fully to open source: Kubernetes, Linux, PostgreSQL, Nextcloud, Keycloak, Authentik, Proxmox, Argo CD, Prometheus, Grafana and the wider CNCF ecosystem. No proprietary layer, no hidden telemetry, no subscription risk.

The result is platforms you actually understand and control — including source code, build pipelines and operational documentation. We do not glue the pieces together “as a service” but as a coherent system with clean interfaces, proper observability and reproducible provisioning via Terraform/OpenTofu and Ansible.

Each stack is tailored to your use case: we begin with a workshop on your regulatory, functional and operational needs, choose the matching open-source components and deliver a platform your team can run on its own — with training, runbooks and a clear handover path.

Security & Zero Trust

Zero Trust is, for us, a concrete architectural pattern, not a marketing slogan. We combine sovereign IAM (Keycloak or Authentik) with network segmentation (Cilium, eBPF-based policies), mTLS between services, signed container images (cosign, sigstore) and auditable CI pipelines.

On top come hardening measures aligned with BSI Grundschutz and CIS benchmarks: hardened Linux images, secret management, key rotation, certificate lifecycle and incident processes. Every component is open source and under your control.

We tailor the deployment to your risk and compliance profile — whether you are a critical-infrastructure operator, a NIS2-regulated organisation, a public agency or a mid-sized software company. You get a security setup that is verifiable, reproducible and operable for your team.

Vendor Lock-out

“Vendor Lock-out” is our counter-design to vendor lock-in: we build solutions where every single building block stays exchangeable. Each component receives clean, documented interfaces — OIDC instead of proprietary SSO, the S3 API instead of cloud-storage quirks, Postgres instead of hyperscaler DBaaS, OCI images instead of closed runtimes.

Platforms are built modular and fully automated: infrastructure as code, GitOps deployments, clearly separated responsibilities between network, compute, storage, IAM and applications. That makes it possible to swap storage from MinIO to Ceph, replace the IdP from Keycloak to Authentik, or migrate the compute layer from Proxmox to OpenStack — without touching the rest of the system.

In practice: no “big bang” risk if your requirements change, no hidden migration cost and no dependency on a single vendor roadmap. You decide when a building block is replaced — and we deliver the migration path right alongside it.

WiFi in High-Density Environments

We plan, build and operate professional Wi-Fi infrastructure for demanding high-density scenarios — indoor and outdoor. Trade fairs, conference centres, stadiums, universities, manufacturing floors, warehouses, hospitals, hotels, campsites and festival grounds: anywhere hundreds or thousands of clients need stable, performant connectivity in parallel.

Our planning is based on real RF surveys (predictive and on-site, using Ekahau, iBwave or TamoGraph), 3D building models, spectrum analysis and capacity calculations per square meter and use case. We work with vendors like Cisco Meraki, Aruba, Juniper Mist, Ubiquiti UniFi, MikroTik as well as sovereign open-source solutions such as OpenWrt and OpenWiFi — including clean VLAN/SSID architecture, 802.1X with Keycloak/Authentik-backed RADIUS, WPA3 Enterprise, band steering, fast roaming (802.11r/k/v), outdoor point-to-point links and PoE concepts.

Operations are tailored too: central monitoring with Prometheus, Grafana and LibreNMS, automated configuration via Ansible/Terraform, clear runbooks for on-site events, 24/7 support during critical events and seamless integration with your existing sovereign platform. The result is a Wi-Fi network that holds up even at full capacity — GDPR-compliant, free of forced cloud dependencies and fully under your control.