From the physical layer to the API surface, every component of the Servercrust platform is designed with security as a first-class requirement, not bolted on after the fact.
AES-256: Encryption at rest
TLS 1.3: Encryption in transit
24 / 7: Infrastructure monitoring
< 72h: Incident notification SLA
Encryption is applied at every layer, whether your data is moving across the network or sitting on a storage volume.
All data moving between your browser, our API, and your servers is encrypted with TLS 1.3. Older, insecure protocols are rejected entirely.
Persistent storage volumes and database backups are encrypted at rest using AES-256. Keys are managed separately from the data they protect.
Password-based root access is disabled by default on all new instances. SSH key pairs are enforced, and keys are never stored server-side.
API keys, tokens, and credentials in the control panel are stored hashed. Plaintext secrets are never logged or persisted beyond initial creation.
DDoS mitigation, private networking, and hardware firewalls are standard on every plan, not optional add-ons.
Protection layers
Volumetric, protocol, and application-layer attacks are automatically detected and scrubbed at the network edge, before traffic reaches your server.
Resources within the same region can communicate over an isolated private network, invisible to the public internet and not traversing shared links.
Traffic is routed to the nearest healthy PoP via anycast, reducing both latency and the blast radius of any single network-level event.
Every server sits behind a stateful hardware firewall. You define the rules: only the ports you explicitly allow are ever exposed.
We align our practices with internationally recognised frameworks for data protection and security governance, even while we work toward formal certification.
Your data stays in the region you choose: Nairobi or Frankfurt. We do not replicate customer data across regions without explicit opt-in.
Internal access to customer infrastructure follows least-privilege principles. Production access requires multi-factor authentication and is fully audit-logged.
We collect only what's needed to deliver and bill for services. Personal data handling is documented in our Privacy Policy and never sold to third parties.
Security events trigger an internal runbook. Customers affected by incidents that impact their data are notified within 72 hours of confirmation.
Our compliance direction
Servercrust's internal security controls are designed in alignment with ISO 27001, SOC 2 Type II, and GDPR principles. Formal certification processes are underway. Enterprise customers can request our current security documentation package by contacting our team.
Security defaults aren't something you have to opt into; they come standard with every Servercrust product, from the hypervisor to the management plane.
We take security reports seriously. If you believe you've discovered a vulnerability in our infrastructure or platform, please disclose it responsibly; we'll investigate promptly and keep you updated.
For enterprise security questionnaires, compliance documentation requests, penetration testing authorisation, or any other security-related enquiry, our team is available to help.