Online office & communications protected from open Internet
Plug into your own private cloud in a box
Cloud Storage, Office, E2EE Chat, & Conferencing + E2EE Mail
Cloud / VPS, Dedicated, & Private Bare-Metal Hardware Supported
Ready-to-Deploy Virtual Appliance & Dedicated Hardware
Pre-Configured for Enterprise Speed & Security
We did the heavy lifting of integrating the open-source ecosystem so you don’t have to be a systems architect to administer your infrastructure. Don’t know what an edge router, LUKS/dm-crypt, the Matrix protocol, or STUN/TURN clusters are? No problem.
Enterprise WireGuard Built-In
Your core data engines (Nextcloud, Matrix, Vaultwarden) run entirely behind a private, enterprise-grade WireGuard network layer. Your infrastructure is not exposed to public scanning, preventing external sniffing and automated credential attacks.
Apps sync natively to your private cloud once the Defguard VPN is active, ensuring your data is only accessible within your secure, sovereign network boundaries.
Identity & Access Management (SSO)
Centralize your organizational identity with automatic provisioning across all integrated applications. Revoke credentials or off-board access instantly from a single control point.
Employees and contractors manage their own device enrollment via a secure, self-service portal, utilizing email-delivered tokens or QR-based onboarding to minimize administrative overhead.
Air-Gapped E2EE Communications (Defederated by Default)
Matrix 1:1 messaging, group spaces, and Element video calls are fully encrypted end-to-end using the Olm/Megolm cryptographic ratchet and DTLS-SRTP.
To prevent corporate espionage and metadata leakage, the communication core is completely defederated by default, creating a strict, air-gapped internal communications loop for your team that is entirely severed from public Matrix servers.
Full-Disk Encryption at Rest
LUKS/dm-crypt volumes protect your stored data assets at rest. A lightweight SSH server is natively compiled directly into the initramfs boot stage, allowing you to securely unlock your dedicated server remotely via a secure passphrase or keyfile during system reboots.
Hyper-Converged Infrastructure
The stack incorporates native container orchestration directly on the host OS or via a dedicated bare-metal hypervisor. Seamlessly manage all applications on a single dedicated OVH/Hetzner or on-premises rack server using software-defined overlay and bridged isolation networks.
Encryption in Use (Hardware Enforced)
When provisioned on dedicated hardware featuring compatible AMD EPYC (SEV) or Intel Xeon (TME) processors, the architecture supports live memory encryption. This safeguards your active application data and keys from sophisticated side-channel attacks or rogue physical access at the data center level.
Resource Efficient
We prioritize memory-safe Rust implementations wherever possible. A minimal deployment of our sovereign stack uses as little as 1.4–1.8 GB of RAM at idle, keeping your cloud instance or dedicated hardware free to scale resources when heavy workloads hit.
We do, however, recommend a minimum configuration of at least 4 vCPUs + 8 GB RAM, and a typical configuration of 6 vCPUs (dedicated) + 12 GB RAM or greater.
Intelligent Split-Tunneling
Defguard, the enterprise VPN control plane, automatically pushes policy-driven split-tunneling configurations to your devices. This ensures only traffic destined for your private infrastructure enters the encrypted WireGuard tunnel, while standard internet traffic bypasses the appliance for optimal speed and zero added latency.
For protecting all your Internet traffic, the Network Security Appliance can be provisioned in conjunction with the Sovereign Appliance.
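The difference between a split-tunnel and a full-tunnel profile is visible in one line of the WireGuard client configuration: the AllowedIPs of the gateway peer. The following POSIX shell script is an added example, not RemoteRails' or Defguard's own code, that audits a wg-quick style profile and reports whether it only routes the private infrastructure prefixes into the tunnel. The prefixes 10.8.0.0/24 and 10.9.0.0/24, the endpoint name and the key placeholders are constructed for this example.

```shell
#!/bin/sh
# Added example (not RemoteRails' or Defguard's code): audit a WireGuard client
# profile to confirm it is split-tunnel, i.e. the only prefixes routed into the
# tunnel are the appliance's private ranges and no default route is pushed.
# Assumed/constructed: wg-quick INI format, overlay prefixes 10.8.0.0/24 and
# 10.9.0.0/24, endpoint vpn.example.internal, key placeholders in angle brackets.
set -eu

# List every AllowedIPs prefix from all [Peer] sections, one CIDR per line.
allowed_ips() {
  sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1" \
    | tr ',' '\n' | tr -d ' \t' | grep -v '^$' || true
}

# Return 0 when no peer claims a default route (split tunnel),
# 1 when 0.0.0.0/0 or ::/0 is present (full tunnel).
is_split_tunnel() {
  if allowed_ips "$1" | grep -qxE '0\.0\.0\.0/0|::/0'; then
    echo "$1: full tunnel (default route via WireGuard)" >&2
    return 1
  fi
  return 0
}

# Return 0 when every routed prefix lies in RFC 1918 IPv4 space or IPv6 ULA
# space (fc00::/7), so a stray public prefix in a pushed policy is caught too.
only_private_prefixes() {
  allowed_ips "$1" \
    | grep -vqE '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|f[cd][0-9a-f]{2}:)' \
    && return 1
  return 0
}

SPLIT_CONF=$(mktemp)
FULL_CONF=$(mktemp)
trap 'rm -f "$SPLIT_CONF" "$FULL_CONF"' EXIT

# Constructed sample: a policy-driven split-tunnel client profile.
cat >"$SPLIT_CONF" <<'EOF'
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.10/32
DNS = 10.8.0.1

[Peer]
PublicKey = <gateway-public-key-placeholder>
Endpoint = vpn.example.internal:51820
AllowedIPs = 10.8.0.0/24, 10.9.0.0/24
PersistentKeepalive = 25
EOF

# Constructed sample: the same profile with a default route, which would send
# all Internet traffic through the appliance instead of bypassing it.
sed 's|^AllowedIPs = .*|AllowedIPs = 0.0.0.0/0, ::/0|' "$SPLIT_CONF" >"$FULL_CONF"

for f in "$SPLIT_CONF" "$FULL_CONF"; do
  if is_split_tunnel "$f" && only_private_prefixes "$f"; then
    echo "$f: split tunnel, $(allowed_ips "$f" | wc -l | tr -d ' ') private prefix(es)"
  fi
done
```

Running the script prints the split-tunnel profile as compliant and flags the full-tunnel variant on stderr. The same two functions can be pointed at the profiles Defguard pushes to endpoints to confirm that the policy matches what this section describes: only traffic for the private infrastructure enters the tunnel.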
Environment Agnostic
Our stack is defined declaratively, using standard Docker orchestration, a private WireGuard overlay, and persistent storage compatible with local, SAN, or object storage.
This ensures full portability—allowing you to migrate seamlessly between cloud, dedicated, or bare-metal servers, and providing a clear path for repatriating your data from public clouds back to your private infrastructure.
Application-layer orchestration of open source applications
The shift to hyper-converged sovereign infrastructure
Architectural details, operational models, and cryptographic boundaries. If you have a specific technical deployment requirement not covered below, contact engineering directly.
What exactly is the Sovereign Appliance?
Traditional self-hosting requires manual orchestration—forcing teams to independently deploy, patch, and cryptographically isolate disparate virtual machines for chat, storage, identity management, and routing.
RemoteRails introduces Application-Layer Hyper-Convergence. We collapse core infrastructure—enterprise file sync & share, end-to-end encrypted communications, and zero-knowledge credential vaults—into a unified, single-tenant deployment stack. One automated initialization. Zero networking overlap. Complete cryptographic isolation.
Is my data entirely private?
Yes, once we complete setting up the appliance in your cloud account or on your dedicated server, we will organize a “key ceremony” where we transition exclusive control of the server to you with an SSH and LUKS key rotation. You can grant (and revoke) temporary access to us in the future (e.g. to perform updates & maintenance) by re-adding our SSH keypair and an ingress firewall rule.
The zero-knowledge components, such as passwords in Vault and Matrix chats, are protected by a Master Password or Recovery Key known only to the user. We recommend printing out a hard copy of these credentials and storing them in a physical safe.
How are software updates handled?
Most components of the stack can be updated by simply updating the image tag, pulling the latest version from the container registry, and restarting.
Certain core applications (Nextcloud) and infrastructure layers (Defguard, Traefik) require sequential major-version upgrades and precise database schema migrations. We handle this orchestration seamlessly through our managed maintenance packages to ensure zero data disruption.
We recommend always having a complete backup prior to applying any updates.
How are backups handled?
Because of the diverse environments our customers deploy on, backups are highly adaptable. They can be handled via automated cloud snapshots, rsync to backup storage over SSHFS, or a Restic/BorgBackup pipeline to S3-compatible object storage.
For enterprise customers with especially demanding RPO requirements, custom solutions, such as near-real-time WAL streaming of Postgres databases using WAL-G or ZFS snapshot send/receive over SSH, are available.
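The update and backup answers above fit together as one procedure: take a consistent backup, verify it, and only then pull the new image tags and recreate the containers. The following POSIX shell script is an added example of that ordering, not RemoteRails' own maintenance tooling. It assumes a Docker Compose v2 project under /opt/appliance with application data under /opt/appliance/data, a Restic repository on S3-compatible object storage supplied through the standard Restic environment variables (RESTIC_REPOSITORY, RESTIC_PASSWORD_FILE, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), and that stopping the stack for the duration of the snapshot is acceptable; all of those paths and names are constructed.

```shell
#!/bin/sh
# Added example, not RemoteRails' own tooling: a Restic-to-S3 backup that must
# succeed before a Docker Compose image update is applied.
# Assumed/constructed: compose project in /opt/appliance, data in /opt/appliance/data,
# RESTIC_REPOSITORY like s3:https://s3.example.internal/appliance-backups,
# RESTIC_PASSWORD_FILE pointing at a root-owned file with mode 600.
set -eu

COMPOSE_DIR="${COMPOSE_DIR:-/opt/appliance}"
DATA_DIR="${DATA_DIR:-/opt/appliance/data}"

# Refuse to run with an unsafe or incomplete backup configuration. Returns 0 when
# the repository is an S3 target and the password file exists with mode 600/400.
preflight() {
  repo="${1:-${RESTIC_REPOSITORY:-}}"
  pwfile="${2:-${RESTIC_PASSWORD_FILE:-}}"
  case "$repo" in
    s3:*) ;;
    *) echo "RESTIC_REPOSITORY must be an s3: target, got '$repo'" >&2; return 1 ;;
  esac
  [ -f "$pwfile" ] || { echo "password file '$pwfile' missing" >&2; return 1; }
  mode=$(stat -c '%a' "$pwfile" 2>/dev/null || stat -f '%Lp' "$pwfile")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "password file '$pwfile' has mode $mode, expected 600" >&2; return 1 ;;
  esac
}

# Snapshot the data directory, apply retention, and verify repository integrity.
# Any non-zero exit here aborts the script before the update step runs.
backup() {
  restic backup --tag pre-update "$DATA_DIR"
  restic forget --tag pre-update --keep-daily 7 --keep-weekly 4 --prune
  restic check
}

# Pull the images named by the tags in the compose file and recreate only the
# containers whose image changed.
update() {
  cd "$COMPOSE_DIR"
  docker compose pull
  docker compose up -d --remove-orphans
}

# Only touch the live system when explicitly requested, so the file can be
# sourced for its functions or used for preflight checks alone.
if [ "${RUN_UPDATE:-0}" = "1" ]; then
  preflight
  # Stop the stack so database files on disk are consistent while snapshotted.
  (cd "$COMPOSE_DIR" && docker compose stop)
  backup
  update
fi
```

Invoke it as `RUN_UPDATE=1 sh update.sh` from a session that has the Restic and S3 credentials in its environment. The components that need sequential major-version upgrades (Nextcloud, Defguard, Traefik) still require their own migration steps between `pull` and `up`; this script only guarantees that a verified backup exists before any of that begins.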
Ready to Secure Your Infrastructure?
View system requirements and deployment paths here.