BIG BOX Hosting
Get a quote
BIG BOX Hosting Services Offshore Dedicated № 02.05

Bare metal, European
jurisdiction.

Dedicated physical servers across five jurisdictions — Slovenia plus Luxembourg plus Switzerland plus Iceland plus Sweden — with no U.S. parent company anywhere in the ownership chain. Single-tenant hardware, customer-controlled encryption, an EU lawyer on the phone if a foreign agency comes knocking. From €119/month.

See pricing → Talk to an engineer
01  /  What this is

"Offshore" means jurisdiction, not lawlessness.

We host hardware in jurisdictions outside the legal reach of the U.S. CLOUD Act. We do not offer "DMCA-ignored" hosting for illegal content. The first sentence is the value proposition; the second is the boundary. Most of the offshore-hosting market conflates the two — we do not, and you will save time on the sales call by knowing the difference up front.

The phrase "offshore hosting" gets used to mean two very different things. The first meaning — the one that drives our customer base — is jurisdiction-aware infrastructure: hardware physically located in a country whose legal framework provides stronger privacy protections than the United States, operated by a company whose corporate parent is not subject to U.S. extraterritorial law. The second meaning — the one that gets most of the SEO oxygen — is "bulletproof" hosting that ignores DMCA notices, copyright takedowns, and whatever else the operator decides to ignore that month. The two markets share the word and very little else.

We are firmly in the first category. Our hardware sits in five European jurisdictions, all of which have functioning legal systems with which we comply: Slovenia (our headquarters, EU member with the most genuinely independent constitutional review of data retention legislation in the bloc — Constitutional Court Decision 1258/2009 struck down the national transposition of the EU Data Retention Directive five years before the CJEU did the same), Luxembourg (EU member with banking-grade legal infrastructure and the GDPR enforcement record that produced the largest fine in EU history), Switzerland (outside the EU but adequacy-decision country with one of the strongest national privacy laws in the world), Iceland (EEA member with constitutional protection of free expression), and Sweden (EU member with no mandatory data retention since the Tele2 Sverige ruling). A lawful order from a court in any of these jurisdictions gets the same response from us as a lawful order in any country: we comply with it.

What we do not comply with is unilateral demand from a foreign agency that does not have authority in the local jurisdiction. The U.S. CLOUD Act is the textbook example. Passed in 2018, it gives U.S. law enforcement the power to compel any U.S.-headquartered company to produce data under its control regardless of where the data physically sits. Microsoft's legal director told the French parliament under oath in June 2025 that no contractual or technical arrangement could override a properly executed CLOUD Act demand on EU customer data held by Microsoft. The corporate parent decides the jurisdiction. The address of the data centre does not. We are a Slovenian company. Our parent is a Slovenian company. We do not have a U.S. subsidiary, a U.S. office, or a U.S. employee whose discretion could be compelled by a foreign court.

What does that mean in practice? It means a U.S. agency cannot serve our corporate counterparty a demand that bypasses Slovenian legal process. They have to file through the Mutual Legal Assistance Treaty channel, which involves a Slovenian court, which involves judicial review. The process is slower, more transparent, and harder to abuse than a direct subpoena. For data hosted in Luxembourg or Switzerland or Iceland or Sweden, the same logic applies through the relevant local court — the MLAT chain terminates in the jurisdiction where the data sits, and that jurisdiction's law and constitutional protections govern the disclosure decision. In our 24 years of operating, we have responded to lawful orders from courts in five EU jurisdictions plus Switzerland. We have never responded to a unilateral demand from a non-EU agency, and we will not begin now.

02  /  The five jurisdictions

Pick the one that fits your exposure.

Each of our five locations has a different legal profile. The right one for your workload depends on what kind of pressure you are protecting against — government, commercial, copyright-trolling, or just the structural exposure of having a U.S. provider in your supply chain.

Slovenia (our HQ)
EU member state with native GDPR application. NIS2 and Data Act compliance are native. Constitutional Court Decision 1258/2009 invalidated the national transposition of the EU Data Retention Directive five years before the CJEU did the same. The Court has held the line on subsequent reinstatement attempts. Information Commissioner (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) is the supervisory authority, with maximum GDPR fines under Article 83(5). The cost basis is structurally lower than Western European hubs. Best fit for senders whose corporate counterparty profile aligns with our jurisdiction, high-throughput cost-sensitive workloads, and operations whose audience is concentrated in South-Eastern Europe.
Luxembourg
EU member state, GDPR applies natively, banking-grade legal infrastructure. The €349 million GDPR fine against Amazon in 2021 was a Luxembourg ruling — the CNPD enforces. No special-relationship intelligence treaty with the United States that would weaken local protection. Lawful interception requires a Luxembourg judge, which is a meaningful procedural barrier. Best fit for senders running European customer lists who want their primary deliverability infrastructure in the EU jurisdiction with the strongest GDPR enforcement track record, financial-tech platforms whose subscriber data overlaps with banking-related processing, and any operation whose primary concern is jurisdictional drift away from EU legal protection.
Switzerland
Outside the EU but adequacy-decision country with the revised Federal Act on Data Protection (revFADP) in force since September 2023 — one of the strongest national privacy laws globally. Long-standing tradition of resisting compelled foreign disclosure; the country is the global banking capital partly because of this. Best fit for senders handling sensitive personal data (health, financial, legal), workloads where EU jurisdiction is a feature you would rather avoid (bilateral disputes, sanctions adjacent), or anyone who simply wants the strongest privacy posture available in Europe.
Iceland
EEA member, GDPR-aligned, constitutional protection of free expression that goes beyond most EU baselines. The Modern Media Initiative framework, dormant in formal legislation but active in cultural and judicial practice, makes Iceland a popular choice for journalism platforms, whistleblower-adjacent workloads, and politically-exposed publishers. Geothermal power means lower energy costs and a smaller carbon footprint than most data centre locations. Best fit for media organisations, anyone with elevated press-freedom exposure, and workloads where the latency to North American East Coast matters.
Sweden
EU member, no mandatory data retention regime since the European Court of Justice's Tele2 Sverige ruling in 2016 invalidated the previous Swedish implementation. Strong tradition of source protection law derived from the press freedom heritage. Stockholm sits geographically between continental Europe and the Baltics — useful for senders with Nordic-heavy lists or platforms targeting Northern European users. Best fit for senders who want EU jurisdiction without the data retention obligations that other member states maintain.
─────────────────────────────────────────────────────────────────────────
02b  /  Jurisdictions side by side

Twelve dimensions, five answers.

The five jurisdictions across the legal and operational dimensions that matter at procurement time. Most of these are public records that legal teams have to assemble themselves from primary sources before they can recommend where the company should sit. We assemble the matrix once and keep it current — read the rows that match your exposure, ignore the rest.

The five jurisdictions we operate in are not interchangeable. Different threat models. Different regulatory regimes. Different operational trade-offs. The matrix below puts them side by side across twelve legal and operational dimensions that procurement and legal teams ask about during vendor evaluation, the kind of side-by-side that legal teams typically have to assemble themselves from public records before they can answer the question of which jurisdiction the company should sit in. Read the rows where the dimension matters to your specific situation. Ignore the rest. The buyers who already know which dimensions matter to them have half the answer before reading the table.

Dimension Luxembourg Switzerland Iceland Sweden Slovenia
// regulatory framework
EU member Yes No (equivalence) No (EEA) Yes Yes
GDPR applicability Native FADP equivalence Native via EEA Native Native
Data Act compliance (Sept 2025) Native, Chapter VII operator Equivalent via FADP Native via EEA Native Native
NIS2 directive scope Yes, applies Outside scope Via EEA, partial Yes, applies Yes, applies
// secrecy & disclosure
Professional/banking secrecy Strong (Article 41) Strong (Article 47 BankG) Standard EU Standard EU Standard EU
Constitutional press freedom Standard EU charter Standard charter IMMI-grade protections Strongest in EU (since 1766) Standard EU charter
CLOUD Act exposure None (no US presence) None None None None
MLAT response time (typical) 6-9 months 9-14 months 9-12 months 5-8 months 8-12 months
// retention & encryption
Mandatory data retention None (post-2014 invalidation) None for ISP/email None None (post-Tele2 Sverige) None (post-2014 CCR)
Encryption mandate / backdoor No No No No No
// operational profile
Average bare-metal cost basis Mid (€) High (€€) Mid-high (€€) Mid (€) Low (€)
Network latency to EU centroid 12-18 ms 15-22 ms 35-55 ms 25-35 ms 28-40 ms
Best fit profile Financial-services compliance, EU corporate seat needs High-secrecy / non-EU jurisdiction posture, SVR-grade Press freedom + journalist protection use cases EU + maximum constitutional press freedom Cost-sensitive EU sender, lower regulatory load

Two patterns visible in the matrix. Luxembourg and Switzerland sit at the regulated-EU end. Iceland and Slovenia sit at the operational-flexibility end. Sweden splits the difference. Luxembourg pairs predictable EU-style data protection with professional-secrecy provisions specific to financial-services hosting that few other EU jurisdictions match. Switzerland pairs EU-equivalent data protection with banking-secrecy provisions and a non-EU jurisdiction sitting outside the GDPR territorial scope despite the equivalence agreements that govern most operational scenarios. Iceland leans into constitutional press freedom — the same protections newspapers and broadcasters operate under, applied to data hosting through case law that has held up. Slovenia leans into a less restrictive regulatory environment combined with the lowest cost basis in our network. The right jurisdiction matches the buyer's exposure profile. The wrong jurisdiction is worse than no jurisdiction story. It produces false confidence about protections that do not actually apply when tested.

─────────────────────────────────────────────────────────────────────────
03  /  The hardware

Real metal, your keys.

Bare metal, not virtualised. Single-tenant, not shared. Customer-controlled encryption keys with the option to run your own HSM. Hardware specs that look like 2026 rather than 2018.

The default offering is AMD EPYC bare metal — current-generation Genoa or Bergamo depending on what is in stock at the chosen facility — with ECC DDR5 memory, NVMe SSD storage, and 1 Gbps unmetered bandwidth as standard. The 10 Gbps tier is available at every location for workloads that need it. Hardware is dedicated to the customer; no virtualisation layer between you and the metal unless you provision it yourself. IPMI access is included for full out-of-band management, with the option to disable it entirely if your threat model rules out remote KVM access.

The encryption posture is simple and customer-controlled. Full-disk encryption is available on every plan; the keys live on your side, not ours. Our operators cannot decrypt the disk to satisfy a hypothetical legal order because we do not have the key material. The standard implementation is LUKS for Linux workloads, BitLocker for Windows. For higher assurance, we support customer-managed HSMs — bring your own YubiHSM or Thales Luna, we install it physically in the rack, and the key material never leaves your custody. This is the architectural pattern the EU Data Act explicitly endorses in Chapter VII as one of the technical measures that meaningfully protects EU customer data from third-country government access.

Default hardware tiersbaseline configurations
Starter      # €119/month, single-socket
  CPU:        AMD Ryzen 7 7700X / Intel Xeon E-2488
  Cores:      8 physical (16 threads)
  RAM:        64 GB DDR5 ECC
  Storage:    2 × 1 TB NVMe SSD (RAID-1)
  Network:    1 Gbps unmetered
  IPs:        5 × IPv4 + /64 IPv6

Professional # €249/month, dual-socket
  CPU:        AMD EPYC 9354P / Intel Xeon Gold 6444Y
  Cores:      32 physical (64 threads)
  RAM:        256 GB DDR5 ECC
  Storage:    2 × 3.84 TB NVMe SSD (RAID-1)
  Network:    1 Gbps unmetered (10 Gbps option +€60/mo)
  IPs:        5 × IPv4 + /64 IPv6

Enterprise   # Custom, from €489/month
  CPU:        AMD EPYC 9654 / Intel Xeon Platinum
  Cores:      64 to 128 physical
  RAM:        512 GB to 3 TB DDR5 ECC
  Storage:    Custom NVMe array, optional Optane / SAS hybrid
  Network:    10 Gbps minimum, 25 Gbps option
  IPs:        Custom allocation, /29 ranges available

The network is our own. We run our own provider-independent address space, peered into the European internet since 2003 — over twenty years of operating history. BGP anycast is available for workloads that need geographic redundancy. IPv6 is allocated as a /64 per server by default, with /48 ranges available for clients that need them. Reverse DNS is fully configurable on every IP — the address resolves to your hostname, not to an opaque provider string.

The other thing the network gives us is peering control. We choose our transit providers and we choose our peering partners. None of our IPv4 transits route through U.S.-controlled networks for European destinations — traffic between European locations stays on European backbones (DE-CIX, AMS-IX, NetIX, Equinix Stockholm) without transiting through hyperscaler infrastructure. The latency benefits are incidental; the sovereignty benefits are the point.

Sovereignty is not achieved by choosing a provider that promises to protect data — it is achieved by deploying architecture in which the provider is technically incapable of betraying that promise, because they never had the access that would make betrayal possible. — EU Data Act / GDPR sovereignty analysis, March 2026
─────────────────────────────────────────────────────────────────────────
04  /  What's included

Hardware and the operations around it.

The €119 monthly price covers the metal, the bandwidth, the IP addresses, and the operational layer that keeps the box useful — patch monitoring, hardware replacement, network monitoring, basic security hardening. Not a bare-bones lease; a working server.

Bare-metal hardware
Single-tenant, dedicated physical server. Spec ranges from Starter to Enterprise as documented above. Hardware faults are replaced at our expense within 4 hours of detection — we keep cold-spare inventory on-site at every facility for the standard SKUs.
5 IPv4 + /64 IPv6
Five IPv4 addresses included on every plan with full PTR/forward DNS configurable. IPv6 /64 allocation per server. Additional IPv4 at €4 per address per month (RIPE charges us, we pass through with no markup). /29 IPv4 ranges available on Professional and Enterprise tiers.
1 Gbps unmetered (10 Gbps option)
Bandwidth is unmetered at 1 Gbps as standard. No traffic-tier surprise charges, no overage at month-end. 10 Gbps option at +€60/month for Professional, +€100/month for Enterprise. Burst capacity available at every facility for traffic spikes.
IPMI / BMC access
Out-of-band management via dedicated management network. KVM-over-IP, virtual media, hardware event logs. Can be disabled on request for higher-assurance threat models.
OS install & reinstall
Any modern Linux (Debian, Ubuntu, RHEL, AlmaLinux, Rocky), FreeBSD, or Windows Server. Custom ISO upload supported. Reinstallation any time at no charge — not chargeable as a "support incident".
Full disk encryption support
LUKS or BitLocker installation supported as a standard pattern. Customer-managed keys; we do not retain key material. Optional HSM installation in the rack on Professional and Enterprise tiers — we will rack your YubiHSM or Thales Luna and wire it into the management network.
DDoS protection
Layer 3-4 mitigation included up to 100 Gbps. Layer 7 application-level mitigation available as a paid add-on (€40/month) when needed. Most clients do not need L7 unless they have a specific workload that attracts targeted application attacks.
Co-location option
For clients who want to own the hardware outright, we offer co-location at every facility. Bring your own metal — we provide rack space and power, with the network and remote hands. Pricing is by U at standard rack rates — typically €80-150/U/month depending on facility and power density.
Lawyer on call
Less common, but worth listing: when a foreign agency makes contact about data on a server we operate for you, we route the request to legal counsel in the relevant jurisdiction — Slovenian counsel for our corporate counterparty, local counsel in Luxembourg, Switzerland, Iceland, or Sweden for data hosted in those facilities. We do not engage with unilateral demands ourselves; we route them to counsel and to you.
─────────────────────────────────────────────────────────────────────────
04b  /  What "offshore" means in 2026

The marketing word and the actual posture.

Three things "offshore" used to mean, and how each has aged after Schrems II, the Data Act, and the rolling tightening of EU regulatory expectations. The marketing-word version of offshore is half-dead in 2026. The structural-posture version is the thing buyers should actually be evaluating, and most marketing pages do not survive that evaluation.

Three things "offshore" used to mean. The first was geographic — your data sits somewhere other than the buyer's home jurisdiction. The second was legal — the hosting jurisdiction has different disclosure obligations than the buyer's. The third was operational — fewer questions asked, weaker KYC, less paperwork. Each meaning has aged differently. The geographic meaning is intact but no longer sufficient on its own to provide the protection a buyer expects. The legal meaning still applies, though the gaps between jurisdictions have narrowed substantially since the GDPR took effect in 2018, the Schrems II decision invalidated the Privacy Shield framework in 2020, and the EU Data Act became fully applicable on 12 September 2025 with material implications for cross-border data processing arrangements. The operational meaning is dead at any reputable provider. Dead. The providers who still sell it are operating in regulatory grey-zones that buyers should not associate themselves with regardless of how well the marketing copy reads.

What offshore actually means in 2026 is structural, not promotional. A genuine offshore posture has three components — a corporate counterparty in a jurisdiction with predictable rule of law and meaningful constitutional or statutory protections, operating infrastructure physically located in that jurisdiction with verifiable on-the-ground presence rather than virtual reseller arrangements, and an absence of legal entry points from the buyer's threat-model jurisdictions. The first two are observable. The third requires the kind of legal due diligence that most buyers do not run themselves and that most marketing pages do not survive. We publish our corporate structure and our legal opinions on each of the five jurisdictions because the alternative is asking buyers to trust the marketing copy, and we have read enough offshore hosting marketing copy to know that the gap between what is claimed and what is true is wider than the buyer realises.

The five jurisdictions we operate in were chosen against this definition. Each has a predictable rule of law and meaningful protections. Each has operating infrastructure we own or directly control. Each has been audited internally by counsel for legal entry points before we deployed there. The selection is not exhaustive — we could have added more jurisdictions and chose not to, because three additional candidates we evaluated did not pass internal due diligence in 2024 and 2025. Buyers can ask which jurisdictions failed and why. We will tell them, on a discovery call rather than in published material, because the legal positioning of those rejected jurisdictions is more delicate than a marketing page can carry responsibly.

─────────────────────────────────────────────────────────────────────────
05  /  What it costs

€119 / month, jurisdiction included.

Pricing varies by location — Slovenia is the cheapest, Switzerland the most expensive, the others sit between. Numbers below are for our most common configuration; bespoke specs get quoted by mail.

Starter Single-socket, RO / SE
  • AMD Ryzen 7 / Intel Xeon E, 8 physical cores
  • 64 GB DDR5 ECC RAM
  • 2 × 1 TB NVMe SSD (RAID-1)
  • 1 Gbps unmetered, 5 IPv4 + /64 IPv6
  • Provisioning in 1-3 business days
  • OS install & reinstall any time
  • Hardware replacement within 4 hours
€119 per month, RO location Pick Starter →
Professional Dual-socket, LU / IS / SE
  • AMD EPYC / Intel Xeon Gold, 32 physical cores
  • 256 GB DDR5 ECC RAM
  • 2 × 3.84 TB NVMe SSD (RAID-1)
  • 1 Gbps unmetered (10 Gbps +€60)
  • 5 IPv4 + /64 IPv6, /29 ranges available
  • IPMI access, custom ISO support
  • Provisioning in 1-5 business days
€249 per month, LU/IS/SE Pick Professional →
Enterprise Custom build, all locations
  • AMD EPYC 9654 / Intel Xeon Platinum
  • 64-128 cores, 512 GB to 3 TB RAM
  • Custom NVMe array, hybrid storage option
  • 10 Gbps minimum, 25 Gbps available
  • HSM installation supported
  • Co-location and BYO hardware option
  • 1-hour SLA, named on-call engineer
From €489 per month, by config Talk to sales →

Switzerland adds approximately +20% to listed prices due to the higher facility costs and the import duty on hardware. Iceland adds approximately +10%. Slovenia subtracts approximately -15% from the Starter / Professional baseline.

─────────────────────────────────────────────────────────────────────────
06  /  Common questions

Offshore dedicated, specifically.

Questions specific to offshore-dedicated deployments — privacy posture, intake review, abuse handling. For the broader network topics, payment, support tier or deliverability fundamentals, the main FAQ is more direct.

01 Is this DMCA-ignored hosting? +
No. The Digital Millennium Copyright Act is U.S. federal law; it does not apply in Luxembourg, Switzerland, Iceland, Sweden, or Slovenia, so there is nothing for us to "ignore" — DMCA notices are not legally binding on us in the first place. What that means in practice is that frivolous DMCA fishing, fraudulent takedown notices, and the kind of automated copyright complaints that flood U.S. providers do not affect us. Lawful copyright orders from a court in our operating jurisdictions are honoured. If a French court orders takedown of a specific work hosted on hardware we operate in our French peering, we comply with the French court order. The relevant question is not "do you ignore DMCA" but "what is your legal framework for handling copyright claims" — and the answer is "due process in the relevant jurisdiction".
02 Will my data be safer on Switzerland or Iceland than on Luxembourg? +
Probably not in any way you can use. The differences between the five jurisdictions matter at the margin — Switzerland's revFADP is slightly stronger than Luxembourg GDPR on some specific points; Iceland's free-expression protections go beyond what most EU countries have constitutionally; Sweden has no mandatory data retention. But for the workloads most senders are protecting (subscriber lists, engagement logs, financial records, internal communications) all five jurisdictions provide substantially equivalent protection, and the marginal differences only matter if you have specific exposure that maps to one jurisdiction's particular feature. The honest recommendation: pick Slovenia for cost and corporate-jurisdiction match with our HQ, Luxembourg for EU financial-services posture, Switzerland or Iceland for the strongest privacy posture, Sweden if your traffic profile leans Nordic. We will help you decide during the intake call.
03 What happens if a U.S. agency makes contact about my server? +
They have to file through the Mutual Legal Assistance Treaty (MLAT) channel between the United States and the relevant European jurisdiction. That means a request goes to the U.S. Department of Justice, then to the central authority in the EU country where the server lives, then through that country's court system before any legally binding instruction reaches us. The process is slow (typically 6 to 18 months), transparent (the request is logged and reviewable), and constrained (the requesting country has to demonstrate the request meets local legal standards). Compare this with the CLOUD Act process for U.S. providers, which is direct: U.S. agency serves provider, provider produces data within days, customer is often not notified at all. We will tell you if we ever receive a lawful request that affects your data — that is part of the contract, with appropriate carve-outs only for the specific cases where notification is itself unlawful (gag orders are extremely rare in EU jurisdictions and we have never been served one).
04 Can I run anonymous services? .onion sites? VPN exits? +
.onion services are fine — they are within scope for our customer base and we have a stable population of clients running them — journalism operations alongside whistleblower platforms and privacy-advocacy groups. Tor exit relays are case-by-case; we permit them on Slovenian and Swedish hardware with a documented operating policy, but not from Luxembourg or Switzerland because the abuse-handling burden on the local NOC is too high. Commercial VPN exit nodes are permitted with the standard intake review — we host several legitimate VPN providers, but we screen intake to avoid the handful of operators who use VPN as a wrapper for affiliate-link spam or click fraud. The honest framing: we are not a "no questions asked" provider, but the questions we ask are about whether you will harm our network's reputation, not about whether you are interesting to a U.S. surveillance program.
05 Do you accept anonymous signup? Crypto-only? +
Anonymous signup, no — we are a Slovenian d.o.o. subject to Slovenian KYC requirements at the financial level. We need a real customer of record for billing purposes, with enough information to issue a tax-compliant invoice. What we do not need is detailed identification beyond that: a working email, a billing address, a payment method that resolves. We have customers who use forwarding addresses and shell companies; that is fine as long as the entity exists and the payment clears. Crypto-only payment is supported and frequently used — Bitcoin, Ethereum, Litecoin, USDT, USDC. The invoice still goes to a registered customer of record; the funds come from wherever you choose. No PII beyond billing necessity is retained.
06 What is the latency between your offshore locations? +
Roughly, over our own backbone with own-network routing where possible: Ljubljana ↔ Luxembourg is 36-42ms, Ljubljana ↔ Zurich 32-38ms, Ljubljana ↔ Stockholm 38-44ms, Ljubljana ↔ Reykjavík 70-80ms. Luxembourg ↔ Zurich 18-24ms, Luxembourg ↔ Stockholm 22-28ms, Luxembourg ↔ Reykjavík 45-55ms, Luxembourg ↔ Frankfurt peering 8-12ms, Luxembourg ↔ Amsterdam peering 10-14ms. Zurich ↔ Stockholm 28-34ms. Stockholm ↔ Reykjavík 38-44ms. Public-internet paths can be longer when peering breaks down somewhere. For workloads that need cross-location replication or load-balancing, Luxembourg pairs well with Frankfurt and Amsterdam peering for a low-latency Western European triangle; Ljubljana pairs well with Zurich and Stockholm for a continental EU spread; Reykjavík is best treated as an edge location that rides the transatlantic cable.
─────────────────────────────────────────────────────────────────────────
08  /  The legal protection ladder

Exposure profile → jurisdiction recommendation.

How we route prospects through the five jurisdictions during the discovery call. Empirical, not theoretical — the percentages reflect the actual distribution of our offshore-dedicated client base across the five jurisdictions, derived from the patterns we observe rather than from marketing positioning. Read down to find the row that matches your exposure profile.

The decision matrix at the top of the page covers every dimension. The decision rarely depends on every dimension. Most buyers walk into the discovery call with a specific exposure profile and need a recommendation, not a comparative analysis. The ladder below maps exposure profiles to jurisdictional recommendations, the way we structure the conversation when a prospect asks "which one for us." The ladder is opinionated. It also tracks how 80%+ of our offshore-dedicated deployments actually distribute across the five jurisdictions, because the recommendations are derived from the patterns we observe rather than from theoretical positioning.

Exposure profile Why this profile lands here Recommendation % of base
EU financial-services sender
regulated, EU corporate seat needed		 Article 41 professional secrecy plus EU regulatory predictability. Procurement committees recognise the jurisdiction without explanation. Luxembourg 38%
High-secrecy / non-EU posture
private banking, high-net-worth, sensitive corporate		 Article 47 BankG banking secrecy combined with non-EU territorial scope. The strongest secrecy regime we offer. Switzerland 21%
Press freedom / journalist hosting
investigative media, source protection critical		 IMMI-grade constitutional protections, applied to data hosting through case law that has held up in adversarial proceedings. Iceland 9%
EU sender, max press freedom
EU regulatory comfort, expressive content		 Tryckfrihetsförordningen offers the world's strongest constitutional press freedom (since 1766) within EU regulatory frame. Sweden 14%
Cost-sensitive EU sender
EU jurisdiction needed, budget tight		 Lowest cost basis in our network, full EU regulatory frame, mature carrier-neutral data centre market in Ljubljana. Slovenia 18%
Multi-jurisdiction redundancy
enterprise with high availability + legal diversification		 Two or three jurisdictions selected for legal-diversification, not just geographic redundancy. Common pattern: LU + CH + IS for journalism, LU + RO for cost-sensitive scale. Multi-site ~12% overlap

The ladder collapses at the discovery call into a 20-minute conversation. We walk through your specific exposure — what you are protecting, who you are protecting against, what regulatory regime applies to you, what the buyer's home jurisdiction looks like — and recommend one jurisdiction with one reasoning. Sometimes the recommendation is "you do not need offshore at all, your home jurisdiction works for what you are doing." About 1 in 5 of these calls ends that way. The honest answer wins long-term customers more than the upsell does. If the recommendation is offshore, the ladder above tells you which one it will be before we say it on the call.

─────────────────────────────────────────────────────────────────────────

Pick a jurisdiction, not just a price.

A 30-minute call where we walk through the workload, the threat model, and the relative trade-offs across the five locations. We will help you pick — including telling you when one of the cheaper U.S. providers is genuinely fine for your situation and you do not need offshore at all. The honest answer wins customers more often than the hard pitch.

[email protected] Read jurisdiction notes