Business Privacy Stack - Offshore Self-Hosted Infrastructure

Replace commercial SaaS with self-hosted equivalents on your Iceland VPS: | Commercial Tool | Self-Hosted Alternative | Privacy Benefit | |---|---|---| | Google Workspace | Nextcloud + Collabora | No Google data access | | Slack/Teams | Matrix (Element) | E2E encrypted by default | | Gmail | Postfix + Dovecot + Roundcube | Your mail server, your rules | | Zoom | Jitsi Meet | No Zoom data collection | | Notion | Outline or Bookstack | No Notion data access | | Trello/Asana | Plane.so or Focalboard | No SaaS vendor access | | Salesforce/HubSpot | Twenty CRM | Client data on your server | | Google Analytics | Plausible | No Google visitor tracking | This stack on a 4 vCPU, 16GB RAM Iceland VPS serves a 20-50 person company. Annual VPS cost: approximately $1,500/year. Equivalent Google Workspace + Slack + Zoom for 20 people: $12,000-25,000/year.

Email is the most critical business communication channel. Self-hosted email requires more maintenance than Gmail but provides complete data control. iRedMail provides a complete mail server stack (Postfix + Dovecot + Roundcube + SpamAssassin) via installer: ```bash wget https://github.com/iredmail/iRedMail/releases/download/1.7.0/iRedMail-1.7.0.tar.gz tar xf iRedMail-1.7.0.tar.gz && cd iRedMail-1.7.0 bash iRedMail.sh ``` iRedMail setup wizard asks: server hostname, admin password, first domain, first email address. The installer configures everything including SPF/DKIM/DMARC. Critical requirements for deliverability: - PTR (reverse DNS) record matching your mail server hostname - request this from Anubiz Host support - SPF record in DNS: v=spf1 ip4:YOUR_VPS_IP -all - DKIM record in DNS (iRedMail generates this during install) - DMARC record: v=DMARC1; p=quarantine; rua=mailto:postmaster@yourdomain.com Without correct PTR record, most email providers will mark your email as spam.

At-rest encryption for business data: **File storage encryption:** Nextcloud's server-side encryption protects files stored on disk. Even if physical server access were obtained, files are encrypted. Key: manage encryption keys carefully - losing keys means losing data. **Database encryption:** PostgreSQL transparent data encryption (TDE) is complex. Simpler: encrypt the database volume (LUKS) and use SSL for database connections. Application-level encryption (encrypting specific fields before database storage) for the most sensitive data. **Communication encryption:** All Matrix rooms configured as end-to-end encrypted. This means even your Iceland server cannot read the message content - the server stores encrypted messages. Keys exist only on client devices. **Backup encryption:** All backups encrypted with GPG before transfer to backup location: ```bash # Create encrypted backup: tar czf - /var/data | gpg --symmetric --cipher-algo AES256 > backup_$(date +%Y%m%d).tar.gz.gpg ``` The backup file requires your GPG passphrase to decrypt. Store backups on a second VPS or object storage.