Security commitment

Managed access, fewer exposed controls.

selfhost.tools is built so customers use the hosted app while we handle the operational layer. We protect instance access, subscription records, support messages, and provisioning state as security-sensitive data.

Managed Security plan

$15.99/mo

Secure checkout. Private instance ready in 24 hours. Cancel anytime.

Private URL

24h setup

Managed ops

Security

We are GDPR compliant and support privacy and security requests through our contact process.

Security posture

Access stays focused on the app, not the infrastructure.

The service is designed to reduce exposed controls while keeping support, monitoring, and disclosure paths clear.

Access model

Customers receive the private app URL and login details needed to use the service. We do not expose server credentials, raw provider dashboards, or provisioning internals.

  • Private URL
  • App login details
  • No server credentials
  • Support contact

Managed operations

The managed plan includes operational safeguards for the hosted service, including backups, automatic updates, monitoring, and support.

  • Backups
  • Automatic updates
  • Security monitoring
  • Technical support

Responsible disclosure

Send security reports with enough detail for us to verify the issue. Do not access other customers' data, interrupt active accounts, or test beyond what is necessary to prove impact.

  • Affected URL
  • Steps to reproduce
  • Expected impact
  • Your contact email

Security commitment

How we protect access, data, and operations.

Data protection

GDPR compliance is part of the operating model.

We handle account, checkout, support, and instance-management data according to GDPR principles: clear purposes, limited collection, appropriate safeguards, and support for data subject requests.

Controller and processor roles

For account, billing, and support data, selfhost.tools acts as controller. For customer content inside a managed app, we generally act as processor for the customer.

Rights handling

We support requests to access, correct, delete, restrict, port, or object to processing where those rights apply.

Purpose limitation

We use customer data to provide managed hosting, process payment, provision instances, provide support, secure the service, and meet legal obligations.

Operational safeguards

We reduce customer exposure by keeping hosting controls out of the user path.

Customers should not need to manage infrastructure accounts to use a hosted open-source tool. That reduces accidental configuration changes and avoids exposing raw provider credentials.

Credential boundaries

Server, DNS, provider, and automation credentials are kept out of the customer console and are never sent through public pages.

Provisioning state

Hosted tool URLs, subscription state, provisioning status, and tenant ownership are treated as sensitive operational records.

Monitoring and continuity

Backups, updates, monitoring, and support are managed as part of the subscription so customers can focus on the application.

Disclosure process

Report issues clearly and avoid harming other customers.

Security research must be limited, targeted, and non-destructive. If you believe you found a vulnerability, stop once you can show impact and send us the details.

Include evidence

Send the affected URL, the behavior you observed, reproduction steps, expected impact, and any relevant timestamps.

Do not access private data

Do not view, copy, modify, delete, or exfiltrate another customer's data, workflows, credentials, or subscription information.

No disruption

Do not run denial-of-service tests, spam forms, bypass payment, or attempt persistence in any system.

Security questions

Clear rules for safe reporting.

Security reports should be specific, non-destructive, and limited to the information needed to verify impact.

GDPR compliant

No server credentials

Responsible disclosure

Are you GDPR compliant?

Yes. selfhost.tools is GDPR compliant for the personal data we control and supports GDPR request handling for customers and users where applicable.

Do customers get server access?

No. Customers receive access to the hosted application. Server credentials, provider dashboards, and provisioning internals are not exposed to customers.

How do I report a security issue?

Use the contact form with the Security disclosure topic. Include the affected URL, impact, clear reproduction steps, and a contact email.

Can I run automated security testing?

Do not run disruptive scans, denial-of-service tests, spam, credential stuffing, or tests against other customers. Contact us first for anything beyond narrow verification.