What is privacy-grade hosting?

Privacy-grade hosting describes infrastructure where the operational properties actually support a sophisticated threat model rather than marketing the appearance of privacy. The distinguishing properties: structural no-KYC (provider has no identity database to leak), self-hosted cryptocurrency payment infrastructure (no third-party processor intermediation), AS-level infrastructure ownership (no upstream visibility), jurisdictional structure that resists cross-border legal pressure, encrypted operational communications, and audit-resistant data handling. Generic "offshore hosting" marketing without these structural properties does not produce privacy-grade infrastructure.

What businesses actually need privacy-grade infrastructure?

VPN operators, encrypted messaging platforms, privacy-focused SaaS (password managers, encrypted note services, anonymous tools), journalism platforms handling source material, security researchers, opposition political infrastructure in restrictive jurisdictions, whistleblower platforms, cryptocurrency privacy tools, certain legal services handling sensitive client data, and businesses operating under regulatory threat from hostile actors. Most businesses do not need this tier; for those that do, the structural properties are operationally non-negotiable.

How does ASH differ from generic offshore hosting?

Three operational differences. First, structural no-KYC: we have not built a customer identity database, so we cannot apply verification retroactively even if pressured. Many offshore providers market no-KYC but maintain identity data they may produce under sufficient pressure. Second, self-hosted crypto infrastructure: our BTCPay Server runs on our own Bitcoin Core node, our Monero acceptance runs through our own daemon, no third-party processor sees transaction metadata. Third, AS-level ownership in primary jurisdictions: we operate our own Autonomous System numbers and IP ranges rather than reselling from larger upstreams who would have visibility into our customer traffic.

What does "AS-level ownership" actually mean for privacy?

An Autonomous System is the unit of independent network operation in the global routing system. Providers operating their own AS number announce their own IP ranges to the internet directly, peer with upstreams as networks, and control their own infrastructure routing. Providers reselling from upstreams operate within the upstream's AS and route through upstream infrastructure. The upstream sees all customer traffic at the routing level, can apply traffic analysis, can be pressured to produce data about specific IP usage. AS-level providers operate at the same layer as their upstreams rather than within them.

How is self-hosted BTCPay different from accepting Bitcoin via processor?

A processor (BitPay, Coinbase Commerce, OpenNode for Lightning) sits between the customer and the merchant. The processor sees the customer's wallet, the merchant identity, the transaction amount and timing, the IP address making the payment, and other metadata. The processor maintains this in their database and is subject to legal process for that data. Self-hosted BTCPay connects the customer wallet directly to the merchant's own Bitcoin Core node. The only record is what the public blockchain already exposes, plus whatever the merchant chooses to retain internally. For threat models including processor-level surveillance, the difference is operationally significant.

What about court orders and law enforcement requests?

We respond to lawful process from the jurisdiction where the relevant infrastructure operates. We do not respond to extraterritorial requests that lack force in our operating jurisdictions. We do not produce customer data we do not have: we have no government ID database, no payment processor records linking customer wallets to identities, no logs of customer-side operational traffic. The data minimization approach is structural rather than policy-based: we cannot produce what we have not collected.

How do you balance privacy with operational requirements?

We need to know enough to operate the service: the email customer used at signup, the infrastructure resources they purchased, the cryptocurrency address that paid for service. We do not need to know government identity, real name, physical address, or beyond what is necessary for service operation. The boundary is operational necessity. We collect the minimum data required to operate the customer relationship and structurally cannot collect more even if pressured.

What jurisdictions does ASH operate in for privacy-grade customers?

Bulgaria (EU, GDPR-aware), Romania (EU, less aggressive enforcement than Western EU), Moldova (non-EU, slow legal process), Panama (Latin American, jurisdictional distance from EU/US), Hong Kong (Asia-Pacific specific characteristics), Singapore (Asia-Pacific business jurisdiction), Ukraine (specific operational considerations given ongoing situation). Customers select pop based on their threat model and audience. Multi-pop deployments distribute risk across jurisdictions.

Structural · Self-hosted · AS-level · Data minimization

Hosting for Privacy-Grade Businesses
infrastructure where the privacy properties are structural.

Most "privacy-focused hosting" markets the appearance of privacy without the operational properties to support it. For businesses where threat models actually matter, the gap between marketing and reality produces failures at exactly the moment when failures are most costly.

Quick answer

Privacy-grade business hosting describes infrastructure with operational properties that actually support sophisticated threat models: structural no-KYC (no identity database to leak), self-hosted cryptocurrency payment (no processor intermediation), AS-level infrastructure ownership (no upstream visibility), jurisdictional structure resisting cross-border legal pressure, encrypted operational communications, and data minimization in customer records. Generic offshore hosting markets the appearance of these properties without the structural reality. Customer profiles needing genuine privacy-grade hosting include VPN operators, encrypted messaging platforms, journalism infrastructure, privacy-focused SaaS, opposition political operations, whistleblower platforms, and cryptocurrency privacy tools.

Key facts about privacy-grade hosting

Structural vs presentational no-KYC: Structural means the provider has not built an identity database. Presentational means the provider markets no-KYC but maintains data they may produce under pressure. The distinction matters in adversarial situations.
Processor-mediated vs self-hosted crypto: BTCPay Server with provider's own Bitcoin Core node is structurally different from accepting Bitcoin via BitPay, Coinbase Commerce, or similar processors. Processors maintain databases linking wallets to merchant identities.
AS-level operations: Provider operates own Autonomous System number and IP ranges. Routing visibility stays within provider rather than flowing through upstream networks. Different from reseller models.
Data minimization: Provider collects only operational necessity (email used at signup, infrastructure ordered, crypto address that paid). No government ID, real name, physical address, phone verification.
Encrypted operational communications: Support via PGP-encrypted email, Signal, Telegram (with caveats about Telegram's e2e being optional), Matrix. Avoid plaintext channels for sensitive operational discussions.
Jurisdictional diversity: Operate in multiple jurisdictions outside customer's home country. Customer can place infrastructure in jurisdiction with appropriate distance from threat actors.
Legal process posture: Provider responds to lawful process from operating jurisdictions. Does not honor extraterritorial requests without force in operating jurisdictions. Does not produce data the provider does not have.
Operational transparency: Provider documents their actual posture rather than marketing aspirational claims. Customers can verify operational properties before committing.

Why marketing-grade privacy hosting fails real threat models

The privacy-focused hosting segment has substantial marketing investment relative to actual operational depth. Many providers market the visual signifiers of privacy (lock icons, words like "secure" and "anonymous") without operational properties that support sophisticated threat models.

The failure modes are predictable when actual threat models are tested.

The KYC-after-signup pattern

Provider markets no-KYC. Customer signs up. Provider operates normally for some period. Then provider requests government ID verification, often citing "compliance" or "fraud prevention." The customer either provides ID (defeating the privacy premise) or loses service (losing whatever data was deployed). The pattern is documented across multiple competitors in the segment with paid review channels obscuring the organic customer reports.

The processor-mediated crypto leak

Provider accepts Bitcoin. Customer assumes this provides payment privacy. Provider actually uses BitPay, Coinbase Commerce, or similar processor under the hood. Processor maintains database linking customer wallet, merchant identity, transaction details, and customer IP address. Under sufficient legal pressure, the processor produces this database. The customer's "anonymous" Bitcoin payment is fully traceable.

The reseller upstream visibility

Provider markets independent operation. Provider actually resells from larger upstream (LeaseWeb, Hetzner, OVH, others). Upstream operates the actual infrastructure and sees all customer traffic at the routing layer. Upstream may be subject to legal process the provider is not. The customer's traffic flows through infrastructure the customer's chosen provider does not actually control.

The jurisdictional theater

Provider markets exotic jurisdiction (Seychelles, Belize, Vanuatu). Customer assumes this provides legal distance from threats. Provider's actual infrastructure operates in conventional jurisdiction (US, EU, Singapore) where legal process has standard force. The corporate registration in the exotic jurisdiction is paper-only without operational infrastructure to match.

The data retention drift

Provider markets minimal data collection. Provider actually retains substantial operational logs (login times, IP addresses, support correspondence, payment metadata). Under legal pressure, provider produces logs they claimed not to keep. The marketing claim and operational reality diverge.

The structural properties that produce real privacy

Genuine privacy-grade infrastructure has operational properties that are structural rather than presentational. The properties are difficult to fake because they require actual operational investment.

No customer identity database

The provider has not built systems to collect, store, or retrieve customer identity information. Government ID, real name, physical address, phone numbers are not collected at any point in the customer lifecycle. The data minimization is enforced by the absence of data infrastructure, not by policy that could be reversed under pressure. This property is testable: customers can attempt to provide identity information and observe whether the provider has fields to accept it.

Self-hosted cryptocurrency payment

The provider operates their own BTCPay Server connected to their own Bitcoin Core full node. Customer wallets connect directly to the provider's node. No third-party processor sits in the path. The only data leaving the provider's infrastructure during payment is what the public blockchain itself exposes. Monero payments use the provider's own Monero daemon for the same reason. Customers can verify this property by examining the payment flow in the provider's interface and confirming the absence of third-party processor branding.

Autonomous System ownership

The provider operates their own AS number and IP ranges. The provider's BGP announcements identify them as the origin AS for their IP ranges. Peering relationships with internet exchanges and tier-1 providers happen at the provider's AS rather than through an upstream. This is verifiable via public BGP data (bgp.tools, RIPE, ARIN, others). Customers can look up the provider's IP ranges and verify the origin AS matches the provider's published AS number.

Multi-jurisdiction operational footprint

The provider operates actual infrastructure in multiple jurisdictions rather than maintaining paper presence. Verifiable through traceroute analysis, BGP advertisement, infrastructure documentation. The infrastructure produces operational latency characteristics that match the claimed locations. Customers can verify by deploying test infrastructure and measuring latency to known geographic points.

Data minimization at protocol level

The provider's customer support communications, billing systems, and operational records collect minimum necessary data. Support tickets are not retained indefinitely. Payment records exist for accounting necessity but do not retain unnecessary metadata. Operational logs are aggregated rather than per-customer where possible. The principle of "what we don't have, we can't produce" guides system design.

Encrypted communication channels

Operational communications support PGP-encrypted email, Signal, and other encrypted channels. The provider's team uses these channels rather than just supporting them as optional. Customers can communicate sensitive operational details (specific configurations, threat-relevant operational changes) without producing readable transit records.

What "privacy-grade business" actually means

Not every business needs privacy-grade infrastructure. For most, generic hosting is operationally adequate. The customer profiles that genuinely benefit have specific characteristics.

Direct adversarial threat model

The business has identifiable adversaries who would actively work to compromise the business's operations: hostile governments, organized criminal operations, well-resourced corporate competitors with legal aggression history, harassment campaigns. The threat is not theoretical.

Custodial responsibility for sensitive data

The business holds data whose compromise would significantly harm users or third parties: encryption keys, journalism source material, opposition political organizing, financial data of users in hostile jurisdictions, legal client communications.

Regulatory threat in operating jurisdiction

The business operates in a jurisdiction where regulators may take adverse action against the business or its users: certain cryptocurrency operations under unclear regulatory frameworks, journalism critical of host country government, opposition political work under authoritarian governments.

Operational continuity under pressure

The business needs to continue operating even when legal or regulatory pressure mounts against it. Privacy-grade infrastructure provides operational resilience that ordinary hosting does not, because the infrastructure cannot be compelled to produce data it does not have or terminate service without specific cause in its operating jurisdiction.

The categories of privacy-grade customers we serve

VPN operators

VPN services need infrastructure that does not log user activity at the upstream layer. Self-hosted infrastructure (rather than reseller models) provides this property. Jurisdictional placement matters for the VPN provider's legal posture. Multi-pop deployment supports global VPN customer base.

Encrypted messaging platforms

Matrix homeservers, XMPP servers, custom messaging platforms, Signal-adjacent services. Infrastructure carries encrypted user communications. The infrastructure provider's posture on data retention and legal process directly affects user privacy.

Privacy-focused SaaS

Password managers, encrypted note services, anonymous communication tools, secure file sharing platforms. The product itself depends on privacy properties that require infrastructure aligned with the product positioning.

Journalism platforms

News organizations operating investigative journalism, source protection systems (SecureDrop deployments), reader databases that could expose sources, internal collaboration tools handling sensitive material. Particularly relevant for journalism critical of governments or powerful corporate actors.

Security researchers

Researchers studying malware, threat actors, surveillance technology. The research itself may attract adversarial attention. Research infrastructure (sandboxes, analysis systems, communications) benefits from privacy-grade properties.

Opposition political operations

Political organizing in jurisdictions where the operating government is hostile to the organization. The infrastructure cannot be located in the hostile jurisdiction. Privacy-grade properties protect organizers and supporters.

Cryptocurrency privacy tools

Mixing services (where legally operated), privacy coin infrastructure, wallet services emphasizing privacy properties, exchanges in jurisdictions where the operator's posture matters. Infrastructure aligns with the product's privacy positioning.

Legal services handling sensitive client data

Attorneys representing clients facing serious adverse parties, immigration practitioners handling sensitive client information, criminal defense in restrictive jurisdictions, civil rights organizations representing vulnerable populations.

What privacy-grade hosting does not provide

Privacy-grade properties have specific operational scope. Customers should understand the boundaries.

Not protection against active operational compromise

The infrastructure provider's posture does not protect customers from compromises at the application layer. Vulnerable customer applications, weak credentials, social engineering against customer-side staff, supply chain attacks against customer software all bypass infrastructure-level privacy properties. The customer remains responsible for their own operational security.

Not legal immunity for the customer

Customers operating activities illegal in their home jurisdiction face legal exposure in their home jurisdiction regardless of where infrastructure operates. Privacy-grade hosting raises the operational cost of investigation but does not provide legal cover for activities the customer's home jurisdiction prohibits.

Not protection against state-level adversaries

Nation-state intelligence operations have capabilities that exceed what any commercial hosting provider can defend against. NSA-tier adversaries can compromise infrastructure at the BGP layer, intercept communications at submarine cable landing points, or apply legal pressure across jurisdictions through diplomatic mechanisms. Privacy-grade hosting protects against most adversaries but not against the most resourced ones.

Not absolute anonymity

The customer's operational practices produce identifying information even when the infrastructure provider does not collect it directly. Login patterns, configuration choices, customer-side software behavior, social engineering of customer staff, traffic analysis at upstream points beyond the provider's control. Privacy-grade hosting is one layer in operational security, not the entire posture.

Not protection against customer mistakes

Customers who reveal their identity through their own operations (using personal email at signup, paying with traceable financial instruments, accessing infrastructure from identifiable locations without privacy tools) undermine infrastructure-level privacy properties. The provider's posture matters; the customer's posture also matters.

The verification practices for evaluating privacy-grade providers

Customers should verify operational properties rather than accepting marketing claims. Several verification practices apply.

Verify AS-level ownership

Look up the provider's IP ranges on bgp.tools, RIPE, or ARIN. Confirm the origin AS matches the provider's published AS number. Examine the AS's peering relationships and announcement history. Providers reselling from upstreams will not have their own AS announcing their customer IP ranges.

Verify cryptocurrency payment flow

Initiate a test purchase. Examine the payment instructions. Look for processor branding (BitPay, Coinbase, etc.) versus self-hosted indicators (custom payment interface, direct wallet addresses on provider's own domain). Examine the destination wallet address pattern (processor wallets versus provider-controlled wallets).

Test the signup flow

Examine what data the signup flow actually collects. Required fields are diagnostic. A provider with structural no-KYC has no field for government ID even as an optional. A provider with presentational no-KYC may have hidden verification steps that appear only under specific conditions.

Verify jurisdictional claims

Run traceroute to provider's customer-facing infrastructure. Confirm the actual network path terminates in the claimed jurisdiction. Examine the provider's legal documentation (terms of service, privacy policy, AUP). Check for jurisdiction-specific compliance signals appropriate to the claimed jurisdiction.

Read organic customer reviews

Trustpilot organic reviews provide a more representative customer experience picture than sponsored review channels. Look for patterns of customers reporting unexpected requests (ID verification, additional documentation), unexplained service suspensions, refund refusals. Patterns across multiple organic reviews are diagnostic of operational reality.

Engage on encrypted channels before committing

If the provider supports PGP, Signal, or Matrix for support, test these channels with operational questions before committing infrastructure. Response quality and willingness to discuss operational details in encrypted channels is diagnostic of provider posture.

Our specific posture and what it means for customers

Structural no-KYC

Signup requires email address only. No name, address, phone, or government ID field exists in our customer onboarding. We have not built a KYC database. We cannot apply identity verification retroactively because we have no system designed for it. Customers can verify this by attempting signup; the only field is email.

Self-hosted BTCPay Server

Bitcoin payments connect customer wallets to our BTCPay Server instance running on our own Bitcoin Core full node. Lightning Network payments use our own LND node. No BitPay, no Coinbase Commerce, no third-party processor. The only third party seeing the transaction is the Bitcoin network itself.

Self-hosted Monero acceptance

Monero payments connect to our own Monero daemon. We participate in the Monero network as a node operator. The transaction has the privacy properties Monero provides at the protocol level without additional intermediation.

AS-level operations in primary jurisdictions

We operate our own AS number with IP ranges allocated through standard registry processes. Our BGP announcements identify our AS as origin for our IP ranges. We peer with internet exchanges and transit providers at our AS level. Verifiable through public BGP data.

Multi-jurisdiction infrastructure

Bulgaria, Romania, Moldova, Panama, Hong Kong, Singapore, Ukraine. Each pop has actual infrastructure with measurable network characteristics matching the claimed location. Customers select pops based on their threat model and audience requirements.

Encrypted communication support

PGP keys published for our support staff. Signal and Matrix available for sensitive operational discussions. Telegram available with explicit note that Telegram default chats are not end-to-end encrypted; we recommend secret chat for sensitive material.

Legal process posture

We respond to lawful process from our operating jurisdictions. We do not honor extraterritorial requests without enforcement mechanism in our operating jurisdictions. We do not produce data we do not have: no government ID database, no payment processor records, no logs beyond operational necessity.