Your data stays yours.
Nanobox is a young product, so we won’t pretend to hold certifications we don’t. What we can tell you plainly is how your data is handled, on your own servers or on ours. For how we handle personal data, see our Privacy Policy.
Self-host
You buy the license, get the full source, and run Nanobox on your own infrastructure with Docker. We can’t access your instance, and security in your environment is ultimately in your hands.
Hosted
We run Nanobox for you on the Hosted plan (flat pricing, never per-seat). We operate the infrastructure, but the data in your instance is still yours, exportable anytime.
How it works, both ways
The same product, two ways to run it. Here’s what each door means for the things that matter most.
Data ownership
There's no scenario where we hold your data hostage. The difference is only where it lives.
Your data lives on your infrastructure, in a database you control, with full access to every row. We never see it, and there's nothing for us to leak. Stop paying us and nothing switches off.
We operate the instance, but the data is yours. Export it anytime in standard formats. We never sell it, never use it to train anything (there are no AI features), and there's no lock-in if you decide to move to self-host.
Backups
Backups are yours to run, on your schedule, to your storage, which is exactly the control some teams want. If you'd rather not, our done-for-you launch can set up automated backups for you as part of getting you live.
We take automated, off-site backups of Hosted instances so a single failure can't lose your data. Retention and restore details are documented for Hosted customers.
Encryption
Traffic to your instance is served over TLS (HTTPS) once you point a domain and certificate at it. Encryption at rest depends on the disks and database you deploy to, which is under your control.
All traffic to the Hosted service is encrypted in transit with TLS. Data at rest sits on managed infrastructure operated by our hosting partner; we can share disk-level specifics with Hosted customers on request.
Where Hosted data lives
If you self-host, your data is wherever you deploy it, so this only concerns the Hosted plan.
Hosted instances and their backups run on Hetzner infrastructure in the EU. This matches the infrastructure listed on our Privacy Policy.
Sub-processors
To run the Hosted service we rely on a small set of vendors. Each is engaged under terms requiring appropriate safeguards, and the list is kept consistent with our Privacy Policy and DPA.
- Payments: Stripe, Inc. (subscription billing; we don’t store full card numbers).
- Hosting & infrastructure: Hetzner, EU (compute, database, and backup storage).
- Transactional email: a transactional email provider (receipts, security and account notices).
Self-hosted instances don’t use these for your business data, you bring your own infrastructure and email if you want them.
Responsible disclosure
Found a security issue in Nanobox? We want to hear about it. Reach us through our contact page with the details and steps to reproduce, and we’ll acknowledge your report and work with you on a fix. Please give us a reasonable chance to address it before any public disclosure. We don’t currently run a paid bounty program.
We don’t claim certifications such as SOC 2, ISO 27001, or HIPAA compliance. If a formal certification matters for your purchase, tell us, and we’ll be straight with you about where we are.