Compliant Hosting

For regulated & high-assurance buyers

Hosting you can put in front of a compliance team.

Compliant Hosting is for organizations that must keep a WordPress or custom web estate and prove how it is controlled: regulated bodies, government, financial co-operatives, and the agencies that serve them. Choose the tenancy that fits, add the compliance module your regulator requires, and get documentation your auditors can hold in hand. Operated by the same small team, on the same hardened stack, for 18 years.

Start with the question your regulator asks

What are you protecting?

Compliance is driven by the kind of data you hold, not by a tier you climb. Pick the driver that fits, on either tenancy. Most regulated buyers need more than one, and the modules stack.

Cardholder data

PCI-aligned module

You take payments. We enforce a hosted or tokenizing gateway so no card data is stored at rest, segment the environment, run quarterly external scans, and hand you the SAQ-A readiness pack and a hosting-side responsibility matrix.

Personal & citizen data

Data-Protection / PII module

You hold members', customers', or citizens' personal records. We deliver encryption at rest with managed key custody, upload-dir hardening, retention enforcement, a breach-response SLA, and a signed DPA. Aligned to the Barbados DPA 2019, GDPR, and the Cayman DPA.

Whole-org assurance

ISO 27001-aligned module

Your board or a procurement team wants a recognized standard. We map our controls to ISO 27001 Annex A and SOC 2 TSC, run continuous evidence collection and machine-speed defense, and give you a signed security addendum now and the certificate when it lands (target Q1 2027).

Not sure, or need two of these? That is the normal case. Tell us what you hold and we will map it to the right tenancy and modules on a call.

Tenancy · shared, segmented

Compliant Shared

For a regulated site that does not need a dedicated box. The same hardened stack, segmented for tenant isolation (PCI-DSS Appendix A1), with encryption at rest, a signed DPA, and immutable logging. Priced as a risk-uplift, not by vCPU. Add the module(s) your regulator requires.

The assurance entry point

Segmented, audit-ready shared hosting

When your regulator needs documented controls but the workload does not justify a single-tenant server. Consult-onboarded, then sized with a quiet capacity option underneath.

From $350/mo
base tier · plus the module(s) your regulator requires · annual prepay available
  • Segmented multi-tenant isolation (PCI-DSS Appendix A1)
  • Encryption at rest and a signed data agreement (DPA)
  • Immutable logging and the controls your auditor tests
  • Capacity sized Small, Standard, or Large — not by spec sheet
  • Stack PCI, Data-Protection, and ISO 27001 modules as required

Capacity: S / M / L · sized to load, chosen on a call
Residency: UK / EU · in-region on request

Tenancy · single-tenant

Compliant Dedicated

A dedicated, single-tenant UpCloud cloud server for data that should not sit on shared infrastructure: sovereign records, financial-institution data, high-assurance estates. A scoped environment built to your requirements on a discovery call, not bought from a cart.

Flagship tier · consult only

Single-tenant, sized to your workload

A dedicated environment built to your compliance requirements, with the documentation and assurance an institutional auditor asks for. One tier to start, sized to you.

From $1,995/mo
plus a one-time onboarding engagement · annual prepay available
  • Dedicated single-tenant cloud server, sized to workload
  • Signed security addendum (ISO 27001 Annex A + SOC 2 TSC)
  • At-rest encryption, key custody, immutable audit logs
  • UK or EU residency, signed DPA and SCCs
  • Machine-speed defense, named incident-response contact

Certification: ISO 27001 · Roadmap Q1 2027 · addendum now
Residency: UK / EU · London or Frankfurt · DPA + SCCs

Where we actually stand

We lead with controls you can audit, not a logo.

A certification badge is a snapshot. What your compliance team can actually test is the set of controls a provider operates and can evidence on demand, and how fast it responds when something moves. That is what we put first. Today WebOps operates a documented control set, backed by a signed security addendum mapping each control to ISO 27001 Annex A and SOC 2 TSC, on infrastructure that is itself ISO 27001 certified and PCI-DSS compliant.

We are equally direct about the rest: WebOps does not yet hold its own ISO 27001 certificate, and we are on a funded roadmap to earn one, targeted for Q1 2027. Until then, the addendum, our controls documentation, and our independent vulnerability-scan and penetration-test results are evidence your auditors can hold in hand, not a promise to take on faith.

What Compliant Hosting delivers

The things an institutional auditor asks for.

Built on the stack we already run, hardened and documented for buyers whose data carries a regulatory obligation. Available on either tenancy; the depth scales with the module and the box.

Tenancy that fits the risk
Segmented shared for sites that do not need their own server; a dedicated single-tenant cloud server when data should not share infrastructure. No multi-tenant blast radius on Dedicated.
Documented controls
A signed security addendum mapping the controls we operate to ISO 27001 Annex A and SOC 2 Trust Services Criteria.
Encryption with key custody
Encryption in transit and at rest, with a documented key-management story: where keys live, who has access, how they rotate.
Immutable audit logging
Write-once audit logs (Plesk admin, SSH auth, WAF, intrusion detection) shipped to object-locked storage with one-year retention.
UK or EU data residency
London or Frankfurt residency for adequacy under the Cayman DPA and GDPR; in-region available on request. Signed DPA and Standard Contractual Clauses for any US transfer.
Machine-speed defense
An AI-operated defense layer watches alerts, parses logs, and drafts mitigations continuously. AI proposes, humans approve anything destructive or irreversible.
Named incident response
A named incident-response contact and a documented SLA. You know who answers, and how fast, before anything goes wrong.
Independent testing
Quarterly external vulnerability scans and an annual third-party penetration test, with results shared on request.
Choosing a tenancy

Compliant Shared, or Compliant Dedicated?

Both run the same hardened, documented stack and take the same regime modules. The difference is isolation and the depth of the assurance — pick by the sensitivity of the data and what your auditor requires.

Capability | Compliant Shared | Compliant Dedicated
Hardened, fully managed WordPress stack
WAF, intrusion detection, malware scanning, encrypted backups
Encryption at rest + signed DPA
Stack PCI / Data-Protection / ISO 27001 modules
Tenancy | Segmented multi-tenant | Single tenant
Tenant isolation standard | PCI-DSS Appendix A1 | Dedicated cloud server
Immutable audit logging | Shared retention | 1-year, dedicated
Named incident-response contact | Standard SLA | Named + elevated SLA
Quarterly vuln scans + annual pen test | On request | Included
ISO 27001 certification roadmap | Via ISO module | Target Q1 2027
Price | From $350/mo + modules | From $1,995/mo

Why machine-speed matters

The disclosure-to-exploitation window is now minutes.

Vulnerabilities are discovered and weaponized at machine speed. A host relying on a human on call responds in hours. Ours watches New Relic alerts, parses access logs, fingerprints attack patterns, and drafts fleet-wide mitigations continuously, so we respond at the speed the threat actually moves. The guardrail is deliberate: additive, reversible defenses can deploy automatically, but anything destructive or fleet-wide is reviewed by a person first. That boundary is what makes machine-speed defense safe enough to put in front of a private bank.

How an engagement runs

From discovery call to documented go-live

No surprises for your compliance team. Each step produces something they can review.

1. Discovery

We scope your requirements

A call to understand the buyers, the data, the regulatory frame (Cayman DPA, GDPR, PCI, sector rules), residency requirements, and what evidence your compliance team needs to see. That call decides the tenancy and the modules.

2. Build & document

We provision and harden

Shared-segmented or single-tenant in your chosen region, at-rest encryption and key custody configured, audit-log shipping enabled, controls documented, security addendum and DPA drafted for signature.

3. Go-live & evidence

We migrate, then keep the evidence flowing

Zero-downtime migration, named incident-response contact assigned, continuous evidence collection running. Surveillance and the ISO 27001 program proceed from there.

Let's scope your environment.

A discovery call, an honest read of what your compliance team needs, and a scoped build on the right tenancy with the right modules. If we are not the right fit for your requirements, we will tell you, and point you toward who is. Sourcing regulated or high-net-worth clients as an agency? We host the compliant layer and you keep the relationship.

– Ryan Davis, founder. Operating WordPress infrastructure since 2007.
Reply within 1 business hour · No certificate we don't hold · Free migration in and out, no lock-in