The freistilbox dashboard now allows you to submit custom TLS certificates directly to our hosting infrastructure. We’ve added a form to the website details page where you can paste your certificate, private key, and chain directly. Hit submit and deployment starts right away. The form validates your input, so you’ll know immediately if something is missing or malformed.

This works for any certificate type, whether it’s a wildcard cert covering multiple subdomains or an extended validation (EV) cert with the green address bar. If Let’s Encrypt fits your setup, use it. If not, you now have self-service.

There’s one important detail to know: If you already have a custom cert deployed on freistilbox, using the new feature might require a switch to our new edge routers. Get in touch, and we’ll move you over so you can manage renewals and new certificates yourself going forward.

This isn’t a major feature, but a nice quality-of-life improvement for customers who can’t use Let’s Encrypt for some of their websites. If you’re one of these customers, next time you need to add or update a certificate, head to the website details page in the freistilbox dashboard and paste it in!

Conventional hosting comparison guides focus on storage space, bandwidth, and price. For membership sites, those numbers don’t tell you much.

A membership website restricts some or all of its content to registered users, typically in exchange for a subscription fee or sign-up. Think of online course platforms, professional communities, news sites with paywalls, or software documentation portals — any site where logging in unlocks something the public can’t see.

That has real consequences for hosting. A conventional website serves the same pages to everyone; a membership site has to track who each visitor is, what they’re allowed to see, and serve them something different. Every page load does more work: more database queries, more dynamic content, less that can be cached. The hosting platform has to be built for that.

Database performance tuned for CMS patterns

One thing we learned early building freistilbox: MySQL’s default configuration is not set up for Drupal or WordPress. Both CMSes have complex schemas and generate a lot of queries — a single page render can easily trigger dozens, sometimes hundreds. Membership plugins add more, because now every query also needs to check whether this visitor has access.

Hardware matters here, and not in the way most hosting plans advertise. Plans that lead with “50 GB database storage!” are measuring the wrong thing. Storage volume is rarely the constraint; storage speed is. We’ve used solid state drives since before that was standard, and our database servers carry enough RAM to keep frequently accessed data in memory. Even the fastest NVMe drive is slower than RAM — so the more that fits in the buffer pool, the fewer disk reads happen.

Getting the most out of that hardware takes careful configuration. MySQL has a lot of performance knobs, and setting them well requires knowing what kind of workload you’re tuning for. Because we only host Drupal and WordPress, we know that workload well.

Smart page caching that respects authentication

With a conventional website, logged-in users are a small minority — usually a handful of editors. A content cache can store almost every page the application renders, and serve it directly for repeat requests, which can speed up delivery by orders of magnitude.

Membership websites flip that ratio. Most visitors have accounts and have to log in to reach their content. Even if a page only differs by a username in the top corner, the session cookie is there, and many hosting platforms will refuse to cache anything once they detect it. The result: every page load hits the application, every time.

freistilbox handles this differently, based on a set of rules we’ve built over the years. Static pages, CSS, JavaScript, images, and PDFs always go through the cache. Known cookies unrelated to a visitor session, such as those for analytics or consent banners, don’t prevent caching either. Only requests that genuinely require the application to respond bypass the cache. Our web operations experts maintain and update those rules as CMS versions and plugins evolve — and for the requests that do reach the application, the object cache picks up from there.

Object caching for database-heavy workloads

A well-tuned cache and fast database servers get you a long way. There’s one more layer worth adding.

When a logged-in member loads a page, Drupal or WordPress has to assemble it from scratch — pulling content, checking permissions, running membership logic, applying theme templates. That can mean dozens or hundreds of database queries for a single page. The object cache lets the CMS store the result of that work in memory: fully rendered blocks, navigation elements, access-controlled content fragments. Next time someone requests the same element, it’s served from RAM instead of rebuilt.

Simple lookups — is this user authenticated, what tier are they on — benefit too, but that’s the smaller part of the story. The bigger win is not rebuilding the same complex page components on every request. We use Valkey, the open source fork of Redis, as our object cache. It’s gradually replacing Memcached, which we’ve been offering for more than a decade.

Redundancy and uptime guarantees

If your website is the platform your business runs on, downtime isn’t just an inconvenience — it’s lost revenue and lost trust. People can’t sign up, can’t access content they’ve paid for, can’t even hand over their email address. Whether they come back later is an open question.

99% uptime sounds reasonable. It isn’t. That still allows for 14 minutes of downtime per day, or more than 7 hours per month. A single bad deployment window or hardware failure can clear that bar and leave your members locked out for hours.

Building for actual reliability means designing the platform with redundancy from the start — not bolting it on after the fact. We’ve been doing this since 2010, and it shapes every decision about our infrastructure. Hardware fails; we plan for it. When something breaks, the architecture contains the impact. Customers at our base service level consistently see uptime of 99.5% and above.

As proof, here’s a current screenshot of our uptime monitoring, with the website names blurred out:

Expert support that understands your stack

When something breaks on a membership site, the problem usually isn’t obvious. It could be a caching rule that’s serving the wrong content to logged-in users. A query that’s slow only under load. A plugin that’s fighting with a PHP configuration. You need someone who can actually look at the problem, not someone reading from a script.

At freistilbox, support comes from the engineers who built and run the platform. They know Drupal and WordPress, and they know the membership plugins. When you report a problem, they can dig into logs, adjust cache rules, or change database settings on the spot.

If your site is business-critical and you need guaranteed response times around the clock, our Premium SLA covers 24/7 emergency support. Your site goes down at 2am the night before a launch — there’s someone to call.

Privacy and control over your data

Membership sites hold sensitive data: names, email addresses, payment details, records of what content each member has accessed. Your members trust you with that, and they expect you to handle it carefully. Your hosting provider is part of that picture.

We are an EU-based business, and freistilbox runs exclusively on servers in the EU. Member data stays in the EU, which keeps you on solid ground with GDPR. The EU’s data protection rules are among the strictest in the world, so this matters even if you and your members are based elsewhere — you’re getting a high baseline by default.

For agencies building membership sites for clients, this has moved from nice-to-have to expected. Clients ask about data residency. Their legal teams want clear answers. Being able to say “Hosted by an EU business, GDPR-compliant” closes that conversation.

Popular membership plugins for WordPress and Drupal

The checklist above applies regardless of which membership plugin you’re running. These are the most widely used options for WordPress and Drupal, and all of them will work well on freistilbox:

WordPress

• Paid Memberships Pro — a well-established plugin with a broad range of membership levels, payment gateways, and content restriction options.
• MemberPress — popular for course creators and subscription sites, with built-in LMS features.
• Restrict Content Pro — a leaner option focused on content restriction and subscription management.
• WooCommerce Memberships — the right choice if your membership is tied to a WooCommerce store.
• Ultimate Member — strong community and profile features, often used for directory or community sites.

Drupal

• Commerce License — grants access to licensed content or functionality through Drupal Commerce.
• Group — handles content access by group membership, suitable for multi-organisation or community platforms.
• Protected Pages — a simpler option for restricting access to specific pages by role or password.

Case study: Monospace Mentor

Apart from my day job, I run a DevOps and SRE learning platform called Monospace Mentor. I offer courses, a member community called The Server Room, and 1:1 mentorship sessions. The website is built on WordPress with Paid Memberships Pro, and I host it on freistilbox — not just because I’m the CTO, but because a site that loses signups during a live session is a real problem for me, the same as any other customer.

Monospace Mentor is exactly the kind of site this article is about. Members log in to access gated course content, the community space, and booking links for mentorship calls. Every page load involves permission checks — is this user a member, and which tier? Paid Memberships Pro and WordPress together generate a steady stream of database queries to answer that question. Valkey handles the object caching, which means fully assembled page components — menus, content blocks, access-controlled fragments — are stored in memory and reused rather than rebuilt from database queries on every load.

On the caching side, Varnish serves the public marketing pages and their asset files fast while correctly stepping aside for logged-in sessions. Members get their individual content; anonymous visitors get cached pages. That split happens automatically, managed at the platform level.

The part I care about most is reliability. I’m still building up the community, which means every signup matters. If someone clicks through to join during a live session or after seeing a post, I can’t afford for the site to be down or slow at that moment. Thanks to our redundant infrastructure, I simply don’t have to think about it. No maintenance windows to plan around, no performance tuning to do, no security patches to apply. That time goes into the content and the community instead.

Let’s discuss your requirements

If you’re evaluating hosting for a membership site on Drupal or WordPress, we’ll look at your specific setup and tell you honestly whether freistilbox is the right fit. Get in touch and we’ll take it from there.

We’ve seen this scenario play out dozens of times over the last 16 years. A plugin quietly logs every search query. A redirect table that started with 50 entries and now holds 50,000. A watchdog table nobody thought to check. The site grew gradually—but the database hit a wall all at once.

The tricky part is that queries which worked fine with 1,000 rows can choke on 50,000. Tables that took milliseconds to scan now take seconds. And because the growth happened slowly, there was no single moment where something “changed.” The site simply reached an inflection point where database “sins” came home to roost.

In our online documentation, we’ve put together a guide titled “Database Best Practices“ covering the most common database issues we see on freistilbox: unbounded table growth, query anti-patterns, import mistakes. It provides guidance on index creation and cleanup strategies. We’ve also added two CMS-specific guides: one about WordPress-specific issues such as wp_options bloat, and one with Drupal-related advice like taming the watchdog table.

If your site is showing signs of database trouble, reach out—we’re happy to help you track down the cause.

As most businesses, we’re going to power down our activities over the coming holidays. At the end of another successful year of making sure our customers’ websites get to impress their visitors, we’ll take a break to recharge our batteries for the coming one.

That’s why we will provide limited customer support from Wednesday, 24 December 2025, to Tuesday, 6 January 2026.

What we won’t power down is our servers. Our 24/7 ops on-call roster will deal with any issue in our hosting infrastructure swiftly. The same engineers will also handle emergency support requests from customers with a Premium SLA or freistilbox Enterprise plan.

We will handle all other support requests coming in during this time frame when we’re back to normal operation in January.

For the 16th time, we thank all our customers for a year of fun and productive DevOps collaboration. For us, that is a gift we get to enjoy the whole year. We wish all of you a happy time.

Merry Christmas, and a happy new year!

Your freistilbox team

Access Control Lists are available to early-access customers starting today and will be generally available to all customers on December 8.

What Are Access Control Lists?

Access Control Lists—or ACLs—let you define rules for which IP addresses can reach your websites. You can create allow lists, deny lists, or both, giving you fine-grained control over who gets through the door and who gets turned away.

How It Works

ACLs work at the edge of our infrastructure, which means unwanted requests get blocked before they even reach your content cache, let alone your application servers. This keeps your site fast and responsive for legitimate visitors while reducing unnecessary load on your stack.

Setting up an ACL is straightforward. You define a list of IP addresses or CIDR ranges, specify whether those addresses should be allowed or denied, and assign the list to one or more of your sites. Changes take effect within minutes.

You can create multiple lists for different purposes and apply them as needed. A site might use one list to block known bad actors and another to restrict access during a staging phase.

Practical Use Cases

Blocking Bot Networks

Some bots are helpful—search engine crawlers, uptime monitors, and the like. Others are not. Scrapers, credential stuffers, and DDoS participants can hammer your site with thousands of requests per minute. With an ACL deny list, you can block entire IP ranges associated with malicious traffic and stop the problem at the source.

Restricting Access to CDN Nodes

If you’re using a content delivery network like Myra or Fastly, you might want to ensure that all traffic flows through the CDN rather than hitting your origin directly. An ACL allow list lets you permit only your CDN’s IP ranges, so direct requests to your origin get rejected. This protects your site from attacks that try to bypass CDN-level protections.

Staging and Development Environments

Sometimes you need to keep a site private while you’re still working on it. Instead of relying solely on HTTP authentication or application-level access controls, you can use an ACL to limit access to your office network or VPN. Only requests from approved IP addresses will get through.

Client-Specific Access

Working on a project that only certain people should see? Add their IP addresses to an allow list and keep everyone else out until launch day.

Getting Started

You’ll find the new Access Control Lists section in your freistilbox dashboard. From there, you can create lists, add IP addresses or ranges, and assign lists to your sites.

If you’re not sure which IP addresses to block, your site’s access logs are a good place to start. Look for patterns—repeated requests from the same ranges, unusual user agents, or traffic spikes that don’t match real user behaviour.

Need help setting things up? Our team is here to assist. We’ve dealt with every kind of traffic problem over the past 15 years, and we’re happy to help you figure out the right approach for your situation.

Your Sites, Your Rules

Access Control Lists give you another layer of control over how your websites handle incoming traffic. Whether you’re defending against bots, tightening security around your CDN setup, or just keeping a staging site private, ACLs make it simple.

Log in to your dashboard and give it a try. And as always, please let us know what you think—your feedback helps us build the features you actually need.

Why We’re Doing This

Running web applications at scale for 15 years has reinforced something we’ve believed from day one: the best hosting solutions don’t happen in isolation. They emerge from real conversations between people who understand both the technical challenges and the business goals behind every website.

Since we launched freistilbox in 2010, we’ve built our reputation on collaboration. We function as your external SRE team, handling the complex infrastructure work so you can focus on building great websites for your clients. This collaborative approach has always been central to how we work, but we’ve realized we can make it even more effective.

The best solutions come from understanding your specific challenges. When a client’s traffic spikes unexpectedly, when you’re troubleshooting a performance issue at 2 AM, or when you’re planning a major site launch – these are the moments when having direct access to our expertise makes all the difference.

We want to know what keeps you up at night, to understand the pressure you face when a client’s campaign goes viral, or when a WordPress update breaks something critical. And we intend to share what we’ve learned from managing thousands of Drupal and WordPress sites over the past decade and a half.

Introducing freistilbox Connect

freistilbox Connect is our new customer communication platform, built on Discourse – the same forum software that powers communities for organizations like Mozilla, Let’s Encrypt, and other leading technology companies. Think of it as your direct line to our team, but with the added benefit of learning from other experienced developers facing similar challenges.

Here’s how it works: each customer gets their own private forum space and dedicated chat channel. This isn’t a generic support ticket system where your question disappears into a queue. It’s a persistent space where you can discuss technical issues, request features, share insights, and build relationships with both our team and fellow customers.

What Makes Connect Different

Private but Connected: Your forum is private to your team and ours, but you can also participate in broader community discussions. You get the security of private communications with the knowledge-sharing benefits of a community.

Persistent Conversations: Unlike email threads that get buried or chat messages that scroll away, Connect maintains a searchable history of every discussion. When you’re facing a similar issue six months from now, the solution is already documented and waiting for you.

Real Expertise: Our responses come from the same team that built and maintains our hosting platform. When we answer a question about MySQL optimization or Varnish configuration, we’re drawing from years of hands-on experience managing these systems at scale.

Feature Requests That Actually Matter: Have an idea for improving our platform? Connect gives you a direct channel to share suggestions and see how they fit into our roadmap. We’ve always valued customer feedback, but now we have a better way to capture and act on it.

Beyond Technical Support

Connect isn’t just for troubleshooting. Use it to discuss upcoming projects, get advice on architecture decisions, or share lessons learned from recent deployments. Our goal is to be your trusted advisor for all things related to web operations and DevOps.

Planning a high-traffic product launch? Start the conversation early and we can help you prepare. Evaluating new tools or techniques? Tap into our experience with similar implementations. Dealing with a tricky client requirement? Let’s brainstorm solutions together.

Office Hours: Face-to-Face Problem-Solving

Sometimes the best conversations happen when you can see each other’s faces. That’s why we’re also launching Office Hours – regular video sessions where you can join Markus for casual discussions about whatever’s on your mind.

These aren’t formal presentations or sales pitches. They’re open conversations where you can ask questions, share challenges, discuss industry trends, or simply introduce yourself to other members of the freistilbox community. Markus brings over a decade of customer success experience and has seen just about every hosting challenge you can imagine.

What to Expect

Office Hours are open to all customers and happen via video call. We’ll announce sessions in advance through Connect, and you’ll be able to join whether you have a specific question or just want to listen and learn from others.

Maybe you’re curious about our approach to security monitoring. Perhaps you want to understand how we handle traffic scaling during peak events. Or perhaps you just want to meet the people behind the platform that keeps your sites running. All of these are perfect reasons to join.

The format is intentionally flexible. Some sessions might focus on specific technical topics if there’s common interest. Others might be open Q&A where we tackle whatever questions arise. The agenda is driven by what you need most.

Why This Is Relevant for Your Business

As a web developer or agency owner, you’re constantly balancing technical excellence with business demands. Your clients expect their websites to be fast, secure, and always available. Your team needs to deliver projects on time and within budget. And you need to stay ahead of evolving technologies and best practices.

Having direct access to hosting experts who understand these pressures gives you a significant advantage. When you can quickly resolve performance issues, when you can confidently recommend solutions for complex requirements, when you can prevent problems before they impact your clients – that’s when you become the trusted advisor your clients rely on.

Connect and Office Hours are designed to make you more effective at what you do best. Instead of spending time wrestling with server configurations or troubleshooting infrastructure issues, you can focus on building great user experiences and growing your business.

The Technology Behind Connect

We chose Discourse because it represents the best of modern community platforms. It’s open source, actively maintained, and designed specifically for meaningful discussions rather than quick exchanges. The platform includes features like email integration, real-time notifications, mobile apps, and powerful search capabilities.

The chat functionality provides a space for quick questions and informal discussions, while the forum format is perfect for more detailed technical conversations that benefit from structured responses and documentation.

Getting Started

Connect is available to all freistilbox customers at no additional cost. We believe that great customer relationships are fundamental to great hosting, not an optional extra.

By now, you should already have received an email invitation that provides you with access to your private forum space and instructions for joining community discussions. Our team is already active on the platform and ready to help with any questions about getting set up.

Office Hours sessions will be announced through Connect, so joining the platform is the best way to stay informed about upcoming opportunities to connect face-to-face with our team.

Looking Forward

This is just the beginning. We have plans to expand Connect with additional features based on your feedback and needs – platform status updates, expanded documentation resources, and new ways to share our development plans across our customer community.

The success of these initiatives depends on your participation. The more you engage, share your experiences, and ask questions, the more valuable these platforms become for everyone.

We’ve spent 15 years perfecting the technical side of managed hosting. Now we’re investing in perfecting the human side – the relationships, communication, and collaboration that turn good hosting into great partnerships.

Ready to Connect?

Your expertise combined with our infrastructure experience creates something powerful. When you understand our platform deeply, and we understand your challenges clearly, we can solve problems faster and build better solutions together.

Join freistilbox Connect today and become part of a community where technical excellence meets genuine collaboration. Whether you’re a longtime customer or considering freistilbox for your next project, we’re excited to work more closely with you.

The web development landscape continues to evolve, but one thing remains constant: the best outcomes happen when smart people work together. Let’s build something great.

Questions about Connect or Office Hours? Our team is standing by to help you get started.

Picture this: You’re reviewing a client’s WordPress site after a routine security audit, and everything looks clean. Plugins are updated, themes are current, and the admin dashboard shows no red flags. Yet something feels off. Page load times are slightly slower, and there’s an unusual pattern in the server logs. After digging deeper, you discover malicious code running on every single page load, completely invisible to standard WordPress admin interfaces.

Welcome to another headache for agency developers: Attackers are now exploiting the WordPress mu-plugins directory to hide malicious code in plain sight, and traditional security scans often miss it entirely.

Why This Is Relevant for Your Agency (And Your Clients)

As security researchers at Sucuri first documented in February 2025, threat actors have discovered that WordPress’s “Must-Use Plugins” directory is the perfect hiding spot for persistent malware. Unlike regular plugins listed on the familiar Plugins admin page, mu-plugins operate behind the scenes: They get executed on every page request without any visible indication to site administrators.

For agencies managing dozens or hundreds of client sites, this represents a particularly insidious challenge. Malicious code can steal credentials, inject spam content, or redirect visitors to phishing sites, all while remaining completely hidden from your standard maintenance routines. Even worse, because mu-plugins can’t be disabled through the WordPress admin interface, infected sites require direct file system access to clean up.

The business implications are serious. A compromised client site doesn’t just damage their reputation—it reflects directly on your agency’s technical competence and can undermine years of trust-building.

Understanding the mu-plugins Attack Vector

Must-use plugins live in the wp-content/mu-plugins directory and serve legitimate purposes in WordPress installations. They’re designed for site-wide functionality that should never be accidentally disabled; custom security rules, performance optimizations, or environment-specific configurations, for example.

Here’s what makes them attractive to attackers:

Stealth Operation: MU plugins don’t appear in the standard plugin list, making them invisible during routine admin reviews.

Automatic Execution: MU plugin files are loaded on every page request, guaranteeing the malicious code will run.

Persistence: Even if other malware is cleaned up, MU plugins often get overlooked during remediation efforts.

The malicious files often masquerade with innocent-looking names like wp-cache.php or security-check.php, making them appear as legitimate functionality rather than threats.

Why Architecture Matters More Than Ever

This mu-plugins vulnerability highlights a fundamental truth about WordPress security: the traditional approach of patching vulnerabilities after deployment is inherently reactive. Attackers will always find new vectors, and site administrators will always be playing catch-up.

On freistilbox, our immutable deployment architecture eliminates this entire class of attacks. Once your WordPress code is deployed to our application boxes, it can’t be modified any more. Malicious actors can’t inject mu-plugins or any other code because all application code on freistilbox is read-only. The only way for code changes to happen is through the website’s Git repository. This creates a clear audit trail and makes unauthorized modifications impossible.

This isn’t just a security feature; it’s a business advantage for agencies. You can confidently promise clients that their sites are protected against this type of attack. Not because you’re constantly monitoring for threats, but because the hosting architecture makes these attacks technically impossible in the first place.

Moving Forward

The mu-plugins attack vector is just the latest reminder that WordPress security requires thinking beyond individual vulnerabilities. Each new threat reinforces the value of architectural solutions over tactical patches.

As you evaluate your current client hosting arrangements, consider whether your infrastructure is built to prevent entire categories of attacks, or whether you’re constantly reacting to the latest security bulletin.

What’s been your experience with WordPress security challenges at the infrastructure level? We’d love to hear how you’re approaching these evolving threats with your agency clients.

Maybe you’re exploring Drupal 11, which requires PHP 8.3 or higher. Or perhaps, you’d just like to keep up with the latest version of the language. In any case, we got you covered!

To launch a new website with PHP 8.3, simply select it in the website settings on the freistilbox dashboard. Bumping the PHP runtime version of an existing website works the same way. In case you experience issues with the new version, downgrading to an older one is just as simple and quick. As always, our site reliability engineers are there if you need help switching to PHP 8.4.

We made it our job to focus on these technical details so you can focus on your business.

Quickly after the new US administration took office, its actions started impacting established agreements between the United States of America and EU states. It’s becoming more clear every day that President Trump’s decisions on international political and economic matters will have significant impact on both bilateral and multilateral agreements. One of them is the EU-US Data Transfer Agreement, and it’s at a substantial risk of breaking down.

In March 2025, the German trade newspaper Handelsblatt reported a warning issued by the German Industry Association (BDI). The BDI raised concerns that if U.S. President Donald Trump cancels the Transatlantic Data Privacy Framework, it could harm businesses and create legal uncertainty. The chief counsel of the German Industry and Trade Chamber (DIHK) shares these concerns, stating that a failure of the Privacy Framework would have “grave consequences”.

The EU-US Data Transfer Agreement

The EU-US Data Transfer Agreement is a framework which, according to the European Commission’s Q&A document, “provides EU individuals whose data would be transferred to participating companies in the US with several new rights (e.g. to obtain access to their data, or obtain correction or deletion of incorrect or unlawfully handled data). In addition, it offers different redress avenues in case their data is wrongly handled, including before free of charge independent dispute resolution mechanisms and an arbitration panel.”

Since 1995, EU law restricts the export of personal data outside the EU to ensure that personal information owned by EU citizens is not exposed to lax privacy standards in other jurisdictions. The law makes exemptions when the country to which personal information is exported offers a level of data protection that is “essentially equivalent” to that of the EU. In 2018, the General Data Protection Regulation (GDPR) strengthened EU privacy law and human rights law even further.

Meanwhile, the legal regime of the United States is substantially different, with national security and surveillance laws such as the Foreign Intelligence Surveillance Act Section 702 (FISA702) and Executive Order 12.333 which allow the government and its agencies extensive access to data stored by US tech firms like Amazon, Microsoft, and Google.

This fundamental difference in privacy standards has been causing tensions and legal conflicts to this day, including the annulment of two previous EU-US data transfer agreements by the EU Court of Justice in its Schrems I and Schrems II rulings.

To restore legal grounds for transatlantic data transfers, the EU Commission in 2023 introduced the Transatlantic Data Privacy Framework (TADPF). It was subsequently formally adopted in the Commission’s Implementing Decision (EU) 2023/1795. This decision, which allows EU businesses to transfer data freely to US providers, relies solely on Executive Orders and assurances from the US government. A key role in this rationale lies with the Privacy and Civil Liberties Oversight Board (PCLOB), whose responsibility it is to monitor the US government’s compliance with surveillance restrictions and privacy commitments.

The new framework has been heavily criticized by data protection and civil liberties experts. One of the main points these experts highlight is the lack of a strong codification of the safeguards underpinning the TADPF in US statutes. As there was no congressional majority to pass such legislation, it is only based on an Executive Order of former president Joe Biden. This shaky legal foundation leaves the TADPF at risk of being dismantled by a simple Executive Order of US President Trump.

Crumbling foundations

This risk is not just theoretical. The US government decided on January 20th that all Executive Orders of the previous administration are to be reviewed within 45 days and potentially nullified. This includes Executive Order 14086, on which the EU’s adequacy decision is based.

At the end of January 2025, President Trump dismissed three Democratic members of the PCLOB, the primary oversight body that ensures compliance with privacy commitments under the Transatlantic Data Privacy Framework. With these three members removed, there are now valid concerns about the board’s independence and effectiveness. In consequence, as privacy advocates are pointing out, this may jeopardize the legality of transatlantic data flows. If a reassessment of the adequacy of the Data Privacy Framework by European regulators leads to its suspension, it can cause substantial disruptions to thousands of businesses whose transatlantic data transfers rely on this very framework.

It’s time to choose domestic alternatives

According to analytics firm Synergy, the market share of US-based cloud services in Europe is about 70%. Meanwhile, none of their European competitors has been able to surpass the 2% mark. The easiest way for European website owners and web agencies to regain a solid legal foundation for their data processing is to shift this imbalance.

Choosing a European data centre location alone isn’t sufficient. As long as the business entity operating the data centre is under US jurisdiction, it must obey surveillance laws like FISA, regardless of where in the world the data in question is stored. There is a clear legal advantage in choosing an EU-based hosting and infrastructure provider. (And given the latest introduction of tariffs by the US administration, probably an economic one, too.)

With freistilbox, we offer an alternative to US-based cloud services and hosting platforms. It ticks all the boxes not only in terms of performance and reliability, but also when it comes to data protection. We are an EU business registered and headquartered in Ireland. Since we started our business in 2010, we’ve been running our whole hosting infrastructure in data centres that are not only located in EU countries, but also in turn owned and operated by EU businesses.

Our customers can enjoy peace of mind, knowing that their data processing is in full compliance with GDPR regulations, without any risk of its legal foundation being shattered on a whim.

To learn more about what freistilbox can do for your hosting peace of mind, get in touch!

You might ask what that story is, and what purpose a hosting company may have, other than simply running websites. Over the recent months, we made a big investment to answer this crucial question.

When we launched our hosting platform in 2010, its mission was not to “serve web pages” like the many other hosting companies out there, but to serve website owners and builders. Having just left my management job at a big hosting provider, I wanted us to not just provide our customers with “webspace” but with something rare: peace of mind. Towards this goal, freistilbox not only employs the technology required for high availability and top performance, we combine it with something most other hosting providers do not, and cannot offer: direct collaboration between our hosting experts and our technical counterparts on the customer side, the web developers. Instead of distancing ourselves behind some kind of tech support system, we’ve been offering direct, effective DevOps collaboration for one and a half decades now.

It is this collaborative approach that makes freistilbox what it is. And it was time that our branding reflected this unique value proposition through and through. I’ll be honest: marketing has never been our strength. We’ve always prided ourselves in serving our customers so well that they did the marketing for us. But over time, we realized that our website did not support them nearly enough in telling their clients about their great experience with freistilbox. That’s why in summer last year, we set out to rebuild our brand and marketing strategy. Supported by a renowned agency, we went through a lengthy discovery and branding process, whose result you are now looking at. We hope you like it!

But while refreshing our look and messaging was an important task, now that it’s done, we can once more focus on what’s essential. Our purpose hasn’t changed; it’s still serving the people who build and run remarkable websites. With this mission in mind, here are some of the ideas we’re going to tackle this year:

• A community platform that will serve as the central communications hub both between us and our customers and between our customers
• A high-performance object storage system that provides a cloud-native way for storing asset files and other data
• An improved deployment process that makes our GitOps approach even more flexible and useful
• An observability add-on that simplifies exposing the many useful insights hidden in system performance metrics and application logs
• Extending the integration between our customer dashboard and the hosting infrastructure, reducing friction and wait times for users

Now that we have this beautiful new website, we will use it more regularly to catch you up on our progress towards these and other goals.

We’re also starting a newsletter to provide you with updates and information that will help you make the most out of our managed hosting platform for Drupal and WordPress.

From us at freistilbox: We wish you the best of success for 2025, and we’re ready to help you achieve it.