Trust, Security & Escrow

Procurement-grade detail on how your system is protected — legally, technically, and contractually. If you need a signed DPA, a completed security questionnaire, or the Codekeeper verification certificate, email hello@rolloutit.net.

The escrow guarantee

What is deposited

The full platform source code and all deployment scripts — infrastructure configuration, build pipelines, environment templates — are deposited with the escrow agent. The deposit covers everything needed to build and run the system independently.

Escrow agent

We use Codekeeper (codekeeper.co), an independent software escrow agent. Codekeeper stores the deposit in its own secure vault, entirely separate from Rollout IT's infrastructure.

Deposit cadence

Deposits are automatic — Codekeeper connects directly to our Git repository and captures every release without manual steps. There is no gap between a release shipping and the escrow being updated. You may request a Codekeeper verification certificate at any time.

Release triggers

Codekeeper releases the deposit to you if any of the following occur:

  • Rollout IT (or Runios IT Ltd.) becomes insolvent or enters formal winding-up proceedings.
  • Rollout IT ceases operations relevant to this service.
  • Rollout IT fails to provide contracted support for 60 or more consecutive days. Written notice is required; a 30-day cure period applies before the trigger is confirmed. Codekeeper verifies independently.

What you can do after release

With a released deposit you may run the system yourself or engage any third-party contractor to maintain or operate it. Your perpetual licence continues in full — no expiry and no further payment owed to Rollout IT.

Security

Encryption in transit

All traffic between your users and the system is encrypted using TLS 1.2 or higher. Older protocol versions are rejected at the load balancer.

Encryption at rest

Data stored on disk — database volumes, backup archives, file storage — is encrypted using AES-256. Keys are managed by Hetzner's managed KMS. Bring-your-own-key (BYOK) is available on request.

Backups

Daily automated backups, encrypted at rest, with a 30-day retention window. A second copy is stored in a separate EU region. Recovery-point objective (RPO) and recovery-time objective (RTO) are both 24 hours or better. Hot standby is available on request for customers with stricter availability requirements.

Data residency

Your instance is hosted on Hetzner Cloud, Germany (EU). No data leaves the EU without your explicit written instruction. All subprocessors are either EU-based or operate under Standard Contractual Clauses (SCCs).

Single-tenant, isolated instances

Each customer receives a dedicated, isolated instance — separate database, separate compute, separate storage. There is no shared schema or shared runtime between customers. Cohort members co-fund the same core product, but each runs their own isolated instance: no customer's data or private features are visible to another.

GDPR and DPA

We act as data processor for the personal data your system handles. A Data Processing Agreement (DPA) is available on request — email hello@rolloutit.net.

Subprocessors

We use a minimal, audited set of subprocessors. We notify customers at least 30 days in advance of any material change.

Subprocessor | Purpose | Location
Hetzner Cloud GmbH | Hosting, compute, storage | Germany (EU)
Supabase (EU/Frankfurt) | Managed database | Germany (EU)
Resend | Transactional email | EU SCC
Cloudflare | CDN, DDoS protection, DNS | EU SCC
Codekeeper | Software escrow | EU

Contract basics

10-year founder price lock

Founding-cohort customers pay a service fee that is contractually fixed for 10 years from the date of the cohort agreement. No annual escalators, no seat-based add-ons. Hosting costs are included at normal usage levels. If your usage grows significantly, any incremental infrastructure cost is passed through at cost price — shown to you in advance, before it applies. The service fee itself never rises.

What the flat annual fee covers

Included, on one invoice, with no additional charges:

  • Hosting and infrastructure (your isolated instance).
  • Security updates and dependency patching.
  • Monitoring, alerting, and incident response.
  • Daily backups and restoration on request.
  • Bug fixes and small modifications up to 2 engineering hours per month.

New features or integrations beyond the agreed core scope are quoted separately — always before any work starts.

Contract term and termination

The service contract is annual and renews automatically. Either party may terminate with 30 days' written notice. There is no lock-in penalty.

Data export

You may request a full export of your data at any time, at no charge, in standard machine-readable formats: CSV, JSON, PostgreSQL dump, and raw file attachments. On termination we deliver the export within 30 days of your request.

If you stop paying

If payment lapses, you have a 30-day grace period during which the instance stays fully live. After that the instance is suspended but your data is retained for a further 30 days, during which a free full export is available on request. After 60 days total the instance is decommissioned and all data — including backup copies — is securely erased within the rolling 30-day backup cycle. A deletion certificate is available on request. Your perpetual licence and escrow rights are not affected by non-payment.

Quick answers

What exactly is in escrow?
The full platform source code and all deployment scripts are deposited automatically with Codekeeper via a direct Git connection on every release. On a qualifying release trigger you receive everything needed to run the system yourself or with any third-party contractor, under your perpetual licence.

When would the escrow release?
Escrow releases on: insolvency or formal winding-up of Rollout IT; ceasing operations relevant to this service; or failure to provide contracted support for 60 or more consecutive days (written notice required, 30-day cure period applies). Codekeeper verifies each trigger independently.

What can I do with the escrow release?
You may run the system yourself or engage any third-party contractor to maintain or operate it. Your perpetual licence continues in full — no expiry, no further payment owed to Rollout IT.

Where is my data hosted, and does it leave the EU?
Your instance runs on Hetzner Cloud in Germany (EU). No data leaves the EU without your explicit written instruction. All subprocessors are EU-based or operate under Standard Contractual Clauses.

What does the flat annual fee actually include?
Hosting, security patching, monitoring, daily backups, incident response, bug fixes, and small modifications up to 2 engineering hours per month — all included, all on one invoice. New features or integrations beyond the agreed scope are quoted separately before any work starts.

What happens to my data if I stop paying or cancel?
If payment lapses you have a 30-day grace period during which the instance stays fully live. After that it is suspended but your data is held for a further 30 days. You may request a free full export at any point — CSV, JSON, PostgreSQL dump, and files. After 60 days total the instance is decommissioned and data is securely erased (including from all backup copies), with a deletion certificate available on request. Your escrow and licence rights are unaffected.

Questions or procurement requests?

Need a completed security questionnaire, a signed DPA, or the Codekeeper verification certificate for your procurement team? Email us directly — we turn these around quickly.

hello@rolloutit.net

Runios IT Ltd. · Company reg. 18-09-113648 · EU VAT HU26368560