Trust

Architecture, not slogans.

Your cloud. Your admin keys. Your data path. Your bill. Four structural answers — read them through, then quote them to your lawyer.

Read the architecture →

Four structural answers you can verify, not just trust.

No flags, no badge walls, no slogans. Each answer is a property of how the system is built.

  • Ownership

    Your cloud. Your admin keys. Your kubeconfig. Your install repository. The admin password is yours — not ours, not shared, not escrowed. The worker bootstrap is outbound-only, so there is no inbound network path from us into your environment.

  • Provider parity

    AWS · Azure · GCP · Hetzner · IONOS · OVH · Scaleway · on-prem · your own. One package, the same render path on every provider. Migrating between providers is a git push to a new repository target.

  • Pricing transparency

    We charge for the platform. You pay your infrastructure provider directly. No markup on compute — which means no incentive for us to push you toward one provider over another. Talk to the founders for numbers.

  • Real-customer proof

    Code Zero ships its software onto customers’ own infrastructure on Akua. Anonymized regulated pilots run in finance, healthcare, and logistics. Named where consent has landed, descriptive where it hasn’t — and never a fabricated count.

The board question

Can someone in another country shut off our IT?

No. The cluster runs on your infrastructure and the admin keys are yours. The bootstrap is outbound-only — there is no inbound network path from us into your environment. If we disappear, the software keeps running.

The exit path

What happens if Akua disappears?

Your cluster, your data, and your admin keys all stay yours. The export path is open by architecture: open package format, OCI images, plain git. Take the export and run it anywhere your operations team can run a cluster.

The audit trail is the architecture.

Not a separate “audit log” feature you have to trust — the same primitives that run the system record it.

Every write to main
Arrives as a reviewed proposal carrying a typed, signed, reviewable diff.
Every long-lived resource
Has a supervised entity with deterministic, recorded state transitions.
The trail itself
Is the git history plus the entity event log. There is nothing to reconstruct after the fact.

Named regulations. Named answers.

The regulation, not the badge — with the specific architectural answer for each.

  • DORA

    In force since January 2025. Article 28 requires ICT third-party risk management and a gapless information register. The per-install repository plus the reviewed-proposal flow populate that register by architecture.

  • EU AI Act

    Documented audit paths for AI in credit and insurance from August 2026. The supervised-entity pattern produces deterministic event logs by architecture — the audit path is a property of the system, not a policy bolted on.

  • DSGVO

    Data sits on your infrastructure, under your admin keys, reached only by an outbound-only bootstrap. The architecture is the answer — there is no badge to argue about.

The honest table.

Each certification named with its actual status. No line-up of logos standing in for the work.

SOC 2 Type II
In progress
ISO 27001
On roadmap
BSI-C5
On roadmap
DSGVO
Structural — the architecture answer above, not a badge

Talk to the people who built it.

This page’s reader is usually the one who wants a conversation before any commitment — so when you book, you get a founder.

  • Marcus Klingler

    Marcus Klingler

    A DACH-finance and Frankfurt School background.

  • Robin Braemer

    Robin Braemer

    Work at STACKIT and SumUp, and a CODE University thesis on this exact problem.

Read the architecture.
Then quote it to your lawyer.

This page’s reader is the most likely to want a founder conversation before committing. Book one — you’ll get one.