restorable

Evidence, weekly · Signed by your key

The backup that
proves it can restore.

This is what lands in your inbox every Monday. A signed receipt from last night's restore test, running in an isolated container. Your auditor verifies it independently.

Get started → See how it works
Apache-2.0 agent EU-only data path Customer-held keys
restorable Verified
rcpt_01jt3k7m2w · Transparency log #147

Postgres restore verified.
All 47 application checks passed.

● signed
Sourceneon · eu-central-1 · db_customer_prod Enginepostgres 16.2 · libc 2.39 Size4.7 GB · 147 tables · 312 indexes Duration02:17 restore · 00:43 checks · 00:04 sign Checks47 / 47 passed Signed byed25519:hackerman-ab
✓ Independently verifiable restorable-verify --pubkey agent.pub rcpt_01jt3k7m2w.intoto.json
2026-04-19T04:02:51Z

Zero US vendors in
the data path.

Hetzner
Scaleway
OVH
Bunny
Brevo
Mollie

Untested backups are the norm.
pg_restore is nobody's cron job.

Your cron job writes dumps to S3. When did someone last run pg_restore against them? For most teams, the honest answer is never. Or once, accidentally, during a prod incident.

The green checkmark on your backup job means the upload succeeded. It doesn't mean the restore will succeed at 3 AM. Schemas change. Extensions drift. Collations break silently after a libc update. Nobody finds out until it matters.

14%

of IT leaders are confident their data can be recovered in minutes.

2025 State of SaaS Backup report

Where Restorable fits.

Neon, Supabase, AWS RDS, MongoDB Atlas, Crunchy Bridge. Your provider already backs up your database. Keep that on. We handle the part they skip.

Your provider does this already

  • Continuous backups and point-in-time recovery.
  • Durable, often cross-region storage.
  • On-demand restore into production, fast.
  • Integrated with your existing infrastructure.

Primary backup is cheaper and faster to recover than any third-party layer. Don't turn it off.

Restorable adds this

  • Scheduled restore tests. Weekly. End-to-end, in an isolated container. Runs your application-level checks.
  • Signed, independently verifiable evidence. DSSE receipts. Your auditor verifies them against your public key. No Restorable API required.
  • Customer-held keys. Backups are encrypted with your age keys before they leave your infrastructure. We store ciphertext. That's the whole relationship.
  • Independent offsite copy. Your encrypted backup lives in Scaleway FR, outside your provider's blast radius. Satisfies the 3-2-1 rule's offsite criterion. If your provider has a week-long outage, you still have your data and the keys to decrypt it.
  • Weekly evidence email. One sentence your CTO, board, or auditor can read and believe.

We back up databases. Postgres and MongoDB. Not Stripe, not GitHub, not Linear. Different product, different vendor.

Five steps, running in your infrastructure.

  1. 01

    Install the agent

    Open-source Go binary, Apache-2.0. Runs on Podman (rootless, default), Docker, Kubernetes, or systemd. Next to your application. Your security team reads every line before it ships.

  2. 02

    Agent encrypts backups with your keys

    Age encryption before upload. Our servers see ciphertext. Customer-held keys, no managed-keys tier, no exceptions.

  3. 03

    Weekly restore test

    Agent pulls the ciphertext. Decrypts. Spins up a fresh Postgres or MongoDB container. Runs pg_restore or mongorestore. Executes your application-level checks: row counts, index presence, NULL assertions. SQL or aggregation, whatever you can express.

  4. 04

    Signed receipt, transparency log

    Each restore produces a DSSE envelope signed by your Ed25519 key, appended to a per-org transparency log. Auditors verify inclusion, consistency, and signature independently, using the open-source restorable-verify CLI.

  5. 05

    Weekly evidence email

    One human-readable email per week. Pass rate, failure details, links to signed receipts. Forward it. Or let your auditor subscribe.

04 · What you forward to your auditor

The receipt, in miniature.

Keys in mono, verdict in emerald, signature at the bottom. Every signed receipt follows this shape. What you see here is a static example of what a live one looks like.

restorable 2026-04-19 · rcpt_01jt3k7m2w · issued hackerman-ab
subject
Postgres restore verified. All checks passed.
claim
A full pg_restore ran in an isolated container in Scaleway FR at 04:02 UTC. 47 application-level assertions executed, 47 passed. Receipt appended to the transparency log at index #147 and signed by your Ed25519 key.
engine
postgres 16.2 · pg_dump 16.2 · libc 2.39
source
neon · eu-central-1 · db_customer_prod
size
4.7 GB compressed · 18.3 GB expanded · 147 tables · 312 indexes
duration
02:17 restore · 00:43 checks · 00:04 sign
checks
row_count(users)=48291 · row_count(orders)=912844 · pk_integrity · null_assertions · 44 more
attestation
none (self-hosted) · agent v0.5.1 · reproducible hash 8f3c1a0d…
verdict
✓ verified · appended · signed

No US vendors anywhere in the data path.

Hetzner. Scaleway. OVH. Mollie. Brevo. Bunny. Every service in the data path is EU-operated. Your security questionnaires about CLOUD Act exposure, Schrems II, and US subprocessors get a clean, one-line answer.

Your encrypted backup sits in Scaleway FR. Outside your provider's infrastructure. Outside US CLOUD Act reach. Offsite and sovereign in one place.

NIS2

Third-party ICT risk review and cyber-resilience obligations. Signed restore evidence is the kind of control auditors cross-reference.

DORA

Operational-resilience regime for EU financial entities. Demonstrable backup recovery is a named control. Our receipts produce the evidence auditors reference.

C5 · SecNumCloud

BSI C5 and French SecNumCloud procurement labels. We're documenting against them from day one. Useful when selling into German and French regulated markets.

The regulators are doing this marketing for us. Every US-operated backup vendor is on the wrong side of the trend. We didn't have to manufacture the tailwind.

Three plans. No free tier.

Prices are monthly. Annual prepay saves 17% (two months free). Storage overage billed transparently.

Starter

One database. Peace of mind.

€199 /month

or €1,990 /year (2 months free).

  • 1 database (Postgres or MongoDB)
  • Daily backups, weekly restore test
  • 30-day retention (min 7 days)
  • 200 GB ciphertext storage included
  • Checks: custom SQL queries during restore tests
  • Weekly evidence email
  • Email support
Get started
Workhorse

Pro

Evidence for your compliance team.

€399 /month

or €3,990 /year (2 months free).

  • Up to 5 databases, any supported engine
  • Hourly backups, weekly plus on-demand restore tests
  • 90-day retention (min 30 days)
  • 2 TB ciphertext storage included
  • Checks: custom SQL queries during restore tests
  • Compliance pack. DPA template, SOC2 CC6.7 mapping, ISO 27001 A.8.13 mapping.
  • Evidence email to multiple recipients, on-demand
  • Priority email and private Slack channel
Get started

Team

Unlimited scale. Audit-grade.

Talk to us

Negotiated pricing. Annual.

  • Unlimited databases, any supported engine
  • Hourly restore tests, custom retention (min 30 days)
  • 10 TB ciphertext storage included
  • Checks: custom SQL queries during restore tests
  • ISO 27001 A.8.13 mapping + audit support
  • Priority ops SLA
  • Dedicated onboarding session
Book a call →

Storage overage. €0.40/GB per month on Starter, €0.25 on Pro, €0.20 on Team. Cold-tier storage (90+ day retention) priced separately.

Built by an infrastructure engineer, not a marketer.

Simon Nordberg. 20+ years in platform engineering, across Spotify, Volvo Cars, ATG, and others.

Résumé →

  • Apache-2.0 open-source agent. Your security team reads every line. Reproducible builds so they can verify the binary matches the source.
  • Public wire-protocol spec. Independent verifier CLI. Auditors validate receipts without touching Restorable's infrastructure.
  • Cryptographic continuity. Receipts signed by your Ed25519 key remain verifiable forever, across infra changes and vendor changes. Even if we get acquired. We're a bootstrapped EU company with no intention of selling.
  • No managed-keys tier. The architecture makes "we cannot read your data" a fact, not a promise.
  • Immutable retention. Every backup is locked at upload with S3 Object Lock in Compliance mode. No one can delete it before retention expires. Not us, not an attacker with root on our servers.

Common questions.

I already have Supabase / Neon / RDS backups. Why do I need this?
Same reason you flow-test fire sprinklers instead of only installing them. Your provider creates backups. We verify they restore with your schema today, not a year ago when they last passed. Different job, not a competitor. Keep your provider on.
Who else uses this?
You'd be among the first. Restorable is new. The first cohort of customers trades structured feedback for a direct line to the founder and a say in what ships next. A small, loud cohort that shapes what this becomes.
Can I use this for MongoDB only?
Yes. MongoDB support is in beta (production-ready but recent). Postgres is the most battle-tested engine today.
So you're an offsite backup?
Architecturally, yes. The ciphertext sits in Scaleway FR, outside your provider's blast radius, encrypted with your keys. You can restore from our copy using the open-source agent if you need to. But offsite storage isn't what you're paying for. You're paying for the weekly restore test, the signed receipts, and the evidence pipeline. For cheap offsite bytes, use BackBlaze or a Scaleway bucket directly. For proof the bytes are usable, that's us.
Is this open source?
The agent, verifier, core library, and wire-protocol specification are Apache-2.0. Published when the first external customer signs a receipt. The orchestrator and dashboard stay closed. Rule: anything you need to verify our claims is public.
What if you get acquired?
Every receipt you've collected remains independently verifiable against your public key, regardless of what happens to us. The verifier is open source. No network dependency on Restorable. That's deliberate.
What analytics do you run on this site?
Self-hosted Plausible on ping.hackerman.co. No cookies. No cross-site tracking. No personal data stored. Standard server-side access logs rotate after 30 days. No third-party analytics, no US vendors anywhere in the analytics pipeline. Same rule as the product.
How is this priced compared to SimpleBackups or SnapShooter?
Higher. Those are commodity backup tools. None run scheduled restore tests. None produce signed receipts. None hold your keys instead of theirs. None are EU-operated. The gap isn't feature count. It's verification.

How to start.

Sign up, pick a plan, install the agent. Your first signed receipt arrives the same day.

Get started → or book a call