restorable

Evidence, weekly · Signed by your key

The backup that
proves it can restore.

This is what lands in your inbox every Monday. A signed receipt from last night's restore test, running in an isolated container. Your auditor verifies it independently.

Book a 30-min call → See how it works
Apache-2.0 agent EU-only data path Customer-held keys
restorable Verified
RCT-2026-04-19-00147 · Transparency log index #147

Postgres restore verified.
All 47 application checks passed.

● signed
Sourceneon · eu-central-1 · db_customer_prod Enginepostgres 16.2 · libc 2.39 Size4.7 GB · 147 tables · 312 indexes Duration02:17 restore · 00:43 checks · 00:04 sign Checks47 / 47 passed Signed byed25519:hackerman-ab
✓ Independently verifiable restorable-verify --receipt RCT-2026-04-19-00147
2026-04-19T04:02:51Z

Zero US vendors in
the data path.

Hetzner
Scaleway
OVH
Bunny
Brevo
Mollie

Untested backups are the norm.
pg_restore is nobody's cron job.

Your cron job writes dumps to S3. When did someone last run pg_restore against them? For most teams, the honest answer is never. Or once, accidentally, during a prod incident.

The green checkmark on your backup job means the upload succeeded. It doesn't mean the restore will succeed at 3 AM. Schemas change. Extensions drift. Collations break silently after a libc update. Nobody finds out until it matters.

14%

of IT leaders are confident their data can be recovered in minutes.

2025 State of SaaS Backup report

Where Restorable fits.

Neon, Supabase, AWS RDS, MongoDB Atlas, Crunchy Bridge. Your provider already backs up your database. Keep that on. We handle the part they skip.

Your provider does this already

  • Continuous backups and point-in-time recovery.
  • Durable, often cross-region storage.
  • On-demand restore into production, fast.
  • Integrated with your existing infrastructure.

Primary backup is cheaper and faster to recover than any third-party layer. Don't turn it off.

Restorable adds this

  • Scheduled restore tests. Weekly. End-to-end, in an isolated container. Runs your application-level checks.
  • Signed, independently verifiable evidence. JWS receipts. Your auditor verifies them against your public key. No Restorable API required.
  • Customer-held keys. Backups are encrypted with your age keys before they leave your infrastructure. We store ciphertext. That's the whole relationship.
  • Independent offsite copy. Your encrypted backup lives in Scaleway FR, outside your provider's blast radius. Satisfies the 3-2-1 rule's offsite criterion. If your provider has a week-long outage, you still have your data and the keys to decrypt it.
  • Weekly evidence email. One sentence your CTO, board, or auditor can read and believe.

We back up databases. Postgres, MongoDB, MySQL when it lands. Not Stripe, not GitHub, not Linear. Different product, different vendor.

Five steps, running in your infrastructure.

  1. 01

    Install the agent

    Open-source Go binary, Apache-2.0. Runs on Docker, Kubernetes, or systemd. Next to your application. Your security team reads every line before it ships.

  2. 02

    Agent encrypts backups with your keys

    Age encryption before upload. Our servers see ciphertext. Customer-held keys, no managed-keys tier, no exceptions.

  3. 03

    Weekly restore test

    Agent pulls the ciphertext. Decrypts. Spins up a fresh Postgres or MongoDB container. Runs pg_restore or mongorestore. Executes your application-level checks: row counts, index presence, NULL assertions. SQL or aggregation, whatever you can express.

  4. 04

    Signed receipt, transparency log

    Each restore produces a JWS receipt signed by your Ed25519 key, appended to a per-org transparency log. Auditors verify inclusion, consistency, and signature independently, using the open-source restorable-verify CLI.

  5. 05

    Weekly evidence email

    One human-readable email per week. Pass rate, failure details, links to signed receipts. Forward it. Or let your auditor subscribe.

04 · What you forward to your auditor

The receipt, in miniature.

Keys in mono, verdict in emerald, signature at the bottom. Every signed receipt follows this shape — what you see here is a static example of what a live one looks like.

restorable 2026-04-19 · rct-2026-04-19-00147 · issued hackerman-ab
subject
Postgres restore verified. All checks passed.
claim
A full pg_restore ran in an isolated container in Scaleway FR at 04:02 UTC. 47 application-level assertions executed, 47 passed. Receipt appended to the transparency log at index #147 and signed by your Ed25519 key.
engine
postgres 16.2 · pg_dump 16.2 · libc 2.39
source
neon · eu-central-1 · db_customer_prod
size
4.7 GB compressed · 18.3 GB expanded · 147 tables · 312 indexes
duration
02:17 restore · 00:43 checks · 00:04 sign
checks
row_count(users)=48291 · row_count(orders)=912844 · pk_integrity · null_assertions · 44 more
attestation
none (self-hosted) · agent v0.4.2 · reproducible hash 8f3c1a0d…
verdict
✓ verified · appended · signed

No US vendors anywhere in the data path.

Hetzner. Scaleway. OVH. Mollie. Brevo. Bunny. Every service in the data path is EU-operated. Your security questionnaires about CLOUD Act exposure, Schrems II, and US subprocessors get a clean, one-line answer.

Your encrypted backup sits in Scaleway FR. Outside your provider's infrastructure. Outside US CLOUD Act reach. Offsite and sovereign in one place.

NIS2

Third-party ICT risk review and cyber-resilience obligations. Signed restore evidence is the kind of control auditors cross-reference.

DORA

Operational-resilience regime for EU financial entities. Demonstrable backup recovery is a named control. Our receipts map directly.

C5 · SecNumCloud

BSI C5 and French SecNumCloud procurement labels. We're documenting against them from day one. Useful when selling into German and French regulated markets.

The regulators are doing this marketing for us. Every US-operated backup vendor is on the wrong side of the trend. We didn't have to manufacture the tailwind.

Three plans. No free tier.

Prices are monthly. Annual prepay saves 17% (two months free). Storage overage billed transparently.

Starter

One database. Peace of mind.

€149 /month

  • 1 database (Postgres or MongoDB)
  • Daily backups, weekly restore test
  • 30-day retention
  • 50 GB ciphertext storage included
  • Weekly evidence email
  • Email support
Get in touch
Workhorse

Pro

Compliance-grade evidence.

€349 /month

  • Up to 5 databases, any supported engine
  • Daily backups, weekly plus on-demand restore tests
  • 90-day retention
  • 500 GB ciphertext storage included
  • Compliance pack. DPA template, SOC2 CC6.7 mapping, ISO 27001 A.8.13 mapping.
  • Evidence email to multiple recipients, on-demand
  • Priority email and private Slack channel
Talk to Simon
10 seats

Founding

Everything in Pro. Lifetime lock. Founder time.

€197 /month

Prepaid annually (€2,364). Locks in 30% off Pro for life.

  • Everything in Pro
  • 30% lifetime discount. Locked as we raise prices.
  • Weekly 30-minute founder call for the first 12 weeks
  • Direct Slack DM to Simon. Influence on roadmap priorities.
  • Money back if your first restore test doesn't produce a verified receipt within month 1.
  • Optional named case study at GA
Claim a seat →

Storage overage. €0.40/GB per month on Starter, €0.25 on Pro and Founding. Cold-tier storage (90+ day retention) priced separately.

Managed Confidential (Phase 5). Add-on at €199/month per source when we ship AMD SEV-SNP hosting in Scaleway. Optional. Self-hosted stays the default.

Built by an infrastructure engineer, not a marketer.

Simon Nordberg. Ex-Spotify Cloud Storage Product Area lead, running storage, databases, and caching across all of R&D. 20+ years in platform engineering. Built Crossplane platforms at Volvo Cars. Ran engineering as CTO at Urb-it.

Résumé →

  • Apache-2.0 open-source agent. Your security team reads every line. Reproducible builds so they can verify the binary matches the source.
  • Public wire-protocol spec. Independent verifier CLI. Auditors validate receipts without touching Restorable's infrastructure.
  • Cryptographic continuity. Receipts signed by your Ed25519 key remain verifiable forever, across infra changes and vendor changes. Even if we get acquired. We're a bootstrapped EU company with no intention of selling.
  • No managed-keys tier. The architecture makes "we cannot read your data" a fact, not a promise.

Common questions.

I already have Supabase / Neon / RDS backups. Why do I need this?
Same reason you flow-test fire sprinklers instead of only installing them. Your provider creates backups. We verify they restore with your schema today, not a year ago when they last passed. Different job, not a competitor. Keep your provider on.
Who else uses this?
You'd be among the first 10. The founding offer exists so early customers trade structured feedback for a lifetime discount. Not a growth hack. A small, loud cohort that shapes what this becomes.
Can I use this for MongoDB only?
Yes. MongoDB support is in beta (production-ready but recent). Postgres is the most battle-tested engine today. MySQL is next. Redis and ClickHouse are deferred until demand proves itself.
So you're an offsite backup?
Architecturally, yes. The ciphertext sits in Scaleway FR, outside your provider's blast radius, encrypted with your keys. You can restore from our copy using the open-source agent if you need to. But offsite storage isn't what you're paying for. You're paying for the weekly restore test, the signed receipts, and the evidence pipeline. For cheap offsite bytes, use BackBlaze or a Scaleway bucket directly. For proof the bytes are usable, that's us.
Is this open source?
The agent, verifier, core library, and wire-protocol specification are Apache-2.0. Published when the first external customer signs a receipt. The orchestrator and dashboard stay closed. Rule: anything you need to verify our claims is public.
What if you get acquired?
Every receipt you've collected remains independently verifiable against your public key, regardless of what happens to us. The verifier is open source. No network dependency on Restorable. That's deliberate.
What analytics do you run on this site?
Self-hosted Plausible on ping.hackerman.co. No cookies. No cross-site tracking. No personal data stored. Standard server-side access logs rotate after 30 days. No third-party analytics, no US vendors anywhere in the analytics pipeline. Same rule as the product.
How is this priced compared to SimpleBackups or SnapShooter?
Higher. Those are commodity backup tools. None run scheduled restore tests. None produce signed receipts. None hold your keys instead of theirs. None are EU-operated. The gap isn't feature count. It's verification.

How to start.

A 30-minute call. We walk through your stack, identify the databases worth watching, and figure out if Restorable fits. If it does, we set up the agent. If it doesn't, we both saved time.

Book a call → 30 minutes · no slides · EU hours
✓ this page is itself signed content page-hash: sha256:f3b753bb0f4bc9fe9e3b2c5a11d8e3c7dc9f054f45cfab232d4f51410db12b29
page-sig: 8c953111418cc230a9f56a85d0b7d8133b9d74365690328bb5f623b040f6d49a1f293776ef1b753bb5cf41dde6dbc9d84e3411cf35796bd019161c5aad659007
signed-by: hackerman-ab
built 2026-04-20T11:03:39.599Z
verify: restorable-verify --page https://restorable.app