Skip to main content Skip to navigation Skip to footer
Limited time: Design Partner Program — BUSINESS plan free for life

Free download · A4 PDF · CISO / CTO grade

Encryption Control

Schrems II is not a policy choice. It is an architecture requirement, and most backup vendors fail it.

Get the technical brief

A no-fluff PDF written for CISOs, CTOs, and senior engineers. We send the link by email so you can find it again.

One email. Confirmation by mail. Unsubscribe with one click.

What's inside

The brief covers the architecture, the failure modes it blocks, the regulatory map, and the operator-level evidence an auditor will ask for. Roughly 10 to 14 dense pages.

  1. The threat model in concrete operator terms
  2. Architectural mechanism, with adversary-model reasoning
  3. Failure modes blocked, with named precedents
  4. Compliance map: specific rules, fines, reporting windows
  5. ROI math grounded in published numbers
  6. Vendor comparison on technical approach (not ARR)
  7. Onboarding shape and known scope limits
  8. Audit-ready evidence the architecture produces

Related solution pages

The same architecture, applied to specific buyer questions:

Migrate without risking your data

Moving between servers, clouds, or providers? Your encrypted backups travel safely. No exposure. No data loss.

Read more

Your keys. Your encryption. No exceptions.

Every backup is encrypted with keys you own. Not your vendor's keys. Not shared keys. Yours alone.

Read more

Every action logged. Nothing hidden.

Complete visibility into who did what, when, and why. Tamper-proof audit logs for every operation.

Read more

Sovereign by architecture, not by certificate.

You host it. You hold the keys. No US-jurisdictional provider can be compelled to hand over what they don't have.

Read more

Questions readers asked

Who is this brief written for?

A CISO, CTO, or senior infrastructure engineer evaluating the architecture. It assumes familiarity with backup workflows, filesystem fundamentals, and the regulatory landscape your stack already touches.

Is there a non-technical version?

Yes. After you submit your email, the same page links to a five-minute executive PDF you can forward to a CFO, IT director, or board member.

What happens to my email?

One confirmation email. You're added to our newsletter (one short post per month, all-product). Unsubscribe with one click. Your email lives in the EU by default per Rediacc's data-residency policy.

Why btrfs?

The brief explains in detail. The short version: btrfs makes immutability, copy-on-write snapshots, and incremental send/receive properties of the storage layer rather than of an application running on top of it. That changes what an attacker holding root credentials can defeat.

Does this apply to managed services like AWS RDS?

Not directly. The architecture covers self-managed compute with containerized databases on btrfs-backed volumes. If your recovery-critical estate sits in RDS or Aurora, the brief flags this explicitly and points to where the model does and doesn't apply.

About this brief

Rediacc is a Tallinn-based infrastructure protection company building btrfs-native backup and disaster recovery on commodity Linux. This brief was written by the engineering team, edited against an anti-AI-slop style guide, and reviewed for technical accuracy before publication.

Have a question we should add to this page? Tell us at hello@rediacc.com.

Download short brief (PDF)