The Client VPS
What Is a Client VPS?
Every practice on our platform gets their own dedicated virtual private server. This is not shared infrastructure — your data lives on its own isolated machine with dedicated resources, not in a multi-tenant database alongside other practices. You get the privacy of a dedicated server with the convenience of a managed service.
Server Specifications
Each Client VPS is provisioned with:
| Specification | Detail |
|---|---|
| Operating System | Ubuntu 26.04 LTS |
| Memory | 2 GB RAM |
| Storage | 20 GB SSD |
| Database | PostgreSQL 18 (isolated per practice) |
| Location | UK data centre (Fasthosts) |
| Connectivity | SSH reverse tunnel (encrypted) |
Your server is hosted with Fasthosts, a UK-based infrastructure provider. Your practice holds a direct account with them — this means you are their customer, not us. That direct relationship is your security superpower: you can verify your infrastructure at source, and if you ever choose to leave, your server comes with you.
Security Configuration
A Client VPS arrives hardened out of the box:
- Firewall (UFW): Default deny inbound. Only SSH and local PostgreSQL access are permitted. Everything else is blocked.
- Brute-force protection (fail2ban): Five failed SSH attempts trigger a one-hour ban. In testing, this alone has blocked hundreds of intrusion attempts.
- SSH hardening: Key-only authentication. Password login is disabled. Root login is restricted. Maximum three authentication attempts.
- Kernel hardening: IP spoofing protection, SYN flood cookies, ICMP redirect ignored, suspicious packet logging enabled.
- Automatic security updates: Critical patches are applied automatically as they are released.
- Monthly patching: A full system update runs on the first of every month, with a detailed log kept for audit purposes.
Connectivity
Your practice's data never travels over the public internet unprotected. An SSH reverse tunnel creates an encrypted, persistent connection from your Client VPS to the principal system. The database is only reachable through this tunnel — there is no public database endpoint, no open PostgreSQL port to the internet.
The tunnel is monitored every 15 minutes. If it drops, the system detects it within minutes and automatically reconnects.
Backup and Disaster Recovery
Backups are fully automated and require no action from you:
- Frequency: Nightly at 2:30 AM
- Encryption: GPG RSA 4096 — backups are encrypted before they touch disk
- Retention: 14 days of daily backups
- Contents: Full database dump, PostgreSQL configuration files, SSH tunnel keys, installed software manifest
- Verification: SHA256 manifest accompanies every backup
- Encryption keys: Backed up securely for disaster recovery
If the worst happens, a restore script is deployed on your server. Recovery is a single command.
Monitoring and Management
You do not need to SSH into a server to know it is healthy. Every Client VPS is monitored around the clock:
| What We Check | How Often | How You See It |
|---|---|---|
| Disk usage | Every 15 min | Dashboard |
| Memory usage | Every 15 min | Dashboard |
| CPU load | Every 15 min | Dashboard |
| Database health | Every 15 min | Dashboard |
| Tunnel connectivity | Every 15 min | Dashboard |
| Backup status | Daily | Dashboard |
| System uptime | Every 15 min | Dashboard |
Your practice has its own dashboard at /infrastructure/ showing all of this in real time, with alert thresholds that warn you before problems become critical.
How This Compares to Cloud Providers
| Feature | Typical Cloud Provider | VeriPath SIAAS |
|---|---|---|
| Patching | Automatic | Automatic (unattended-upgrades + monthly patching cron) |
| Firewall | Security groups | UFW default-deny + fail2ban + kernel hardening |
| Backups | Managed, often extra cost | GPG-encrypted, 14-day retention, included |
| Monitoring | Cloud dashboard (extra cost) | Free, built-in dashboard at /infrastructure/ |
| Database | Managed DB service | Isolated PostgreSQL 18 per client |
| Encryption | Provider-managed keys | GPG RSA 4096, keys you control |
| Infrastructure ownership | None — you are a tenant | Direct account with Fasthosts |
| Vendor lock-in | High — migration is expensive | Zero — your server, your data, portable |
The Sovereignty Difference
The industry norm is shared infrastructure in a public cloud. Your data lives alongside other tenants, behind a hypervisor you do not control, on hardware you cannot verify. If you want to leave, you export your data — if you can find the export button.
A Client VPS flips this model. Your practice has a direct commercial relationship with the infrastructure provider. Your server is yours. Your data never shares a database server with another practice. Your encrypted backups are stored on your infrastructure. And if you decide to move to a different platform, your server can be migrated or kept running independently — there is no lock-in.
This is the core of Sovereign Infrastructure as a Service: you get the convenience of a managed platform with the legal certainty and privacy of dedicated infrastructure.