Privacy doesn't mean anything anymore, anonymity does

2025-12-20 6:21 | servury.com

Privacy is when they promise to protect your data. Anonymity is when they never had your data to begin with.

Matteo M.

December 20, 2025

18,227 views

Every company says they "care about your privacy." It's in every privacy policy, every marketing page, every investor deck. But if I can reset your password via email, I know who you are. If I log your IP, I know where you are. If I require phone verification, I have leverage over you.

That's not privacy. That's performance art.

In 2025, "privacy" has become the most abused word in tech. It's slapped on products that require government IDs, services that log everything, and platforms that couldn't protect user data if they tried.

Real anonymity isn't a marketing claim. It's an architectural decision that makes it impossible to compromise users, even if you wanted to. Even if someone put a gun to your head. Even if a three-letter agency showed up with a warrant.

Let me show you the difference.

Here's how the average "privacy-focused" service actually works:

User Journey:
1. Enter email address
2. Verify email (now we have your email)
3. Create password (now we can reset it via email)
4. Add phone for "security" (now we have your phone)
5. Confirm identity for "fraud prevention" (now we have your ID)
6. Enable 2FA (more identity vectors)

Privacy Policy:
"We care deeply about your privacy and only collect 
necessary information to provide our services..."

Translation:
We have everything. We log everything. 
We just promise to be careful with it.

The problem isn't malice. Most services genuinely try to protect user data. But protection implies possession. And possession is the vulnerability.

You can't leak what you don't have. You can't be forced to hand over what doesn't exist.

In 2023, Swedish police raided Mullvad VPN's offices with a search warrant. They wanted user data. Customer information. Connection logs. Anything.

They left empty-handed.

Not because Mullvad refused to cooperate. Not because they hid the data. But because there was no data to give. Mullvad's entire identity system is a randomly generated account number. No email. No name. No records.

Mullvad's entire authentication system: 16 random digits. That's it. That's the whole identity.

When the police realized this, they couldn't even argue. The architecture made compliance impossible. Not difficult. Impossible.

That's what real anonymity looks like.

When we designed Servury, we asked ourselves: what's the minimum information needed to run a cloud hosting platform?

Turns out, not much:

// What we DON'T collect:
- Email address (no recovery, no marketing, no leaks)
- Name (we don't care who you are)
- IP addresses (not logged, not stored, not tracked)
- Payment information (handled by processors, not us)
- Usage patterns (no analytics, no telemetry, nothing)
- Device fingerprints (your browser, your business)
- Geographic data (beyond what's needed for server selection)

// What we DO store:
- 32-character credential (random alphanumeric string)
- Account balance (need to know if you can deploy)
- Active services (servers and proxies you're running)

That's it. Three data points.

No "forgot password" link. No email verification. No phone number for "account security." Because every one of those features requires storing identity, and identity is the attack surface.
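The account model described above, sketched as an added example (this is not Servury's code). Assumptions: the alphabet is the 62 ASCII letters and digits, the server persists only a SHA-256 digest of the credential (the page does not say how the credential is stored), an in-memory dict stands in for the database, and all function and field names are hypothetical. The entropy helper also covers the 16-digit Mullvad account number mentioned earlier.

```python
"""Credential-only accounts: the random string is the whole identity."""
from __future__ import annotations

import hashlib
import math
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits  # assumed: 62 alphanumeric symbols
CREDENTIAL_LENGTH = 32                           # length stated in the article


def new_credential() -> str:
    """Generate the credential from the OS CSPRNG (never the `random` module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(CREDENTIAL_LENGTH))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of a uniformly random string."""
    return length * math.log2(alphabet_size)


def lookup_key(credential: str) -> str:
    """Assumption (not stated on the page): persist only a SHA-256 digest.

    A fast hash is acceptable here because the input is ~190 bits of uniform
    randomness, not a human-chosen password, so offline guessing is infeasible.
    """
    return hashlib.sha256(credential.encode("ascii")).hexdigest()


@dataclass
class Account:
    balance_cents: int = 0
    services: list[str] = field(default_factory=list)


class AccountStore:
    """In-memory stand-in for the database; there is no identity column at all."""

    def __init__(self) -> None:
        self._rows: dict[str, Account] = {}

    def register(self) -> str:
        credential = new_credential()
        self._rows[lookup_key(credential)] = Account()
        return credential  # shown to the user once; the server keeps only the digest

    def authenticate(self, presented: str) -> Account | None:
        # Reject malformed input before hashing. There is no other login path
        # (no e-mail reset, no support override) that could map a person to a row.
        if len(presented) != CREDENTIAL_LENGTH or any(c not in ALPHABET for c in presented):
            return None
        return self._rows.get(lookup_key(presented))

    def dump(self) -> list[dict]:
        """Everything a breach or seizure of the store would yield."""
        return [
            {"credential_sha256": key, "balance_cents": acct.balance_cents,
             "services": list(acct.services)}
            for key, acct in self._rows.items()
        ]


if __name__ == "__main__":
    store = AccountStore()
    cred = store.register()
    account = store.authenticate(cred)
    account.balance_cents += 500
    account.services.append("vps-1")  # constructed service name
    print("credential (save it, there is no recovery):", cred)
    print("32 alphanumeric chars:", round(entropy_bits(62, 32), 1), "bits")
    print("16 decimal digits:    ", round(entropy_bits(10, 16), 1), "bits")
    print("stored rows:", store.dump())
```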

Here's the part where other "privacy" companies quietly change the subject: lose your credential, you're done.

No recovery process. No support ticket that can restore access. No "verify your identity" workflow. If that 32-character string disappears, so does your account.

And you know what? That's exactly the point.

  • Traditional service: "We can help you recover your account by verifying your identity"
    Translation: We know who you are, and we can prove it.
  • Servury: "We literally cannot help you recover your account"
    Translation: We have no idea who you are, and that's by design.

The inconvenience of memorizing (or securely storing) a random string is the cost of anonymity. Anyone who tells you that you can have both perfect anonymity AND easy account recovery is lying or doesn't understand the threat model.

Let's walk through a real scenario:

"Hi Servury support, I lost access to my account. Can you help me recover it?"

"I'm sorry, but we have no way to verify account ownership. If you don't have your credential, the account is inaccessible to everyone, including us."

"But I can prove it's me! Here's my payment receipt, my IP address, the exact time I signed up—"

"We don't store any of that information. There's nothing to match against."

Is this frustrating for users who lose their credentials? Absolutely. Is it a feature? Absolutely.

Because on the flip side:

  • Law enforcement can't social engineer your account access
  • Hackers can't phish or reset your credentials via email
  • We can't accidentally leak your personal information (because we don't have it)
  • No government can force us to reveal who you are (because we genuinely don't know)

Email addresses are the original sin of modern internet identity. They seem harmless. Universal. Convenient. And they completely destroy anonymity.

Why email kills anonymity:

1. Email IS identity
   - Tied to phone numbers
   - Tied to payment methods  
   - Tied to other services
   - Recovery mechanisms expose you

2. Email IS trackable
   - Read receipts
   - Link tracking
   - Metadata analysis
   - Cross-service correlation

3. Email IS persistent
   - Exists beyond single service
   - Archived forever
   - Subpoenaed retroactively
   - Leaked in breaches

4. Email IS social engineering
   - Phishing vector
   - Password reset vulnerability
   - Support ticket exploitation
   - Impersonation risk

The moment you require an email address, you're not building for anonymity. You're building for accountability. And sometimes that's fine! Banks should know who you are. Government services should verify identity. But cloud infrastructure? VPNs? Proxy services?

We shouldn't need to know a damn thing about you.

We accept cryptocurrency not because we're trying to hide from authorities. We accept it because traditional payment systems are surveillance infrastructure.

Every credit card transaction creates a permanent record linking your identity to your purchase. Your bank knows. The payment processor knows. The merchant knows. And they all store it. Forever.

Cryptocurrency breaks that chain. Not perfectly—blockchain analysis is a thing—but enough to decouple payment from persistent identity. Especially when combined with no-email registration.

And for those who need traditional payments? We support Stripe. Because pragmatism matters. But we don't pretend that credit card payments are anonymous. We're honest about the trade-offs.

Let's be crystal clear about what we're NOT claiming:

  • Anonymity ≠ Impunity
    If you use our servers for illegal activity, law enforcement can still investigate. They just can't start with "who owns this account" because we can't answer that question.
  • Anonymity ≠ Security
    Your credential is just a random string. If you save it in plaintext on your desktop, that's on you. Anonymity from us doesn't mean anonymity from your own bad opsec.
  • Anonymity ≠ Invisibility
    Your server has an IP address. Your proxy connections are visible. We're not magic. We just don't tie those technical identifiers back to your personal identity.
  • Anonymity ≠ Zero Trust Required
    You still have to trust that we're actually doing what we say. Open source code, transparency reports, and independent audits help, but perfect trustlessness is impossible in hosted infrastructure.

Anonymity is about limiting the damage when trust fails. It's about architecture that can't betray you even if the humans running it wanted to.

The internet is splitting into two worlds: the authenticated web and the anonymous web.

The authenticated web is where governments and corporations want you. Real names. Verified identities. Traceable payments. Every action logged and analyzed. It's convenient. It's personalized. It's surveilled.

The anonymous web is where privacy still exists. Where you can explore, experiment, and communicate without building a permanent record. Where your data can't be weaponized against you because it was never collected.

Every service that requires real identity for no technical reason is pushing you toward the authenticated web. Every credential-based, no-email, crypto-accepting service is keeping the anonymous web alive.

This isn't about having something to hide. It's about refusing to live under constant surveillance as the default.

Privacy is when they promise to protect your data.
Anonymity is when they never had your data to begin with.

That's the difference, that's what we built, that's real anonymity.

A 32-character string. No email. No identity. No bullshit.

Everything else is just marketing.



Comments

  • By mk89 2025-12-20 8:46, 5 replies

    At first I thought it was a blog. No, this is a company. So, their privacy page (https://servury.com/privacy/):

    > Server Logs
    > Like all web services, our servers may log:
    > IP addresses of visitors
    > Request timestamps
    > User agent strings
    > These logs are used for security and debugging purposes and are not linked to your account.

    That's already a huge breach in comparison to mullvad privacy page. (https://mullvad.net/en/help/no-logging-data-policy)

    • By ybceo 2025-12-20 9:21, 5 replies

      I agree 100%. I went ahead and disabled all logging in Apache just now. Will update the privacy page to reflect this within the hour.

      • By drink_machine 2025-12-20 9:27, 4 replies

        Shouldn't you have spent some time to think through basic things like this before trying to write an opinion piece on anonymity? Certainly it shows a lack of depth of understanding.

        • By everdrive 2025-12-20 17:21, 4 replies

          The privacy crowd seems to be incapable of grey areas. Are all these the same thing? Are they all the same severity of problem?

            - A web site logs traffic in a sort of de facto way, but no one actually reviews the traffic, and it's not sent to 3rd parties.
          
            - A government website uses a standard framework and that framework loads a google subdomain. In principle, Google could use this to track you but there's no evidence that this actually happens.
          
            - A website tracks user sessions so they can improve UI but don't sell that data to 3rd parties.
          
            - A website has many 3rd party domains, many of which are tracking domains.
          
            - Facebook knows exactly who you are and sells your information to real-time-bidding ad services.
          
            - Your cell phone's 3G connection must in principle triangulate you for the cell phone to function, but the resolution here is fuzzy.
          
            - You use Android and even when your GPS is turned "off" Google is still getting extremely high resolution of your location at all times and absolutely using that information to target you.
          
          A LOT of the privacy folks would put all those examples in the same category, and it absolutely drives me up a wall. It's purity-seeking at the expense of any meaningful distinction, or any meaningful investigation that actually allows users to make informed decisions about their privacy.

          • By johnnyanmac 2025-12-20 20:34, 1 reply

            The issue isn't about the present but the future. You don't just assume Google one day won't try to compromise government data.

            Even if they don't, it opens up more attack vectors for malicious 3rd parties who want that data. That's why you can't be careless.

            • By TeMPOraL 2025-12-20 21:22, 4 replies

              That is paranoia.

              At any time any company could turn evil, and any free(ish) government could become totalitarian overnight. This is a fact, but also pretty useless one.

              The real questions to ask are, how likely it is to happen, and if that happens, how much did all these privacy measures accomplish.

              The answer to those are, "not very", and "not much".

              Down here on Earth, there are more real and immediate issues to consider, and balance to be found between preventing current and future misuse of data by public and private parties of all sides, while sharing enough data to be able to have a functioning technological civilization.

              Useful conversations and realistic solutions are all about those grey areas.

              • By johnnyanmac 2025-12-20 21:48

                >At any time any company could turn evil, and any free(ish) government could become totalitarian overnight. This is a fact, but also pretty useless one.

                Is it isrlsss paranoia when it's happening around us as we speak?

                It's strange how we call it "preparation" to spend trillions of dollars on mobilizing a military, but "paranoia" to simply take some best practices and not have the citizen's data dangling around. It's a much cheaper aspect with huge results, like much of tech.

                I live in a good neighborhood and I have left my door unlocked once or twice to no consequence. That doesn't mean it's paranoia to make a habit out of locking my doors.

                That's all I assert here. Care and effort. I don't know all the subtle steps to take since I'm not in cybersecurity, but we still shouldn't excuse sloppiness.

              • By drob518 2025-12-21 14:20

                Exactly. Just because something is possible doesn’t mean it’s probable. Everything is a risk. Everyone needs to prioritize against the set of risks that can be identified and figure out if they can be mitigated.

              • By everdrive 2025-12-21 13:27

                This is really well-stated, and I'd add that even if you want to adopt the paranoid perspective, it still shouldn't lead someone to flatten all risks until they look the same. In real-world scenarios with real risk (military, firefighting, policing, etc.) real effort is made to measure and prioritize risks. Without that measuring and prioritizing of risks, the privacy crowd is prevented from making real improvement.

          • By dylan604 2025-12-20 20:11, 1 reply

            > - A web site logs traffic in a sort of de facto way, but no one actually reviews the traffic, and it's not sent to 3rd parties.

            Even if this sounds innocent, these must be turned over if you are provided a warrant or subpoena (whichever would be appropriate, IANAL).

            • By Brian_K_White 2025-12-21 0:28, 2 replies

              But it's not malicious. It's not ideal, and it should be addressed, but it's not bad faith or intentional spying or even gross negligence or incompetence.

              • By dylan604 2025-12-21 1:18, 1 reply

                When you claim you keep no logs yet find out you are keeping logs, what is that if not incompetence or negligence?

                • By Brian_K_White 2025-12-21 2:26, 1 reply

                  Human. And what was their reaction upon having this crime brought to their attention? It was exactly all anyone could ask for.

                  Shitting on well-intentioned people who merely failed to be perfect is not a great way to get the most of what you ultimately want.

                  If you think intent doesn't matter then what happens when well-intentioned people decide it's not worth trying because no matter what they will be crucified as murderers even if all they did wrong was fail to clean the break room coffee pot. The actual baddies are still there and have no inhibitions and now not even any competition.

                  • By dylan604 2025-12-21 18:43

                    Calling a strike a strike does not blame the batter. It’s simply calling it for what it is. Even if the person corrects the wrong does not mean that incompetence or negligence was not the correct description. This entire being offended for the correct words used to describe things is tiresome. It’s like people being offended at being told they are ignorant. Ignorant does not mean stupid. Just because ignorant people are ignorant of the word does not make people using words correctly mean or bad or full of ill will.

              • By godelski 2025-12-22 9:50

                > it should be addressed, but it's not bad faith
                
                I think this is the part that annoys me about the privacy community. There's nicer ways to deal with these issues and get them resolved rather than just leaping to the pitchforks. Raise the concern and observe the response. That is far more informative of how much one should trust. Because let's be honest, at the end of the day there is still trust. You have to trust that they have no logs. You have to trust any third party auditor. Trustless is a difficult paradigm to build, so what's critical is the little things.

                But jumping to pitchforks just teaches companies to ignore the privacy crowd. Why cater to them when every action is interpreted as malicious? If you can do no right then realistically you can do no wrong either. If every action is "wrong" then none are. In this way I think the privacy community just shoots themselves in the foot, impeding us from getting what we want.

          • By Rygian 2025-12-20 18:36

            They belong in the same category: the end user has zero agency over how their privacy is impacted, and is at the whim of the wishes/agency of whoever is serving content to them.

            Whether the one serving the content is exploiting data at the present moment has very little relevance. Because the end user has no means to assert whether it is happening or not.

          • By roncesvalles 2025-12-21 3:48, 4 replies

            > A web site logs traffic in a sort of de facto way, but no one actually reviews the traffic, and it's not sent to 3rd parties.

            If data exists, it can be subpoenaed by the government.

            Personally, I don't understand people's mindless anathema about being profiled by ad companies, as if the worst thing ever in the world is... being served more relevant ads? In fact I love targeted ads, I often get recommended useful things that genuinely improve my life and save me hours in shopping research.

            It's the government getting that data that's the problem. Because one day you might do something that pisses off someone in the government, and someone goes on a power trip and decides to ruin your life by misusing the absolute power of the state.

            • By hdgvhicv 2025-12-21 14:17

              If a correlation has the data it will sell it to anyone, including the government

              If a government has the data there’s a chance it will stay in the government at least

              You either

              1) don’t want it stored

              2) are happy for government to have it but not companies

              3) are happy for everyone to have it

            • By ahartmetz 2025-12-21 10:30

              The private sector - banks, insurances, your e-mail provider, cloud storage provider... - can mess with you pretty well, too.

            • By subscribed 2025-12-23 14:48

              Adtech sells that to creeps, governments, police, insurance, banks, creeps, criminals, lawyers, data brokers. There absolutely IS a case for defending vehemently against the ads and tracking.

              And that's even before malvertising comes into picture.

            • By everdrive 2025-12-21 13:33, 1 reply

              The government would need to know what to subpoena, and what to prioritize as well. In principle could the government subpoena my ISP, learn I'd used a VPN, subpoena the VPN, learned I visited Wikipedia, then subpoena Wikipedia to finally learn what articles I'd written. Yes, but in practice this will never happen. There's no interest in doing so, and it's unclear a judge would be convinced that useful information could be obtained from such a path.

              On the other hand, if I'm making death threats on Facebook, there's a much more realistic path: view the threats from a public source --> subpoena Facebook for private data.

              Treating the two risks as similar is madness.

        • By amarant 2025-12-20 19:47

          We all mess up and miss things, op has shown maturity enough to admit to their mistakes and improve from them.

          My takeaway from this thread is an increased amount of trust in OP. Not because they made a mistake, but because of how they handled it. Well done OP!

        • By ybceo 2025-12-20 9:33, 4 replies

          I disagree. Like I said earlier:

          Web server logs were not tied to user credentials in any way, they were used for debugging purposes and could not have been used to identify users.

          • By procaryote 2025-12-20 9:44, 1 reply

            From your faq: "We maintain zero logs of your activities. We don't track IP addresses, …"

            Front page says "zero logs"

            Some logs, including specifically datapoints you have promised not to log, but you mean well (?) is pretty different from zero logs

            • By ffsm8 2025-12-20 13:46

              Fwiw, zero logs in that context is usually in the relation to requests through the VPN, whereas this discussion is about requests on their homepage? Or did I misunderstand something here?

          • By pear01 2025-12-20 14:17, 1 reply

            You disagree and yet you agreed 100% and made the change. I thought the point the preceding parent comment is making is that you should have thought of that beforehand. Yet you seemed to already come to a judgement about it yet then quickly agreed to reverse yourself.

            Sounds like a clear "lack of a depth of understanding" to me.

          • By organsnyder 2025-12-20 15:40

            I have a static IP address; and most connections tend to have long-lived leases anyways. It can easily be used to identify me, even if you don't explicitly tie it to my account.

          • By drink_machine 2025-12-20 9:35, 1 reply

            [flagged]

            • By ybceo 2025-12-20 9:45, 2 replies

              I went ahead and took action on the criticism as soon as I saw the parent comment. All apache access logs are piped to /dev/null now.

              I'm not here to debate, the reason I posted here is to hear what people thought and see how I could improve my platform based on the criticism.

              • By basedrum 2025-12-20 16:09, 1 reply

                Look into the Apache module called mod-remove-IP, it's old and hasn't had any changes for years, but it works much better than just disabling in the logs because it will also persist those removals throughout any frameworks. Also with Apache you cannot as easily destroy your error logs which sometimes have IPs in them. Consider nginx as an alternative.

              • By navigate8310 2025-12-20 15:02, 1 reply

                I appreciate your opinion on anonymity, but, it's nothing more than, "trust me bro". And being a US company that further tingles the spidey sense.

                • By joemazerino 2025-12-20 15:40, 1 reply

                  The US isn't the sole transgressor against privacy. EU has made that pretty clear in the last month.

                  • By sallveburrpi 2025-12-20 16:59, 1 reply

                    What happened in the last month? Genuine question

                    • By joemazerino 2025-12-21 15:50, 1 reply

                      Look up Chat Control.

                      • By sallveburrpi 2025-12-21 16:30

                        Chat Control was first proposed in 2022 and is still in parliament. Some try to push it through again and again but it gets blocked. I don’t see why it should be different this time and so far nothing has actually changed for EU citizens.

        • By lisbbb 2025-12-21 2:08

          Privacy was a joke--every time I gave someone my data that data got breached, including the US government.

      • By ljlolel 2025-12-20 9:49, 2 replies

        The whole thing is behind cloudflare!

        • By megous 2025-12-20 10:26, 1 reply

          Anonymity is responsibility of a visitor in any case. If the visitor's anonymity depends on some website not storing logs, the visitor lost already.

          • By reactordev 2025-12-20 17:27

            Your browser knows more about you than you do. When accessing a website, anonymous or not, it sends a fingerprint so to speak to that site and its ad network. It’s there that your anonymity ceases and you are identified, classified, segmented, and fed more “How to stay safe online” ads. There’s no escaping it. Chromium is not to be trusted.

        • By bossyTeacher 2025-12-20 13:49, 4 replies

          in 2025, can small and medium businesses afford to be exposed to the world wild web? You don't need to be a major site these days to be DDosed on the regular

          • By encom 2025-12-20 14:32, 1 reply

            Baseless fear mongering. I've had webservers raw-dogging the Internet for about 25 years. Nothing of any consequence has happened. Hasn't happened to anyone I know, either. Anecdata yes, but people are making it sound like running a webserver is like connecting a Windows XP machine to the internet - instant pwnage. It isn't.

            I've been DDoS'ed exactly once. In 2003 I got into a pointless internet argument on IRC, and my home connection got hammered, which of course made me lose the argument by default. I activated my backup ISDN, so my Diablo 2 game was barely interrupted.

            • By hollerith 2025-12-20 14:38, 2 replies

              >I've had webservers

              But have those webservers supported a small or medium-sized business?

              • By trollbridge 2025-12-20 14:59

                Mine do, although I do use Cloudflare.

                I've periodically removed Cloudflare because of issues with reissuing SSL certs, Cloudflare being down, and other reasons, and haven't noticed any problems.

                The biggest benefit I get from Cloudflare is blocking scraper robots, which I've just been too lazy to figure out how to do myself.

              • By sdoering 2025-12-20 16:19

                Mine did. Mine do. Never a problem. Not once.

          • By V__ 2025-12-20 14:05

            Who gets ddosed on the regular? Spam is a regular problem, but I have never encountered a ddos on a business website.

          • By 63stack 2025-12-21 0:23

            Yes. The whole "you will be ddosd if you are exposed to the world wide web" is fud. (And/or racketeering)

          • By immibis 2025-12-20 15:20

            Despite what Cloudflare wants you to think, yes, yes they can.

            Also you can sue whoever DDoSes you and put them in jail. It's easier than it used to be, since the internet is heavily surveilled now. The malicious actors with really good anonymity aren't wasting it attacking a nobody.

      • By sdoering 2025-12-20 16:15, 2 replies

        Does it matter, when CF is collecting all that already before people even reach your site?

        • By zbentley 2025-12-20 19:46

          Does CF matter, when intermediate ISPs are collecting IP address and DNS query activity and can be subpoenaed?

          The answer to both this and parent is yes: partial privacy improvements are still improvements. There are two big reasons for this and many smaller reasons as well:

          First, legal actors prioritize who to take action against; some cases are “worth seeing if $law-enforcement-agency can get logs from self-hosted or colo’d servers with minimal legal trouble” but not “worth subpoenaing cloudflare/a vpn provider/ISP for logs that turned out not to be stored on the servers that received the traffic“.

          Second, illegal actors are a lot more likely to break into your servers and be able to see traffic information than they are to be able to break into cloudflare/vpn/ISP infrastructure. Sure, most attackers aren’t interested in logs. But many of the kind of websites whose logs law enforcement is interested in are also interesting to blackmailers.

        • By dylan604 2025-12-20 20:14

          If the authorities come to TFA site with demands, they can't do anything about what CF is doing. All they can do is turn over what they have, and/or prove they don't have what is being asked of them. What some 3rd party does is not germane at all.

      • By mk89 2025-12-20 10:03, 3 replies

        Are you allowed to do that in US? I see the company is located in the USA, can companies disable logging just like that?

        (Asking because I really don't know)

        • By immibis 2025-12-20 10:23, 1 reply

          In most countries the law doesn't say you have to log everything about your users, but it does say that if you log it and the police ask for it then you have to give the data to them.

          • By singpolyma3 2025-12-20 13:41, 1 reply

            I think you mean if a court asks for it. And they have to ask for something you actually have

            • By immibis 2025-12-20 14:46, 1 reply

              That's why companies that actually care about privacy (I think there are only two - Mullvad and Signal?) make a point of not ever capturing the data to begin with, and deleting what they do capture as soon as possible.

              • By singpolyma3 2025-12-20 21:59, 2 replies

                Interesting that you mention those two as I'd not trust either with private data. They engage in too much magical thinking in their marketing for my liking...

        • By SoftTalker 2025-12-20 17:27

          I don't know either, but I would guess there are no laws that says internet service operators must log anything.

          But, banks and financial services now must obey "know your customer" laws so it's not beyond imagination that similar laws could be applied to websites and ISPs operating in a particular country.

        • By drnick1 2025-12-21 7:10

          What is truly absurd is that most websites default to logging activities. It's as if they actively conspired against their users.

      • By godelski 2025-12-22 9:44

        Just curious, why not accept cash?

        Not that I use it, but one of the best privacy features of Mullvad is that you can post them cash with your account number and they will credit it. That makes the transaction virtually, and for all practical purposes, untraceable.

        It seems like you have the means to do exactly that too.

    • By afro88 2025-12-20 9:11, 1 reply

      > That's already a huge breach in comparison to mullvad privacy page.

      And the "3 data points, that's it" of the blog post

      • By ybceo 2025-12-20 9:23, 1 reply

        Those data points refer to what is stored in the database and is tied to your 32 character credential.

        Web server logs were not tied to user credentials in any way.

    • By willtemperley 2025-12-20 20:00

      I initially liked the sentiment but the offering doesn’t appear to add up. Unfortunately the real private cloud, if it exists, is bare metal and can’t really be sold as a subscription.

    • By IlikeKitties 2025-12-20 9:12, 1 reply

      I mean technically yes but I find THAT kind of logging utterly benign.

      • By procaryote 2025-12-20 9:33, 1 reply

        They're good enough for fingerprinting and matching against other logs.

        Also:

        > // What we DON'T collect:

        > - IP addresses (not logged, not stored, not tracked)

        > - Usage patterns (no analytics, no telemetry, nothing)

        > - Device fingerprints (your browser, your business)

        so, I've read one blog from this company, and already they're lying or incompetent

        • By tensegrist 2025-12-20 10:20, 1 reply

          i hate to point it out, but that was written by an llm that probably wasn't prompted precisely enough to not make up comforting thoughts like that

          • By pxc 2025-12-20 14:39

            Indeed, the whole thing reads like it was written by an LLM.

    • By givemeethekeys 2025-12-21 17:18

      Do as I say, not as I do! /s

  • By coldstartops 2025-12-20 21:04, 2 replies

    You are lying. Here: https://servury.com/datacenters/

    Here on datacenters you say you are ISO27001 and SOC2 certified.

    "We're ISO 27001 certified and maintain SOC 2 Type II compliance."

    You do not have any certificate that I can find: https://www.iafcertsearch.org/search/certified-entities?sear...

    https://www.iafcertsearch.org/search/certified-entities?sear...

    Who is the company who certified you? What is the certification number?

    • By foundry27 2025-12-20 23:50, 1 reply

      I’m not sure if this is just an “on mobile” thing, but I can’t find any reference to ISO 27001 or SOC2 at that datacentres URL. Taking your word for it being there previously, this seems like a major red flag! Faking these certs is no joke, and silently removing references to that after being called out would be even more of a bad look.

      @ybceo you seemed to represent this org based on your previous comments, is the parent commenter missing something here?

    • By ybceo 2025-12-21 4:11, 3 replies

      You're right, we shouldn't have had those certifications listed. They've been removed. We're a new company, made a mistake, and we're fixing it. Appreciate you calling it out.

      • By coldstartops 2025-12-21 20:14

        Sorry for continuing on this thread, but now I got more questions:

        How do you monitor and enforce your uptime SLA? You state 99.9%, which is less than 9 hours downtime per year; what happens if you breach this guarantee?

        Any other types of SLAs? What happens if you get breached / your network gets breached, or hardware failure, and my "anonymous" data is lost?

        Besides that you make some claims, but are they real, or are they vaporwave?

        like: "All our datacenters maintain the highest security standards with 24/7 on-site security, biometric access controls, and CCTV surveillance.

        Each facility features N+1 power redundancy with UPS systems and diesel generators, ensuring your services remain online even during extended power outages."

        Are you sure the above is true, because I am not.

      • By PotatoPrime 2025-12-21 14:07, 1 reply

        In this instance, what mistake did you make here exactly? Are you in process for those certifications? Is there any plan to achieve them?

        Or was the mistake saying you held a certification that you thought wasn't important to most people?

        • By lenkite 2025-12-21 17:31

          Mistake was using LLM generation.

      • By coldstartops 2025-12-21 20:20

        Are you even a new company?

        The only one I could find in Delaware with YBC Holdings, INC is registered in 1994 and is a brewing company

        https://b.assets.dandb.com/businessdirectory/ybcholdingsinc....

  • By bfkwlfkjf 2025-12-20 10:03, 2 replies

    Speaking of mullvad. I recently learned about mullvad browser, which is basically tor browser minus connecting via the tor network. This is interesting because the tor project has put the most effort into fingerprinting resistance. If you care about privacy and you have a customized browser, you're likely uniquely fingerprintable [1]. If you don't want to connect via tor, there's no excuse not to use the mullvad browser. (Doesn't require you to use mullvad VPN; comes with the mullvad plugin, disabled by default, to optionally use mullvad encrypted DNS. Last point, I wrote to the tor project and asked "is it possible to use tor browser minus tor network", and they responded "that's the mullvad browser", so this isn't just my recommendation)

    [1] https://coveryourtracks.eff.org
