Self-hosting as a professional practice Cuadernos Lacre https://solo2.net/en/notebooks/articulos/self-hosting-as-professional-practice.html It is good to start by deactivating a word that scares without reason: server. A server is not a mysterious machine in a cooled room. It is, simply, the computer of another person —or your own— that saves information and delivers it to whoever requests it. For decades we kept the information of our clients in a folder, in a filing cabinet, on the office desk and no one lost sleep for that. Information was not scary because it was on paper; it doesn't have to be scary either because it is on a disk. The «cloud» is not ethereal either. It is the computer of a company, almost always far away and almost always someone else's. I learned this involuntarily the day that, confident that my files were in safe custody in Google Drive, I discovered that the folder on my computer did not contain my documents, but shortcuts to documents that lived somewhere else. If that other place decided to close, change the price or cancel the service, my tranquility would go with it. I did not possess my things; I had permission to access them. That is where the question of this Notebook arises, easier to state than to answer: where should your clients' data live? And your own? The public conversation frames it as if there were only two opposing answers — the cloud of the big platforms, or doing it yourself — almost a matter of which side you're on. But there aren't two paths: there are three, and none of them is an act of faith. Read slowly, they have more nuance and ask more of you than they seem to. It is easy to think that confidentiality is a matter of lawyers, doctors or journalists, and that the rest have nothing to hide. It is a error, and of the expensive ones. Almost any business keeps data of its clients subject to the law, and many keep, without knowing it, information quite more sensitive than it seems. A sofa shop writes down the name, address and phone number of whoever buys; if there is financing, their financial details too. A renovation or interior-design firm keeps photos of the inside of its clients' homes and the full floor plans of their houses. A cleaning company handles the floor plans of the offices it cleans, often marked with colours and numbers that say which employee goes where, at what time and with which key. None of that seems like much until you ask who else it would be valuable to: those cleaning plans are, seen through other eyes, the perfect map for anyone who wants to break in and steal. The fact of a business being small, or that it sells sofas instead of defending pleas, doesn't make its data lack of value nor makes the law stop applying to it. It only makes its owner tend to think less in it. And thinking little about something that is your responsibility is precisely where problems begin. Here arises the immediate objection, and it is reasonable: if I have everything on the office computer, what happens if it breaks? The question is good. The answer is that the safety net we imagine in the large providers is more modest —and easier to be imitated— than it seems. When I leave my data in the data center of a multinational, I trust that it has copies in several places. And probably it has them: in a second location, maybe in a third. But that redundancy is not infinite and above all it is not mine: it remains a hard disk of which I am not the owner, managed by someone in whom I place a faith that I almost never verify. That same net I can weave myself, and with a decisive advantage. My daily service lives on the office computer. From there I keep an encrypted copy on the computer of a friendly company —a colleague in the profession, another trusted office— and another encrypted copy, if I want, at that same European provider we were talking about. The difference is everything: what I leave outside is not my service nor my data in clear, but an encrypted copy that only I can open. The external provider keeps a closed chest of which he doesn't have the key. I do not entrust my information to him: I entrust him some bytes that without me signify nothing. Allow me a personal story, because it illustrates this better than any argument. For more than ten years I was a devoted customer of CrashPlan, a technically extraordinary backup service. I backed up in their cloud all my computers and those of my family —those of the company and those of the house, everything—, with versions that I could recover with the frequency I wanted, traveling back in time to a specific file from months ago. After the first copy it only transmitted the differences, encrypted and compressed, so that I kept an enormous backup updated with almost no effort. It saved me many times, from a silly document to a whole disk. The price went up over the years and I didn't care: I paid happy. What I didn't know was that CrashPlan had made a calculation error: they had promised by contract unlimited storage, in space and time. And space multiplied by time —years of history, versions every few minutes— grows until it becomes unsustainable. One day they informed us all that the service was ending. They did it with elegance and with a generous term, almost a year, and gave us means to download our own. But where does one go with more than ten years of versioned copies of all their disks? There you discover that you have neither the way to download everything nor the place to put it, and that, even if you could, the new warehouse would cost a fortune. I saved four essential things. The rest went when they flipped the switch. I was calm, my information was safe... until it stopped being so. And not through betrayal: CrashPlan behaved impeccably — unlike Evernote, which years later behaved shamefully — quite simply, my guardian angel in the cloud decided, fully within its rights, to stop being one. The result, for me, was identical: what I thought was safe vanished. What this story really teaches has more to do with human nature than with technology. When someone feels that something is their responsibility, they act in a preventive way: they make copies, they secure their back, they distrust with good judgment. When they believe —erroneously— that the responsibility is borne by a large and solvent third party, they relax and let things go. That delegated tranquility is not prudence: it is, without makeup, a form of irresponsibility. That quiet irresponsibility resembles much that of some parents who enroll their son in the most expensive school, pay him afterwards a master degree, and with that they believe they have fulfilled their duty. They have not fulfilled. Being a parent is worrying about what he learned today, about what he doesn't understand, his values, his self-confidence. If at twenty-five years old that son doesn't know how to work nor behave, the fault is not of the school that collected the money: it is of the one who delegated and paid believing that with that it was enough. Paying a third party does not exempt from responsibility. It never has. It is the same with data, and recent history confirms it. Fifty or a hundred years ago a professional kept their clients' things in folders, in the office or at home, and felt responsible for them. Rarely was anything lost. We have moved into the digital world and, with astonishing ease, we upload everything to “the cloud” — which is nothing more than some multinational's computer — and stop worrying. And often there are accidents, and there are firms that lose everything, and then people say: it was Google's fault, it was Microsoft's fault. No. The information is yours, or your clients', but the one responsible is you. Hosting your own things is not a technical whim: it is recovering that serenity of decades ago, that of knowing where each thing is and why. Data protection, meanwhile, has lived an abrupt pendulum swing —from there not being any norm, when anyone exhibited the data of a client without thinking, to a requirement that falls with disproportionate hardness on the smallest, the freelancer who gives the phone of a client to the delivery person. I do not discuss the goal; I observe the mismatch. But the mismatch does not absolve us: the day that the administration has means to track and sanction at scale, size will stop protecting anyone, and it is wise not to wait for that day with the house unordered. Having the data under own control helps to comply and helps to prove it. And above all, it returns things to their place: when information is yours, the responsibility is entirely yours —there is no third party to blame, nor a third party whose failure exposes you—. It would be dishonest to paint this without its shadows. Taking the intermediary's place means carrying what comes with it: keeping backups up to date, applying updates, and a legal responsibility — that of the RGPD — which, in truth, never quite stopped being yours (the footnote references detail the articles). There is work, and there is a day when something fails at the worst possible time. We don't hide it. But the fear that surrounds that word, responsibility, is miscalibrated. It is far easier to lose your files in a cloud service that shuts down, or your photos in Google Photos, than to lose that folder of important documents on your own computer: the one you know where it is and would notice missing the moment it disappeared. What you feel is yours, you look after; what you believe to be safe in someone else's hands, you neglect. Think of the photo albums of old, the ones with developed paper kept in a drawer. Have you ever heard anyone say they “lost” their family album? You hear about the house that burned down with the album inside; losing it just like that, no. And yet, people who had all their photos in Google Photos or Apple Photos and were left with nothing: that story comes back every few months, because they believed it was safe. Google Photos looks after your photos, of course it does; but it does not look after them the way parents look after the album where their children and grandchildren are. That difference is not fixed by any data centre: responsibility, when it is yours, is not only a burden; it is also the best guarantee. Sources and further reading - Regulation (EU) 2016/679 — article 28 (processor), article 32 (security of processing), article 33 (notification of a breach), article 37 (designation of the Data Protection Officer). - Spanish Data Protection Agency — Practical guide for risk analysis in the processing of personal data (current revision). Framework for controllers who assume own technical functions. - European Data Protection Board — Guidelines 1/2024 on processing of personal data based on legitimate interests. Applicable also for the proportionality test in decisions of own infrastructure. - European Commission — public directory of information service providers established in European jurisdiction. Administrative starting point to identify European managed hosting options. - Nextcloud GmbH (Germany) — Nextcloud Enterprise architecture and compliance documentation. Documented case of free software with self-hosted and managed by European provider modalities; useful as technical reference of a project maintained in European jurisdiction since 2016. --- Cuadernos Lacre · A publication of Menzuri Gestión S.L. · written by R.Eugenio · edited by the team of Solo2. https://solo2.net/en/notebooks/