VECTRYS is the operational nervous system for short-term rental and hospitality. The dashboard you are looking at runs on an EU-sovereign stack with GDPR-native compliance, a published responsible-use charter, and a separated agent / data architecture. Every assertion below maps to a concrete, auditable artefact.
Sovereignty
Domain registrar IONOS (Karlsruhe). VPS infrastructure Hostinger Paris. Sovereign self-hosted Git forge. Transactional email Brevo (Paris HQ). TLS issued by Let’s Encrypt. No US cloud dependency in the critical path.
Compliance
Personal data minimisation at the schema layer. Encrypted PII. Right-to-erasure implementable per module. Granular retention. No third-party tracking on the dashboard. Cookie banner aligned with ePrivacy.
Architecture
Frontend (Tier 1 · KVM1 Paris) handles the public surface only. Agents (Tier 2 · KVM2 Paris) orchestrate workflows in an isolated tier. Data (Tier 3 · KVM4 Paris) holds tenant records and is never directly internet-exposed. A compromise in any tier cannot reach the others laterally without explicit, audited cross-tier authentication.
Authentication
Sign-in via single-use magic link sent to allowlisted email addresses. Session JWTs are server-side revocable through a sovereign broker. Magic-link nonces burn on first use; bearer tokens between Tier 1 and Tier 2 rotate on-demand.
Observability
Structured JSON audit entries for every authentication event and every action trigger. Captured in private runtime logs. Tamper-evident chain across the broker’s persisted state.
Accessibility
Contrast verified. Keyboard navigation across all interactive surfaces. Visible focus indicators. Atkinson Hyperlegible toggle for dyslexia. Touch targets above 44 px. Honours prefers-reduced-motion.
Every component is either EU-hosted, EU-headquartered, or self-hosted on the operator’s sovereign VPS.
| Layer | Component | Hosting |
|---|---|---|
| Frontend · Tier 1 | Next.js 15 · React 19 | Hostinger Paris VPS (KVM1 · dedicated) |
| Authentication | jose JWT · HS256 · same-process | KVM1 (no edge dependency) |
| Agent broker · Tier 2 | Native Node.js HTTP | Hostinger Paris VPS (KVM2 · isolated agents tier) |
| Sandbox | Firejail (caps drop · seccomp · no network) | KVM2 Paris |
| Data store · Tier 3 | PostgreSQL + pgvector | Hostinger Paris VPS (KVM4 · never internet-exposed) |
| TLS termination | Caddy 2 + Let’s Encrypt | KVM1 + KVM2 Paris (per-tier) |
| DNS | IONOS authoritative | IONOS (Karlsruhe · EU) |
| Email transport | Brevo REST v3 | Brevo Paris HQ · EU servers |
| Source forge | Forgejo (Codeberg fork) | Self-hosted KVM4 Paris (git.vectrys.ai) |
| Secrets vault | 1Password Business | 1Password EU residency |
We welcome scrutiny. Source code is reviewable on request through a sovereign Git forge. The audit log surface is exportable. The infrastructure architecture is documented down to the systemd unit. Penetration testing reports are shareable under NDA.