Sovereignty audit · ummah.email

Every "no Google, no Meta, no surveillance" claim we make has to hold at the bytes level, not just in marketing copy. Below is the complete public list of what we run, what we depend on, and what we explicitly do not use. We update this list monthly. If you find a discrepancy between this page and what your browser actually loads, email salaam@ummah.email.

Our public commitment

These are not aspirational. These are commitments we publish so they can be held against us.

No Cloudflare. Ever. We will never proxy, cache, or terminate TLS through Cloudflare. The day we do is the day we cease to be sovereign.
No AWS. No GCP. No Azure. Hetzner Helsinki and Hetzner Falkenstein only. Bare metal, EU jurisdiction, no hyperscaler tenant agreement we cannot read end-to-end.
No Google. No Microsoft. No Meta. No Sendgrid. No Mailchimp. No Hubspot. No Salesforce. No Twilio. If a vendor's business model is harvesting users at scale, they do not touch our stack.
No analytics that send data outside our servers. Self-hosted Matomo only, on our hardware, IP-anonymized, cookieless.

Our poison pill against acquisition

If UMG is ever acquired, all user data is destroyed before transfer. By signing up, every ummah.email member is a party to this commitment. No buyer inherits Muslim data.

This is the asbab side of "tie your camel". We tie the camel against the day we might be tempted to leave it loose. The commitment is written into the user agreement. We disclose it here so the commitment cannot quietly disappear in a future revision.

What we run on our own iron

UMG-controlled infrastructure. No third party between you and us.

UMG mail serverOpen-source mail engine. Helsinki. Our hardware. Encrypted at rest.

Ummah Email webmail (webmail.ummah.email)Open-source webmail engine with our Maktub theme. Same server.

nginxOpen-source HTTP server. Routes traffic to the above. Same hardware.

UmmahPass · LaravelOur identity layer and signup flow. Self-hosted Postgres and Redis.

Matomo (analytics.ummahmediagroup.com)Self-hosted, cookieless, IP-anonymized. No Google Analytics.

UmmahCHAT (chat.ummahmediagroup.com)Self-hosted team chat. Internal Ummah Media Group team comms. Same server cluster.

Hosting: Hetzner Online GmbHHelsinki, Finland (Hetzner FI data center). EU jurisdiction. GDPR-binding and Finnish data protection law. Outside US CLOUD Act and FISA 702 absent a Finnish court order.

What we use that we don't own

The minimum necessary third-party surface. Every vendor named and explained.

StripePayment processing. Card data never touches our servers. KYC and payment regulation makes self-hosting impossible at our scale. Disclosed.

Let's EncryptTLS certificates. Open standard. No tracking surface.

Dynadot (DNS registrar)US commercial registrar. In-progress migration to a secondary anti-surveillance NS provider (Njalla / 1984 Hosting) Sprint 9. Eventual full migration off Dynadot Sprint 18+.

MaxMind GeoLite2 (planned, Sprint 10)Offline IP-to-country DB. No outbound calls per visit. Replaces ip-api.com which leaked visitor IPs to a US third party.

Bunny Fonts was on this list through Sprint 7. As of May 10 2026 it is self-hosted at /fonts/ on every UMG property. Zero outbound font requests on page load. See Sprint 8 transparency report →

What we explicitly do not use

The list every company forgets to publish. Here is ours.

Google Fonts, we self-host all fonts at /fonts/
Google Analytics, we use self-hosted Matomo instead
Google Tag Manager, no tag manager at all
Google reCAPTCHA, we use first-party rate limits
Cloudflare, the Big Tech CDN that sits between you and ProtonMail and Tuta; not us
AWS / GCP / Azure, bare metal at Hetzner, no hyperscaler
Meta Pixel / Facebook Login, never integrated
FCM (Google) / APNS (Apple) push, Web Push with our own VAPID keys
App Store / Play Store, PWA-first, sovereign distribution
Salesforce / HubSpot, first-party CRM
Mailchimp / Sendgrid / Mailgun, we run our own SMTP
Twilio, never. SMS optional via European-jurisdiction providers when needed.
Snowplow / Segment / Amplitude, first-party events only

What we default ON

Defaults are choices. We disclose ours.

Outbound email signatureEvery paid ummah.email member's outbound email gets a small footer: Sent from yourname@ummah.email, yours at ummah.email. Plain text. Reversible. Disable here or customize here.

10% sadaqah disbursement$0.50 of every $5/mo routes to a vetted Muslim charity. Non-toggleable, it is part of the offer. See pricing.

UmmahPass identity bridgeYour handle is the same across ummah.email + ummah.me + UmmahPlaces + UmmahCauses + chat.ummah.city. One identity, all surfaces.

Server geography and legal posture

Servers physically in Helsinki, Finland (Hetzner FI data center). Hetzner Online GmbH (German company, EU-jurisdiction) operates them. Data is subject to GDPR and Finnish data protection law. Not subject to US CLOUD Act or FISA 702 absent a Finnish court order recognizing the request.

UMG corporate is Ummah Media Group LLC, a US-incorporated entity (Delaware). This means US legal process can be served on UMG; a separate Finnish order is required to compel data on the European servers. We disclose every such order via the warrant canary below.

Warrant canary

Issued monthly by the Ummah Media Group security office. If a future month's canary is missing, that is the signal: a gagged surveillance order has been received that we cannot publicly acknowledge.

Read the current canary →

Found a discrepancy? Report it.

If your browser loads a request this page does not disclose, that is a sovereignty leak. Email salaam@ummah.email with a DevTools screenshot. PGP key publishing is planned. Bug bounty pool is planned. Right now: email us and we will fix it publicly.