Transparency report Q2 2026

The sovereignty audit is a static, real-time snapshot. This report is the longitudinal record. Every quarter we publish: the dependency list as it stood, the jurisdictions our data crossed, every government request received, and the warrant canary as a public signal.

Headline numbers

Government data requests this quarter0

National Security Letters received0

FISA court orders received0

US CLOUD Act requests received0

German court orders received0

Finnish court orders received0

Backdoors added under any compulsion0

Third-party content access grants beyond mail routing0

Direct dependencies on third-party vendors4

Self-hosted infrastructure components7

Big Tech vendors in the stack0

Dependency list (snapshot 2026-05-10)

The complete public list of every system component, library, and external service we depend on. If your browser loads anything not on this list, that is a sovereignty leak. Email salaam@ummah.email.

System packages and runtimes (self-hosted)

Ubuntu 24.04 LTS, OS on all UMG servers
nginx 1.24, HTTP server / reverse proxy
PHP 8.4-fpm, Laravel application runtime
Python 3.12, FastAPI dashboard, automation scripts
PostgreSQL 16, identity, profiles, business data
MySQL 8.0, legacy WordPress, dashboard internals
Redis, sessions, cache, queues
Open-source mail engine, IMAP/SMTP/JMAP, our hardware
Open-source webmail engine (Maktub theme)
Matomo, self-hosted analytics, IP-anonymized, cookieless
Self-hosted team chat, internal team comms

Application frameworks

Laravel 12, UmmahPass, UmmahCauses, UmmahPlaces, ummah.me
FastAPI, UMG Dashboard
Tailwind CSS, styling (compiled, self-hosted)
Alpine.js, client interactions (self-hosted minified bundle)
Stripe.js, payment widget (loaded from Stripe origin only on checkout pages)

Third-party vendors (4 total)

Stripe Inc. (US), payment processing only. Card data never touches our servers.
Let's Encrypt / ISRG (US non-profit), TLS certificates. Open standard, no tracking.
Dynadot LLC (US), DNS registrar. Migration to anti-surveillance NS provider (Njalla / 1984) planned Sprint 9.
MaxMind GeoLite2 (US), offline IP-to-country DB. Planned Sprint 10. No per-visit calls.

Hardware and hosting

Hetzner Online GmbH (DE), bare-metal CX23 + dedicated mail server in Helsinki, Finland (Hetzner FI data center).
EU jurisdiction. GDPR-binding. Finnish data protection law.

What changed this quarter

2026-05-15, homepage v2 launch: Sovereign Seal mark adopted, full v2 brand kit (cream surfaces, Inter primary, forest accent). v1 dark hacker aesthetic retired. Trust pages migrated to v2 same day.
2026-05-10, Bunny Fonts (BunnyWay d.o.o., Slovenia) removed from third-party list. Self-hosted at /fonts/ on every UMG property. Net dependency count: 12 → 11.
2026-05-10, CSP font-src and style-src hardened to 'self' on ummah.email, ummahpass.io, ummahcauses.org. Bunny.net removed from allowlist.
2026-05-10, public commitment + acquisition poison-pill clause added to /sovereignty.
2026-05-09, SPF/DKIM/DMARC sweep across 25 Dynadot-owned UMG domains. 8 domains hardened. ummah.email DKIM verified end-to-end.
2026-05-09, muslimtorrents.com + ummahmediagroup.com NS migration off legacy GoDaddy nameservers (NS-drop incident response). Both zones rebuilt at Dynadot.

Jurisdictions data touches

Where your data physically sits, where it is routed, and what legal regime applies at each step.

Helsinki, Finland: Primary servers (Hetzner FI). Inbox storage, identity records, application servers. Finnish data protection law + GDPR.
Falkenstein, Germany: Backup target (Hetzner FSN). German BDSG + GDPR.
San Francisco, USA: Stripe (payment processing only). Card data, billing email. Never the inbox content. US PCI-DSS, CA Consumer Privacy Act.
Slovenia (deprecated this quarter): Bunny Fonts CDN. As of 2026-05-10 we no longer route font requests outside our servers. Removed.
San Mateo, USA: Dynadot DNS registrar (control plane only; queries are public DNS). Migration to anti-surveillance NS provider planned Sprint 9. US.

Key custodians

Who can technically access encrypted-at-rest data, and under what conditions.

Ummah Media Group LLC: root SSH on the mail server, encryption-at-rest keys for inbox volumes, the only entity that can decrypt mail content under normal operation.
Ummah Media Group LLC (again): identity layer keys (UmmahPass JWT signing, OAuth client secrets, Passport personal-access keys). No third party holds these.
Stripe Inc.: cardholder data and payment metadata. Required by KYC and PCI-DSS. Never the inbox.
Hetzner Online GmbH: physical access to the rack. Cannot read encrypted-at-rest volumes without the keys we hold. Could in theory image disks under German legal compulsion (zero such requests this quarter, see canary).
Let's Encrypt: signs our public TLS certificates. Cannot read user traffic; only attests our domain control. No per-user surface.

End-to-end encrypted mail (E2E Stage 2) is on the Sprint 11 roadmap. Stage 1 (encryption-at-rest) ships today on every paid ummah.email inbox.

Data flow diagram

Where bytes move when you use ummah.email. Text representation; hand-drawn for clarity.

Browser (you) │ │ TLS 1.3 (Let's Encrypt cert) ▼ nginx (Hetzner FI / Helsinki) │ ├──▶ Static (HTML / CSS / fonts / WOFF2) ← served from disk, /fonts/ self-hosted │ ├──▶ UmmahPass (Laravel + PostgreSQL) ← identity, billing, OAuth │ │ │ └──▶ Stripe (San Francisco) ← cards only, never inbox │ ├──▶ Mail server (Hetzner FI) ← IMAP/SMTP/JMAP, encrypted-at-rest │ ├──▶ Webmail (Hetzner FI) ← reads from mail server over local socket │ └──▶ Matomo (analytics.ummahmediagroup.com) ← self-hosted, IP-anonymized │ └─ does NOT egress user data anywhere Outside this diagram = sovereignty leak. Report it to salaam@ummah.email.

Warrant canary, current

Reproduced verbatim from /canary.txt. If a future quarter's report ships without this canary, or with a substantially altered canary, that is the signal: a gagged surveillance order has been received.

As of 2026-05-10:

  - 0 (zero) National Security Letters
  - 0 (zero) FISA court orders
  - 0 (zero) US CLOUD Act requests
  - 0 (zero) German court orders compelling user data disclosure
  - 0 (zero) requests from any government agency
  - 0 (zero) backdoors added to UMG infrastructure under any compulsion
  - 0 (zero) third-party content-access grants beyond mail delivery routing

The infrastructure described at https://ummah.email/sovereignty
is accurate as of this date.

  -- Ummah Media Group LLC, 2026-05-10

Read the full plaintext canary →

Next quarter

Q3 2026 report will publish on or before 2026-08-10. Cadence is fixed: Apr / Jul / Oct / Jan, each issued in the second month of the quarter.

Planned changes Q3 2026:

Dynadot → Njalla / 1984 Hosting NS migration on at least 5 UMG domains.
PGP signing key for the warrant canary (currently unsigned-but-published).
MaxMind GeoLite2 offline DB replaces ip-api.com calls in the dashboard.
Independent Muslim-led security audit kicks off (Q3 2026 to Q4 2026).

Found something we did not disclose? Report it.

Email salaam@ummah.email. We publish corrections to this report (with timestamps) rather than silently editing. The edit log lives at the bottom of the next quarterly report.