Compliance & digital sovereignty

An RMM sits at the heart of every network you manage. Where it runs, who owns the infrastructure and which laws can compel access to it are not footnotes — they are the product. Here is exactly where RMM Labs Ltd stands.

Our public statement

We choose EU sovereignty

RMM Labs Ltd publicly and unambiguously chooses European digital sovereignty. Xcellerate RMM is built in Sofia, Bulgaria, by an EU-registered company, and the platform is designed, operated and governed entirely under European law.

This is a structural choice, not a marketing line. Our company, our infrastructure and our data processing are anchored in the European Union, so every decision about your data — and your customers' data — is made inside a single, predictable legal framework: EU law.

  • EU company, EU jurisdiction

    RMM Labs Ltd is registered in Sofia, Bulgaria. Contracts, data processing agreements and disputes are governed by EU and Bulgarian law — nothing else.

  • Independent by design

    We are privately held with no non-EU parent company or controlling investor, so no foreign jurisdiction can quietly change what we are obliged to do.

  • Sovereignty on the roadmap

    Every architectural decision — hosting, sub-processors, telemetry — is evaluated against one question first: does it keep our customers sovereign over their data?

Xcellerate RMM Cloud

EU-hosted, privately owned — and deliberately outside the US Cloud Act

Xcellerate RMM Cloud runs exclusively on EU-hosted, privately owned infrastructure. We deliberately do not build our cloud on US hyperscalers, so the platform does not clash with the US CLOUD Act — the legislation that can compel US-based providers to hand over data regardless of where in the world it is physically stored.

For MSPs, this removes an entire category of due-diligence pain. You can offer Xcellerate RMM to your EU-regulated customers — finance, healthcare, legal, public sector, critical infrastructure — without having to explain away a US sub-processor in your GDPR, NIS2 or DORA documentation. The answer to “who can access our data?” stays short: nobody outside the EU.

  • EU data centres only

    All Cloud tenants run in data centres physically located in the European Union, on hardware we own and operate ourselves.

  • No US hyperscaler in the chain

    No AWS, Azure or Google Cloud anywhere in the hosting stack — and therefore no US CLOUD Act exposure by construction.

  • GDPR-first processing

    EU-based sub-processors only, a straightforward DPA, and data that never needs a transfer mechanism because it never leaves the EU.

  • Self-hosting as the ultimate guarantee

    If policy requires it, run the open-source core on your own infrastructure — the same product, under your complete physical control.

Full transparency

Why open core, open source — in full

An RMM agent runs with high privileges on every endpoint you manage. We believe software with that level of access has no business being a black box. That is why the Xcellerate RMM core is open source under AGPL v3: anyone — customer, auditor, regulator or competitor — can read, build and verify the exact code that runs on their machines.

Open source is our trust model; open core is our sustainability model. The free, self-hosted core is complete and production-grade — not a crippled demo. Commercial offerings — Cloud hosting, Enterprise Support tiers and first-party plugins — fund full-time development without ever holding your data or your fleet hostage.

Transparency also means no lock-in. Your data is yours: Excel exports throughout the product, a fully documented public API, and an AGPL core you can take and run yourself if we ever stop deserving your business. We think that is exactly the pressure a healthy vendor should keep on itself.

  • AGPL v3 core, publicly auditable

    The entire core platform — server and agent — is open source. Security through visibility, not obscurity.

  • Honest open core

    The line between free core and paid extras is public and stable. What is free today does not silently move behind a paywall tomorrow.

  • No lock-in, ever

    Documented API, exports everywhere, and the freedom to migrate from Cloud to self-hosted (or away entirely) with your data intact.

  • Community as an audit layer

    Issues, code and release notes are public — thousands of eyes keep us honest in a way closed-source vendors cannot match.

Need this on paper for a customer audit?

We are happy to support your due diligence — DPA, sub-processor list, hosting details and security questionnaires.

Contact us