Composition: the NordBastion polar-bear mascot in tactical armour standing on a wharf overlooking the Stockholm Old-Town silhouette under aurora light, the Swedish flag flying above a cyan-lit data-fortress on the horizon — evoking a Swedish constitutional-jurisdiction VPS

Country · Sweden · Bastion STO.001

A Sweden VPS, KYC-free.
Under the world's oldest constitutional press-freedom regime.

A VPS pinned inside Sweden, under Tryckfrihetsförordningen (1766) and Yttrandefrihetsgrundlagen — constitutional source secrecy, by criminal statute. No identity collection, paid in crypto, booted in 90 seconds.

Why Sweden Go to Stockholm bastion

TL;DR

01
Stockholm bastion STO.001 inside a tier-III carrier-neutral facility, 100 Gbps private backbone to Helsinki, Oslo and Reykjavík.
02
Tryckfrihetsförordningen (1766) — constitutional source secrecy by criminal statute, plus Yttrandefrihetsgrundlagen and GDPR Article 5 minimisation.
03
Pay in Bitcoin or Monero, no identity check — provisioned in 90 seconds, billed against a prepaid balance.

Why a Swedish VPS

Sweden is not an accident of geography. It is a choice of constitutional law.

Sweden has the longest continuous constitutional protection of free expression in the world. The Tryckfrihetsförordningen dates from 1766 — older than the United States Constitution. It is one of four Swedish constitutional acts and ranks above ordinary statute. The Yttrandefrihetsgrundlagen of 1991 extends the same shield to electronic media. Together they give publishers, journalists and the sources who feed them a written, judicially enforced guarantee against state interference — and they make it a criminal offence for an operator to disclose the identity of an anonymous source, even on police request.

Sweden's data-protection posture is unusually assertive. The IMY (Integritetsskyddsmyndigheten) is among the most active data-protection regulators in Europe, with a documented record of fining government and private actors for over-collection. GDPR Article 5 minimisation — collect only what you need, keep it only as long as you need it — is not abstract here, it is enforced. For a privacy-first hosting operator that constraint is welcome: it is a third-party regulator reinforcing the same doctrine NordBastion ships under by choice.

The Pionen / WikiLeaks precedent is the historical anchor. When the 2010 diplomatic-cable releases triggered global pressure on every hosting provider involved, Bahnhof — operating from the Pionen bunker in Stockholm — kept WikiLeaks online under exactly this constitutional regime. NordBastion does not run inside Pionen; STO.001 is in a different tier-III facility in the metropolitan area. The legal regime that protected Bahnhof and WikiLeaks then is the legal regime that protects a NordBastion customer now.

The Swedish bastion

Stockholm — STO.001.

City landing

Stockholm VPS — pinned cores, Swedish jurisdiction.

The full city page. Five-tier strip pinned to the bastion, four-card "Why Stockholm" grid (press freedom, source secrecy, IMY enforcement, peering), and the city-specific FAQ. Latency to Helsinki around 8 ms, to Oslo 11 ms, to Reykjavík 25 ms over the private backbone.

Open the Stockholm page

Bastion code: STO.001
Latency · Helsinki / Oslo / Reykjavík: ~8 / 11 / 25 ms
Constitutional citation: Tryckfrihetsförordningen (1766)

Sweden vs the other three

Four Nordic legal regimes. Pick the one that fits the workload.

The four Nordic jurisdictions are close cousins but not identical. Some workloads want Sweden specifically; others are better served by Finland, Norway or Iceland.

Sweden · this page

Press-freedom regime, constitutional

The world's oldest constitutional press-freedom act, criminal-statute source secrecy, IMY-enforced GDPR. EU member with the conservative end of GDPR enforcement.

Stockholm bastion

Finland

Strongest source secrecy in the EU

Section 16 of the Act on the Exercise of Freedom of Expression in Mass Media gives journalists and publishers an absolute right to refuse to disclose sources — read as broader than Sweden's in some scholarship.

Helsinki bastion

Norway

EEA outside the EU

Norway sits in the EEA but not the EU. GDPR applies via EEA incorporation; the e-Evidence regulation does not. A useful split for operators who want EU-grade data protection without EU-grade cross-border production orders.

Oslo bastion

Iceland

IMMI — written for publishers

The Icelandic Modern Media Initiative (IMMI, 2010) explicitly designed source protection, intermediary immunity and prior-restraint limits for digital publishers. Outside the EU entirely; geographically isolated.

Reykjavík bastion

Pick a tier

The right tier for a Swedish VPS. Three calls, three workloads.

$5.90 / MO

Sentinel — sidecar, personal

2 vCPU, 4 GB RAM, 120 GB NVMe. Good for a small Mastodon, a Wireguard exit in Stockholm, a personal mail bridge or a Tor relay sitting under Swedish law.
$11.90 / MO

Garrison — production single-service

4 vCPU, 8 GB RAM, 240 GB NVMe. The sweet spot for one production application — a publication site under Tryckfrihetsförordningen protection, a hardened nginx + PHP-FPM, a small Postgres.
$23.90 / MO

Ravelin — multi-service stack

8 vCPU, 16 GB RAM, 480 GB NVMe. Comfortable for a multi-service publication infrastructure — CMS, database, search, queue and worker, all under a single Swedish jurisdiction.

Full tier line — Sentinel · Garrison · Ravelin · Bulwark · Citadel — on /stockholm-vps/.

Verdict

Choose Sweden when the workload needs a written constitutional shield.

Sweden is the right Nordic jurisdiction when the workload is publishing — a site, a media archive, a leak intake, a publication infrastructure that needs the most explicit constitutional press-freedom guarantee available on the open market. Tryckfrihetsförordningen is not a policy promise. It is a law older than the United States.

If your priority is source secrecy as an absolute right, Finland is also worth a look. If you want EU-grade GDPR without EU cross-border production orders, look at Norway. If you want geographic isolation and a digital-publisher charter, look at Iceland. For everything else — and as the default for any publication-shaped workload — Sweden is the answer.

FAQ · Sweden

Sweden-specific, answered.

Questions that come up specifically about hosting a VPS under Swedish law — constitution, EU membership, retention, mobility.

Is Stockholm the only Swedish location?

For now, yes. NordBastion operates one bastion in Sweden — STO.001 — inside a tier-III carrier-neutral facility in the Stockholm metropolitan area. Stockholm is also the densest peering point in the country (IXSE, STHIX, Netnod), which is why we put the Swedish bastion there rather than in Gothenburg or Malmö. A second Swedish site is not on the published 18-month roadmap.

What does Tryckfrihetsförordningen protect?

Tryckfrihetsförordningen (the Freedom of the Press Act, 1766) is one of four Swedish constitutional acts and ranks above ordinary statute. Together with Yttrandefrihetsgrundlagen (1991) it guarantees the right to publish, the right to remain an anonymous source, and — critically for an infrastructure operator — makes it a criminal offence to disclose the identity of an anonymous source, even on police request. That guarantee survives translation into the crypto-paid, no-identity hosting model NordBastion runs.

Does Sweden's EU membership weaken the privacy posture?

No — and arguably it strengthens it. GDPR, contrary to its reputation, is a friend of the privacy-conscious customer here. Article 5 binds NordBastion to minimal data collection by law, Article 17 gives every customer a right to erasure enforced by a regulator with real teeth (the IMY is one of the most assertive data-protection authorities in Europe). EU membership does mean Sweden is inside the e-Evidence framework — see the data-retention answer below.

What is the Pionen precedent and does NordBastion run there?

Pionen is the Stockholm bunker famously used by Bahnhof to host WikiLeaks during the 2010 cable releases. It is widely cited as the canonical example of Sweden being willing to host politically inconvenient infrastructure under its constitutional press-freedom regime. NordBastion does not run inside Pionen — STO.001 is in a different tier-III facility in the metropolitan area — but the legal regime that protected Bahnhof and WikiLeaks is the same legal regime that protects a NordBastion customer today.

Can Sweden compel logs from NordBastion?

Only through a Swedish court order, on a named subject, for data we actually hold — and that intersection is narrow. By doctrine, NordBastion does not collect identity at signup, does not retain payment-card data, does not log application-level activity, and rotates infrastructure logs aggressively. What does not exist cannot be compelled. Anything that does exist is published in the monthly transparency report, in aggregate.

What about Sweden's data-retention laws?

Sweden's former blanket data-retention regime was struck down by the CJEU (Tele2 Sverige, 2016) and replaced by a much narrower targeted retention statute. As a hosting provider — not a telecom — NordBastion is not subject to bulk retention obligations under that statute. We retain only what is operationally necessary, on the schedules published in the transparency report.

How does the SLA work in Sweden specifically?

The NordBastion SLA is 99.99 percent per-bastion, computed independently for each of the four locations. The Stockholm STO.001 uptime is broken out on /status/ alongside the other three bastions. SLA credits are applied to your prepaid balance automatically — no ticket required.

Can I move my VPS from Sweden to Finland or Iceland later?

Yes. Every VPS can be snapshot-redeployed to any other Nordic bastion through the panel — Stockholm to Helsinki, Helsinki to Reykjavík, anywhere. The snapshot transfer runs over the 100 Gbps private backbone, so even a Ravelin migration completes in a few minutes. You re-point DNS at the new IP; nothing else changes.