Solution in detail

Your own server — GDPR-compliant, AI-capable, maintainable

A practical blueprint for SMBs: which tasks your own server takes over, which hardware fits, how it is secured and maintained, who does what, and which models run on it. Plus: a requirements checklist for the first call.

Why your own server makes sense for SMBs

Cloud SaaS is fast. But every service an SMB uses as SaaS (mail, file storage, password manager, chat, scheduling, wiki) means that data leaves the building. In classic professions with confidentiality obligations (lawyer, tax advisor, doctor, therapist, engineer with IP protection) that is often not defensible under professional rules. In addition, SaaS costs scale linearly with staff numbers. Your own server bundles services, keeps data local and typically amortises in 18 months at 15+ staff.

What can an SMB's own server deliver?

Eight typical tasks that a single server can handle for an SMB with 5–50 staff. Each is its own container stack, all run in parallel on the same hardware.

File storage & cloud

Nextcloud as a central file cloud with WebDAV, calendar, contacts. Multi-user with roles. Mobile apps for iOS/Android are standard. Replaces Dropbox + Microsoft 365 Files. RAM footprint: around 2 GB.

Mail server

docker-mailserver with Postfix + Dovecot + Rspamd spam filter. Unlimited aliases, own mail delivery with DKIM/SPF/DMARC. Optional SOGo as webmail. Replaces Strato, Ionos, Google Workspace.

Password manager

Vaultwarden (Bitwarden compatible). Personal and organisation vault, shared folders per project/mandate, integrated TOTP generator. One container, 50 MB RAM.

Knowledge base & wiki

BookStack as wiki with books-chapters-pages structure, WYSIWYG + Markdown, full-text search, multi-user. For internal docs, consulting knowledge, client handbooks.

Appointment scheduling

Cal.com as a Calendly alternative. Self-service slots for clients/patients, recurring appointments, reminder emails via your own mail server. Four containers, around 1 GB RAM.

Workflow automation

for simple workflows (email → → DATEV export) or 7 for complex business processes with user tasks. 400+ pre-built integrations.

AI server (Ollama + Open WebUI)

Local (Llama 3.3, Qwen 2.5, Mistral) for GDPR-bound areas. as a ChatGPT-like surface. , over your own documents, .

Monitoring & backup

for service monitoring, + for hardware metrics, automatic daily backup to a separate NAS or cloud storage. Plus a disaster-recovery plan.

Hardware — three size tiers

Which hardware, concretely? That depends on the number of staff, demand and growth expectations. Three pragmatic tiers with concrete models and prices.

Tier 1 — small (5–15 staff, without AI)

Mini PC or NAS system. Intel NUC or UGREEN DXP4800 with 32 GB RAM, 2 TB SSD. Enough for mail + cloud + wiki + password manager + + monitoring. Hardware around €1,500–2,500, power around €100/year. Location: IT cabinet in the office with UPS.

Tier 2 — mid (10–30 staff, with small AI)

Workstation with consumer . AMD Ryzen 9 + 64 GB RAM + RTX 4090 (24 GB VRAM) + 4 TB NVMe SSD. : models up to 32B (Qwen 2.5, Phi 4) usable locally. Hardware €4,000–6,000, power around €250/year (inference). Location: server-grade room with ventilation.

Tier 3 — premium (20–100 staff, with large AI)

Apple Mac Studio M4 Ultra with 192 GB unified memory OR an NVIDIA workstation with 2× RTX 5090. : Llama 3.3 70B + Mixtral + DeepSeek R1 32B in parallel. Hardware €8,000–15,000, power around €400/year. Location: dedicated server room or Hetzner colocation.

How is the server secured?

Security is a layer cake, not magic. Six building blocks that together form pragmatic SMB protection — without enterprise effort.

Firewall + fail2ban

OS firewall (ufw or firewalld) opening only the required ports (443 for HTTPS, 25/465/587/993 for mail, optionally 22 for SSH). fail2ban blocks brute-force attempts automatically. Mandatory configuration, not optional.
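
One way to check the port policy above on a running host, as an added example that is not part of the original page: the function reads `ss -Htln` output and reports every listener outside the allowlist. It inspects sockets rather than ufw rules because ports published by Docker are opened through Docker's own iptables rules and can be reachable without a matching ufw rule. The sample input and the names `unexpected_listeners`, `sample_ss_output` and `ALLOW_SSH` are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare listening TCP sockets with the port allowlist
# from the text. Input format is that of `ss -Htln` (no header line):
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Ports the page allows; 22 is optional there, so it is a switch here.
ALLOWED_PORTS="443 25 465 587 993"
ALLOW_SSH="${ALLOW_SSH:-yes}"

# Constructed sample input, not captured from a real host.
sample_ss_output() {
cat <<'EOF'
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 100 0.0.0.0:587 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 [::]:3000 [::]:*
LISTEN 0 4096 [::1]:6379 [::]:*
EOF
}

# Reads `ss -Htln` lines on stdin and prints one "address port" line for
# every listener reachable beyond loopback whose port is not allowed.
unexpected_listeners() {
    allowed="$ALLOWED_PORTS"
    if [ "$ALLOW_SSH" = "yes" ]; then
        allowed="$allowed 22"
    fi
    awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            la = $4
            port = la; sub(/.*:/, "", port)          # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            # Loopback-only listeners are not exposed to the network.
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (!(port in ok)) print addr, port
        }'
}

# On a live host: ss -Htln | unexpected_listeners
sample_ss_output | unexpected_listeners
```

An empty result means every externally reachable TCP listener is on the allowlist; each printed line is a service that should either be bound to loopback or moved behind the reverse proxy on 443.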

OS and container updates

OS updates are installed automatically every week (unattended-upgrades on Ubuntu). Container images are checked quarterly; critical security updates are installed immediately. Renovate-bot or watchtower helps keep an overview.

Backup strategy 3-2-1

Three copies of the data, two different storage media, one off-site (e.g. Hetzner storage box or NAS in a second building). Daily incremental backups, weekly full snapshots. Restic, BorgBackup or Duplicati.

Disaster recovery (DR)

Quarterly restore test: 'can we rebuild a complete server from the backup?' Documented DR plan: which steps in which order, which logins, which hardware. The plan must not be stored where it would burn along with the hardware in a fire.

TLS everywhere + Caddy

Every web service sits behind Caddy with an automatic certificate. Mail is sent and received via STARTTLS (opportunistic encryption). Internal container-to-container traffic stays in a private network.

Audit log and monitoring

watches service status, shows hardware utilisation, gathers logs. On anomalies Slack/email alert. Plus: login per application (who did what when).

How is the server maintained?

Maintenance is not magic but a recurring rhythm. Four frequency tiers with concrete tasks — from the daily 5-minute check to the annual security audit.

Daily (automated)

checks every service every 60 seconds. alarm at disk > 85 % or RAM > 90 %. Daily backup routine runs at 02:00. Auto-mail on error.

Weekly (10 minutes, owner)

Dashboard check: all containers green? Last backups successful? Anomalies in logs? OS updates installed in the maintenance window (Saturday 06:00). Container image updates reviewed.

Monthly (1 hour, IT-affine staff)

Test and install container image updates. Backup restore test of a small file. Check storage utilisation, archive old data if needed. Staff account review (who is still there?).

Quarterly / annually (external consultant)

Quarterly: full disaster-recovery test, security patch review, performance review. Annually: hardware lifetime check, obligation review, requirements review (what has changed?).

Who does what?

Responsibilities clearly divided. In an SMB with 5–50 staff there are three typical roles — even if some tasks are combined.

Owner / leadership

Strategic decisions: which services , which stay SaaS? Budget approval for hardware and consulting. Escalation point on maintenance issues. Weekly dashboard check (10 minutes).

IT-affine staff member (internal power user)

Day-to-day: create new staff accounts, route tickets, first aid for simple issues. Monthly maintenance tasks (test updates, backup restore test). Interface to the external consultant.

External consulting partner (that's us)

Setup and migration support. Complex configuration changes. Security audits. Emergency intervention for disaster recovery. Quarterly maintenance sessions. Contact for strategic architecture decisions.

Which AIs can be integrated?

choice depends on two factors: hardware (which models can run?) and (what should the do?). Both can be realised on the same server — if the hardware fits.

General-purpose AI for text and translation

Llama 3.3 70B (on premium hardware) or Qwen 2.5 32B (on mid hardware). Both very good in German. Integrated into as chat interface, into as an step for workflows. Check model license per model.

Reasoning + complex logic

DeepSeek R1 Distill 32B as specialised reasoning model. : legal analysis, complex calculations, strategy outlines. Can run in parallel to the general-purpose model.

RAG (Retrieval-Augmented Generation)

brings functionality: upload documents (PDF, DOCX), generate , answers from your own knowledge base. For client/patient documentation, subsidy logic, ISO 9001 handbooks.

Multi-modal (images, whiteboards)

Models like Llama 3.2 Vision or Qwen 2.5 VL accept images. : analyse scanned invoices, interpret part photos for complaints, process whiteboard sketches for workshops.

What's next?

If this solution sounds fitting, the next steps are manageable. Three stages from the first call to a productive server.

1. Fill in the requirements checklist

We have prepared a structured wishlist — industry-specific templates, asked data sensitivity, wishlist, hardware preferences. Filling in takes 10–15 minutes and gives us the foundation for a precise first call.

2. First call (free, 45 minutes)

We discuss your wishlist, clarify open points, estimate hardware demand and timeframe. You get an honest assessment: does self-hosting fit you, or is cloud SaaS more pragmatic for your case? Both are OK.

3. Setup roadmap and stepwise migration

A with concrete stages — typical: buy hardware, set up server (1 week), migrate mail + cloud + password manager (2 weeks), set up stack (1 week), train staff (3 days), handover + quarterly maintenance contract. Total 8–12 weeks.

First step

Fill in the requirements checklist

10–15 minutes of your time, industry-specific templates, no login. Send the result to us or bring it to the first call.
