Skip to content
Resources

For developers

Technical details on how Oden C.A.M is built — for those who want to know what they're actually buying, or want to develop something on top.

Last updated:

Architecture in two sentences

Your WordPress site stays where it always lived — we don't move anything. The central control panel and automated maintenance routines run on a separate service, Oden, deployed to Google Cloud Run in the europe-north1 (Finland) region. The site and Oden talk over a TLS 1.3-encrypted API where every message is Ed25519-signed — the bridge is a small WordPress plugin (WEBBELi worker) that we install on your site.

We also offer WEBBELi hosting as an add-on — our own managed WordPress hosting in Sweden — if you want to move your hosting over to us for better performance and a single combined invoice. It's not required to use Oden.

The WEBBELi worker plugin

WEBBELi worker is installed automatically on your WordPress site during onboarding. It's the plugin that acts as the "agent" for Oden — it performs updates, gathers metrics, creates backups, and reports back. The plugin is open source under an MIT license (with trademark restrictions), and the source is available at github.com/nni-solutions/webbeli-worker.

The plugin does not:

  • Send the contents of your database to Oden — only metadata about updates and status.
  • Modify files in wp-content/themes/ or wp-content/uploads/ without your explicit action.
  • Require SSH access — all communication happens via the WordPress REST API over HTTPS.

The Oden API

We plan to open a public REST API in Q3 2026 so that customers with larger installations can integrate Oden into their own CI/CD pipeline. Likely endpoints:

  • GET /v1/sites — list connected WordPress installations.
  • GET /v1/sites/:id/updates — history of applied updates.
  • POST /v1/sites/:id/restore — restore from backup.
  • GET /v1/sites/:id/health — current availability and performance metrics.

Want to be part of beta testing? Send a message to dev@oden.cam with information about your use case.

Webhooks

Oden can send webhooks to a URL you specify when certain events occur. Supported events today:

  • update.applied — an update has been applied to your site.
  • backup.created — a new backup has been created.
  • backup.restored — a restore has been performed.
  • security.incident — we've detected potentially malicious activity.
  • uptime.alert — the site is down.

Webhooks are signed with HMAC-SHA256 and a shared key. Configure them in the control panel under Settings → Integrations.

Security model

Oden never stores your WordPress administrator password. The WEBBELi worker plugin creates its own dedicated service user with a randomly generated API key that's automatically rotated every 30 days. The key lives in your WordPress database and can be revoked at any time — which cuts off Oden's access without affecting your site.

Detailed security documentation, including threat model and incident procedures, is in the privacy policy and GDPR statement.

Local development and staging

Each production site on Oden gets an isolated staging copy on a separate domain automatically. You can push changes from staging to production via the control panel at any time, or run automatic regression tests before pushing.

For real local work, we recommend wp-cli + Local by Flywheel or DDEV. The WEBBELi worker plugin has a CLI command wp webbeli pull that pulls a synced copy of database + uploads to your local environment.

Contribute or report a bug

Found a bug? Send details to dev@oden.cam or open an issue on our GitHub. We have an open bug-bounty program — security issues are rewarded on a scale based on severity.

GDPR

GDPR — how we handle your data.

We built Oden C.A.M around data minimization, EU hosting, and full transparency — not as an afterthought.

01

Where your data lives

All Oden data (control panel, logs, backups) is stored in Cloud Run and Firestore in the Finland region (europe-north1). Your WordPress sites run on whichever hosting you choose — if you want to move to us, we offer WEBBELi as an add-on (Scandinavian servers in Sweden). Backups are AES-256 encrypted and stay inside the EU. We use no subprocessors in the US or other non-EU/EEA countries — which means Schrems II concerns simply don't apply.

02

What data we process

Only what's needed to run your WordPress: your sites' URLs, plugin and theme versions, update history, and cryptographic keys. We never touch your visitors' data — there's no tracking pixel and no ads module.

  • Site metadata (URL, version, status)
  • Operations logs (security events, updates)
  • Backup archives (encrypted, 30 days)
  • Operator identity (your email, for support)
03

How it's protected

The connection between your WordPress and Oden goes via the WEBBELi worker plugin we install on your site — TLS 1.3 with Ed25519 keys. Stored secrets are envelope-encrypted (Cloud KMS). Audit logs are write-only and kept for 12 months.

04

Your rights

You can request access to, correction of, or deletion of your data. Email hello@oden.cam and we'll respond within 30 days (usually within 48 hours). At termination, all customer data is permanently erased within 60 days — except what we must retain under Swedish bookkeeping law (7 years).

05

Data incidents

If we confirm an incident affecting your personal data, we'll contact you within 72 hours with an initial report, in parallel with our notification to IMY (the Swedish DPA). The report covers what happened, what was affected, and what mitigations we're applying.

06

Data Processing Agreement (DPA)

A standard DPA is automatically included — no separate paperwork. It stipulates EU hosting, sub-processors (list available on request), and Swedish law as the applicable jurisdiction. Larger procurements can sign an extended agreement: hello@oden.cam.

Controller: NNi Solutions, Sweden. Questions? hello@oden.cam
Service

Get Oden C.A.M