Safer internet — by design.

SafePi is a local security gateway that protects internet access by allowing only what is explicitly trusted. If something is not trusted, it simply cannot be reached.

A trusted allowlist is continuously maintained and synced automatically every hour, keeping protection strict while helping legitimate services continue to work.

Built for shared networks where safety, predictability, and reliability matter more than managing security on every individual device.

  • ✔ Allowlist-based protection (only trusted destinations work)
  • ✔ Automatic hourly allowlist updates with optional custom overrides
  • ✔ Local-first operation (LAN-only interface)
  • ✔ Page Doctor explains blocked requests and suggests minimal approvals
  • ✔ Optional SafeDNS Guard for strict network-level enforcement with the companion router
  • ✔ Optional Mullvad VPN integration
  • ✔ Optional DNS filtering (powered by the open-source Pi-hole® project): blocks many advertising, tracking, and known unsafe domains using community-maintained blocklists

About Safepify

Safepify Oy develops local-first network safety products designed for homes, schools, assisted living environments, and other shared networks.

Our goal is to make internet access more predictable and easier to manage by allowing only explicitly trusted destinations, while keeping control local to the network instead of relying on cloud-based filtering.

SafePi is our flagship product — a security gateway that helps administrators reduce exposure to phishing, malicious content, and unexpected online behavior without requiring complex setup on every device.

Built for networks that need safer browsing

SafePi is designed for environments where browsing should be safe and predictable — without relying on cloud-managed policy platforms or complicated setup on every device.

Homes & families

Consistent protection for devices on the same Wi-Fi network.

Elderly & assisted living

Strong protection without requiring users to make complex security decisions.

Schools & training

Controlled access designed for focused use and reduced exposure.

Guest Wi-Fi & public spaces

Safer browsing for visitor networks, libraries, waiting areas, and shared community spaces.

Small offices & clinics

Reduced phishing exposure for staff and visitors on shared networks.

Older PCs still in use

SafePi can help older computers browse more safely by allowing only explicitly trusted web destinations.

SafePi does not replace operating system updates or antivirus software.

Filtering runs locally on your network. The management interface is LAN-only by default.

How it works

SafePi sits between your devices and the internet and applies a simple but strict rule: allow what is trusted, deny what is unknown.

SafePi can operate in Basic (proxy) mode or in SafeDNS Guard mode together with the SafePi Companion Router.

1) Proxy filtering (SafePi Basic)

In Basic mode, SafePi works as a local web proxy. Web traffic is filtered through the allowlist, and only explicitly trusted domains are reachable.

Basic mode requires a small per-device setup: set the SafePi proxy IP and port in network settings.

2) Maintained trust model

SafePi includes a maintained allowlist covering common global services, nationally relevant domains, and selected infrastructure needed for many legitimate services to work properly.

Optional custom overrides are available for advanced environments that need tighter control.

3) Local management

SafePi is managed through a local web interface available only within your network (LAN) at http://safepi.local. It is not exposed to the internet.

Administrators can review blocked requests in real time, adjust allowlists, enable or disable optional features, and manage subscription plans from the interface.

A dedicated setup page at http://safepi.local:8080/setup provides clear instructions for configuring proxy settings on devices.

Limitations of proxy-based filtering (Basic)

Some applications and system services may bypass proxy settings. In addition, QUIC (HTTP/3) traffic, which runs over UDP, and direct IP connections are outside the scope of traditional proxy filtering.

For network-wide enforcement with fewer bypass paths, SafePi offers SafeDNS Guard.

Basic vs SafeDNS Guard

SafePi Basic makes decisions at the domain level through the proxy. This is often enough for normal browsing and many legitimate services.

SafeDNS Guard is stricter. It enforces policy at the network level and may occasionally require approval of legitimate backend infrastructure used by apps.

This stricter model reduces common bypass paths while keeping approvals visible and manageable.

Managed, visible, and diagnosable

SafePi is built to be easy to operate day-to-day while still providing clear visibility into what is being allowed or denied.

SafePi updates

SafePi components — including backend logic and the web interface — are updated automatically to improve functionality and compatibility over time.

Updates are applied locally on the device and do not require cloud control. Operating system updates are managed separately.

PIN-protected changes (Parent Guard)

Optional PIN protection can restrict sensitive actions, helping prevent unauthorized configuration changes.

Useful in family, public, and assisted-living environments.

Live visibility

SafePi provides clear visibility into network activity so administrators can understand why requests were allowed or denied.

In Basic (proxy) mode, SafePi shows live proxy denies. In SafeDNS Guard mode, SafePi shows Live kernel drops.

If DNS filtering is enabled, SafePi also shows live DNS denies.

A dedicated statistics view summarizes blocked requests, allowed traffic, and the most active devices on the network.

Page Doctor & diagnostics

The built-in Page Doctor analyzes blocked requests and can suggest which domains may be required for a page to function correctly, helping restore legitimate services while keeping the allowlist minimal.

When investigating unknown destinations, SafePi can also display additional IP intelligence such as hosting provider information and infrastructure signals.

Help from the interface

Request SafePi-related help directly from the interface, including guidance for blocked websites and domain approval requests.

Assistance level depends on your plan.

Plans & billing

Subscription plans can be managed from the interface, including upgrades and cancellations.

Billing is handled through a secure payment provider.

Local by design

The SafePi management interface is available only within your local network (LAN) and is not exposed to the internet.

SafePi does not rely on traditional login accounts or stored credentials. Access is limited to the local network, and sensitive actions can be protected with an optional PIN (Parent Guard), reducing unnecessary attack surface.

Safe by default

SafePi includes a maintained allowlist covering common global services, nationally relevant domains, and selected internet infrastructure needed for many legitimate services to work properly.

Allowlist approach

  • Unknown domains are denied by default
  • Known risky destinations can be excluded from default policies
  • Administrators can extend access by adding trusted domains

SafePi applies allowlist rules locally. You can add or remove domains using the LAN-only web interface.

Optional DNS filtering

DNS filtering uses the open-source Pi-hole® engine to block many advertising, tracking, and other unwanted domains — without changing what you allow.

Pi-hole® is a trademark of Pi-hole LLC. SafePi is not affiliated with or endorsed by the Pi-hole project.

SafeDNS Guard

SafeDNS Guard upgrades SafePi from proxy filtering to network-level enforcement. Policy is applied at the router layer — not only inside a browser or individual application.

Devices simply connect to the protected network provided by the SafePi Companion Router. No proxy configuration. No per-device software.

Strict by design — without over-allowing

Most security tools try to block “bad” websites. SafeDNS Guard takes a different approach: it allows only trusted sites — and nothing else.

Modern websites depend on shared infrastructure such as content delivery networks. SafeDNS Guard handles this safely by separating:

  • Trusted sites you approve (your actual destinations)
  • Infrastructure helpers needed to make those sites work

SafeDNS Guard learns only what belongs to the site — not the shared infrastructure behind it.

Infrastructure is allowed only to keep sites working — but it is never treated as trusted itself.

This prevents accidental expansion of trust to large shared platforms.

Enforced, not suggested

  • DNS policy is enforced across the network
  • Direct IP connections can be restricted
  • If a destination is not explicitly allowed, it does not pass
  • Third-party VPN clients and external DNS resolvers typically fail by default, unless their required endpoints are explicitly trusted

This helps prevent silent bypasses where a device routes around policy by switching DNS or tunneling out.

Strict — and practical

SafeDNS Guard automatically handles many real-world service dependencies. When a trusted domain is allowed, SafeDNS Guard can automatically permit verified subdomains and their resolved IPs with expiry.

This helps legitimate services keep working even when infrastructure changes in the background.

Only shared cloud or CDN infrastructure that cannot be confidently tied to the trusted service may require manual review.
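
An added illustration of the model described above (default deny, domain matching on label boundaries, DNS-learned IP approvals that expire), not SafePi's own code. The class, its method names, the `ttl_cap` parameter and the sample domains and addresses used with it are assumptions constructed for the example.

```python
import ipaddress
import time

class DefaultDenyPolicy:
    """Illustrative default-deny policy; not SafePi's implementation."""

    def __init__(self, trusted_domains, infrastructure_hosts=(), ttl_cap=300):
        self.trusted = {d.lower().rstrip(".") for d in trusted_domains}
        self.infra = {h.lower().rstrip(".") for h in infrastructure_hosts}
        self.ttl_cap = ttl_cap      # assumed upper bound on approval lifetime (s)
        self.learned = {}           # ip -> (hostname, reason, expires_at)

    def classify(self, hostname):
        host = hostname.lower().rstrip(".")
        for d in self.trusted:
            # Match on a label boundary so "evil-example.org" != "example.org".
            if host == d or host.endswith("." + d):
                return "trusted"
        # Infrastructure helpers match exactly: no subdomain expansion.
        return "infrastructure" if host in self.infra else "unknown"

    def observe_dns(self, hostname, ips, ttl, now=None):
        """Learn resolved IPs for an allowed name; unknown names teach nothing."""
        now = time.time() if now is None else now
        reason = self.classify(hostname)
        if reason == "unknown":
            return False
        expires = now + min(ttl, self.ttl_cap)
        for ip in ips:
            self.learned[ipaddress.ip_address(ip)] = (hostname, reason, expires)
        return True

    def allow_connection(self, ip, now=None):
        """Fail closed: only unexpired, DNS-learned IPs pass."""
        now = time.time() if now is None else now
        addr = ipaddress.ip_address(ip)
        entry = self.learned.get(addr)
        if entry is None:
            return False            # direct IP never resolved via an allowed name
        if entry[2] <= now:
            del self.learned[addr]  # approval expired; must be re-learned
            return False
        return True

    def approvals(self, now):
        """Audit view: (ip, hostname, reason, expires_at) for live entries."""
        return sorted((str(ip), h, r, e)
                      for ip, (h, r, e) in self.learned.items() if e > now)
```

Because infrastructure hosts match exactly and carry their own reason in the audit view, allowing a CDN hostname never widens trust to the rest of that platform.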

Clear visibility when you need it

In SafeDNS Guard mode, network-level blocks are shown in Live kernel drops, where destinations are resolved into human-readable hostnames.

From there, administrators can review and add approvals when appropriate.

Page Doctor focuses on proxy-based analysis. SafeDNS Guard has its own dedicated enforcement view.

Auditable approvals

SafeDNS Guard includes a paginated approvals view showing each allowed IP and hostname, including why it was added and when it expires.

Every entry can be copied or removed instantly. Keep policy minimal and reversible.

Built for controlled environments

SafeDNS Guard is designed for homes, schools, guest Wi-Fi, assisted living, and small organizations where consistent enforcement matters.

The SafePi Companion Router directs traffic through SafePi so policy remains enforced across the network while staying manageable for the administrator.

Optional privacy features

SafePi supports optional integration with Mullvad VPN for encrypted outbound traffic. Additional options may include a VPN kill switch and DNS-level filtering depending on plan level and configuration.

VPN usage is optional and configurable from the local interface.

Pricing

Choose your SafePi hardware

Hardware is purchased first. Subscriptions are enabled later from the SafePi interface.

SafePi Basic

€299

One-time device purchase

  • SafePi security gateway device
  • Allowlist-based browsing protection
  • Automatic allowlist updates
  • Local web interface (LAN-only)
  • Real-time logs + Page Doctor
  • Optional Mullvad VPN integration
  • Optional DNS filtering (powered by the open-source Pi-hole® project)
  • Upgradeable to SafeDNS Guard (Shield)

SafePi Shield (Complete System)

€348

SafePi device + companion router

  • SafePi device included
  • Companion router included
  • Ready for SafeDNS Guard
  • No per-device setup required
  • Network-level enforcement capability

SafePi Companion Router

€120

Required to enable SafeDNS Guard (Shield)

  • Companion router for SafePi
  • Enables SafeDNS Guard
  • For existing SafePi device owners
  • Enforces network-level protection

Enable features on your SafePi

After setup, subscriptions can be enabled anytime from the SafePi web interface.

SafePi Care

€4.99 / month

  • Help via the web interface
  • Domain approval assistance
  • Guidance for blocked websites

SafePi Control

€14.99 / month

  • Everything in Care
  • Git-based allowlist sync
  • Parent Guard (PIN protection)
  • Configuration lock & auditing

SafePi Shield

€24.99 / month

Requires SafePi Companion Router

  • SafeDNS Guard (network-level enforcement)
  • Fail-closed protection
  • Blocks unknown destinations by default
  • Prevents DNS and VPN bypass

SafePi Shield uses SafeDNS Guard together with the SafePi Companion Router to enforce protection across the entire network. The router ensures all traffic flows through SafePi, preventing bypass via direct connections or external DNS. SafePi Basic and other plans operate in proxy mode and do not require the router.

Support

Need help with SafePi or a blocked website? Send a message and we’ll respond as soon as possible.

Setup guidance is also available on your local network at http://safepi.local:8080/setup.
