🇫🇮 🇬🇧

Safer internet — by design.

SafePi is a local network security product developed by Safepify Oy. It helps make browsing safer by allowing access only to explicitly trusted destinations.

SafePi Basic already provides strong everyday browsing protection as a one-time purchase. Subscriptions are optional add-ons for support, advanced control, and stricter network-level enforcement.

If a destination isn’t trusted, the connection is blocked. Filtering happens locally on your network, keeping protection predictable and fully under your control.

SafePi is designed for homes, shared networks, and other environments where safety, clarity, and reliability matter more than managing security on every individual device.

Buy SafePi How it works
  • ✔ Strong everyday protection with SafePi Basic
  • ✔ No subscription required for core protection
  • ✔ Automatic hourly allowlist updates with optional custom overrides
  • ✔ Local-first operation (LAN-only interface)
  • ✔ Page Doctor explains blocked requests and suggests minimal approvals
  • ✔ Optional SafeDNS Guard for strict network-level enforcement with the SafePi Shield Router
  • ✔ Optional Mullvad VPN integration
  • ✔ Optional DNS filtering (powered by the open-source Pi-hole® project): blocks many advertising, tracking, and known unsafe domains using community-maintained blocklists

Local-first protection

Your data stays on your device

SafePi is designed so filtering and logging happen locally on the SafePi device inside your own network — not in a cloud dashboard.

Local processing

All filtering and logging happens locally on the SafePi device on your network.

LAN-only management

The management interface is only accessible from inside your LAN.

No cloud dependency

No cloud account or login is required for core protection.

  • ✔ Browsing history, page contents, and traffic data never leave your network
  • ✔ SafePi receives allowlist updates but does not send your traffic data outbound
  • ✔ Local-first operation with LAN-only management
  • ✔ Safepify Oy is a Finnish company

Built for networks that need safer browsing

SafePi is designed for environments where browsing should be safe and predictable — without relying on cloud-managed policy platforms or complicated setup on every device.

Homes & families

Consistent protection for devices on the same Wi-Fi network.

Elderly & assisted living

Strong protection without requiring users to make complex security decisions.

Schools & training

Controlled access designed for focused use and reduced exposure.

Guest Wi-Fi & public spaces

Safer browsing for visitor networks, libraries, waiting areas, and shared community spaces.

Small offices & clinics

Reduced phishing exposure for staff and visitors on shared networks.

Older PCs still in use

SafePi can help older computers browse more safely by allowing only explicitly trusted web destinations.

SafePi does not replace operating system updates or antivirus software.

Filtering happens directly on your network, and the management interface is only accessible from within it.

How it works

SafePi sits between your devices and the internet and applies a simple but strict rule: allow what is trusted, deny what is unknown.

SafePi can operate in Basic (proxy) mode or in SafeDNS Guard mode together with the SafePi Shield Router.

1) Proxy filtering (SafePi Basic)

In Basic mode, SafePi provides strong everyday protection for normal browsing by allowing only explicitly trusted web destinations through the local proxy.

Basic mode requires a small per-device setup: set the SafePi proxy IP and port in network settings.

2) Maintained trust model

SafePi includes a maintained allowlist covering common global services, nationally relevant domains, and selected infrastructure needed for many legitimate services to work properly.

Optional custom overrides are available for advanced environments that need tighter control.

3) Local management

SafePi is managed through a local web interface available only within your network (LAN) at http://safepi.local. It is not exposed to the internet.

Administrators can review blocked requests in real time, adjust allowlists, enable or disable optional features, and manage subscription plans from the interface.

A dedicated setup page at http://safepi.local:8080/setup provides clear instructions for configuring proxy settings on devices.

Basic vs SafeDNS Guard

SafePi Basic makes decisions at the domain level through the proxy. This is often enough for normal browsing and many legitimate services.

SafeDNS Guard is stricter. It enforces policy at the network level and may occasionally require approval of legitimate backend infrastructure used by apps.

This stricter model reduces common bypass paths while keeping approvals visible and manageable.

When to choose SafeDNS Guard instead

SafePi Basic already provides strong protection for normal web browsing. Some applications and system services, however, may bypass proxy settings. In addition, QUIC / HTTP-3 traffic and direct IP connections are outside the scope of traditional proxy filtering.

For environments that need stricter network-wide enforcement with fewer bypass paths, SafePi offers SafeDNS Guard.

Managed, visible, and diagnosable

SafePi is built to be easy to operate day-to-day while still providing clear visibility into what is being allowed or denied.

SafePi updates

SafePi components — including backend logic and the web interface — are updated automatically to improve functionality and compatibility over time.

Updates are applied locally on the device and do not require cloud control. Operating system updates are managed separately.

PIN-protected changes (Parent Guard)

Optional PIN protection can restrict sensitive actions, helping prevent unauthorized configuration changes.

Useful in family, public, and assisted-living environments.

Live visibility

SafePi provides clear visibility into network activity so administrators can understand why requests were allowed or denied.

In Basic (proxy) mode, SafePi shows live proxy denies. In SafeDNS Guard mode, SafePi shows Live kernel drops.

If DNS filtering is enabled, SafePi also shows live DNS denies.

A dedicated statistics view summarizes blocked requests, allowed traffic, and the most active devices on the network.

Page Doctor & diagnostics

The built-in Page Doctor analyzes blocked requests and can suggest which domains may be required for a page to function correctly, helping restore legitimate services while keeping the allowlist minimal.

When investigating unknown destinations, SafePi can also display additional IP intelligence such as hosting provider information and infrastructure signals.

Help from the interface

Request SafePi-related help directly from the interface, including guidance for blocked websites and domain approval requests.

Assistance level depends on your plan.

Plans & billing

Optional subscription plans can be managed from the interface, including upgrades and cancellations.

Billing is handled through a secure payment provider.

Local by design

The SafePi management interface is available only within your local network (LAN) and is not exposed to the internet.

SafePi does not rely on traditional login accounts or stored credentials. Access is limited to the local network, and sensitive actions can be protected with an optional PIN (Parent Guard), reducing unnecessary attack surface.

Safe by default

SafePi includes a maintained allowlist covering common global services, nationally relevant domains, and selected internet infrastructure needed for many legitimate services to work properly.

Allowlist approach

  • Unknown domains are denied by default
  • Known risky destinations can be excluded from default policies
  • Administrators can extend access by adding trusted domains

SafePi applies allowlist rules locally. You can add or remove domains using the LAN-only web interface.

Optional DNS filtering

DNS filtering uses the open-source Pi-hole® engine to block many advertising, tracking, and other unwanted domains — without changing what you allow.

Pi-hole® is a trademark of Pi-hole LLC. SafePi is not affiliated with or endorsed by the Pi-hole project.

SafeDNS Guard

SafeDNS Guard upgrades SafePi from proxy filtering to network-level enforcement. Policy is applied at the router level — not just inside a browser or individual application.

Devices simply connect to the protected network provided by the SafePi Shield Router. No proxy configuration. No per-device software.

Strict by design — without over-allowing

Most security tools try to block “bad” websites. SafeDNS Guard takes a different approach: it allows only trusted sites — and nothing else.

Modern websites depend on shared infrastructure such as content delivery networks. SafeDNS Guard handles this safely by separating:

  • Trusted sites you approve (your actual destinations)
  • Infrastructure helpers needed to make those sites work

SafeDNS Guard learns only what belongs to the site — not the shared infrastructure behind it.

Infrastructure is allowed only to keep sites working — but it is never treated as trusted itself.

This prevents accidental expansion of trust to large shared platforms.

Enforced, not suggested

  • DNS policy is enforced across the network
  • Direct IP connections can be restricted
  • If a destination is not explicitly allowed, it does not pass
  • Third-party VPN clients and external DNS resolvers typically fail by default, unless their required endpoints are explicitly trusted

This helps prevent silent bypasses where a device routes around policy by switching DNS or tunneling out.

Strict — and practical

SafeDNS Guard automatically handles many real-world service dependencies. When a trusted domain is allowed, SafeDNS Guard can automatically permit verified subdomains and their resolved IPs with expiry.

This helps legitimate services keep working even when infrastructure changes in the background.

Only shared cloud or CDN infrastructure that cannot be confidently tied to the trusted service may require manual review.

Clear visibility when you need it

In SafeDNS Guard mode, network-level blocks are shown in Live kernel drops, where destinations are resolved into human-readable hostnames.

From there, administrators can review and add approvals when appropriate.

Page Doctor focuses on proxy-based analysis. SafeDNS Guard has its own dedicated enforcement view.

Approval history

SafeDNS Guard includes a paginated approvals view showing each allowed IP and hostname, including why it was added and when it expires.

Every entry can be copied or removed instantly. Keep policy minimal and reversible.

Built for controlled environments

SafeDNS Guard is designed for homes, schools, guest Wi-Fi, assisted living, and small organizations where consistent enforcement matters.

The SafePi Shield Router directs traffic through SafePi so policy remains enforced across the network while staying manageable for the administrator.

Optional privacy features

SafePi supports optional integration with Mullvad VPN for encrypted outbound traffic. Additional options may include a VPN kill switch and DNS-level filtering depending on plan level and configuration.

VPN usage is optional and configurable from the local interface.

Security transparency

See exactly what SafePi does

SafePi generates a human-readable security report from your own network activity. The report explains what was blocked, why it was blocked, and whether suspicious behavior was detected — without showing browsing histories, page contents, passwords, or packet captures.

Protected

Anonymized sample report · 24h period · Proxy mode

8 844 Requests denied
116 Ads/trackers blocked
0 Security findings
3 Known LAN devices
“Most blocked activity observed during this period appears related to advertising, analytics, telemetry, or third-party web infrastructure.”

The sample report was generated from a real SafePi deployment and automatically anonymized before export. Local IP addresses, device names, and identifying metadata were removed or generalized.

View anonymized sample report

Pricing

Choose your SafePi hardware

Hardware works on its own. Optional subscriptions can be enabled later from the SafePi interface.

SafePi Basic

€299

One-time device purchase

No subscription required for core protection

  • SafePi security gateway device
  • Strong everyday browsing protection
  • Allowlist-based filtering
  • Automatic allowlist updates
  • Local web interface (LAN-only)
  • Real-time logs + Page Doctor
  • Optional Mullvad VPN integration
  • Optional DNS filtering (powered by the open-source Pi-hole® project)
  • Optional upgrades available later
Buy SafePi

SafePi Shield (Complete System)

€348

SafePi device + Shield Router

  • SafePi device included
  • SafePi Shield Router included
  • Ready for SafeDNS Guard
  • No per-device setup required
  • Enables full network protection

Choose this if you want protection across your entire network without configuring each device.

Buy Complete System

SafePi Shield Router

€120

Enables full network protection (SafeDNS Guard)

  • Routes all traffic through SafePi
  • No per-device setup required
  • Prevents bypass (VPN, DNS, direct connections)
  • For existing SafePi device owners
Buy Shield Router

Optional feature plans

Subscriptions are optional. SafePi Basic works without any monthly plan.

SafePi Care

€4.99 / month

  • Help via the web interface
  • Domain approval assistance
  • Guidance for blocked websites

SafePi Control

€14.99 / month

  • Everything in Care
  • Git-based allowlist sync
  • PIN protection
  • Configuration lock

SafePi Shield

€24.99 / month

Requires SafePi Shield Router

  • SafeDNS Guard (network-level enforcement)
  • Fail-closed protection
  • Blocks unknown destinations by default
  • Prevents DNS and VPN bypass

SafePi Shield uses SafeDNS Guard together with the SafePi Shield Router to protect the entire network. The router ensures all traffic flows through SafePi, preventing bypass via direct connections or external DNS. SafePi Basic and other plans operate in proxy mode and do not require the router.

Support

Need help with SafePi or a blocked website? Send a message and we’ll respond as soon as possible.

Setup guidance is also available on your local network at http://safepi.local:8080/setup.

We need your email address to reply.

By sending this message you agree to share the provided contact details so we can respond.

Built in Finland, for Finnish networks

Carl-Christian Grönholm, founder of Safepify Oy

Carl-Christian Grönholm

Founder, Safepify Oy · Finland

I built SafePi because I couldn't find a network security product that was honest about what it actually does, kept data local, and didn't require an IT department to operate.

I also wanted better protection for my own family network — including my 87-year-old mother, who still uses online banking and email independently.

SafePi is the kind of protection I wanted in my own home.

🇫🇮 Safepify Oy · Business ID: 3612963-1