Summary

  • CDZNET's public identities join cleanly. Brazilian company data and the provider's site use CNPJ 28.583.371/0001-62, the Sao Jose do Rio Preto address and the legal name CDZNET DATACENTER LTDA; Registro.br assigns the same CNPJ AS263062, two IPv4 /22 blocks and one IPv6 /32.
  • The network is visibly in use. RIPEstat observed AS263062 originating all three Registro.br allocations during July 1-15, 2026, with broad collector visibility and two clearly observed adjacent networks. None of the three aggregate routes had a validating RPKI authorisation in the captured checks, which returned unknown rather than invalid.
  • There is public service proof beyond the company's own catalogue. The Municipality of Olimpia records a R$121,209.72 contract with CDZNET, running from October 23, 2025 to October 22, 2026, for dedicated and virtual cloud servers, database software, advanced monitoring and a point-to-point network. The record proves a defined customer engagement, not its availability or support outcomes.
  • Buyers should convert the provider's useful local proposition into testable obligations. The site advertises a Brazilian facility, 99.9% uptime, connectivity through eight operators, round-the-clock support with a two-hour maximum, managed backup and disaster recovery. Public materials do not define the uptime calculation, support clock, restore objectives, carrier paths, data-copy map or service credits tightly enough to carry a critical workload without a negotiated schedule.

The company, network and trading address resolve to one operator

Regional infrastructure providers often present three identities: a legal entity on the contract, a brand on the website and a network holder in internet registries. When those identities do not align, a buyer can struggle to establish who controls the address space, who operates the service and who owes the remedy after an incident. CDZNET offers a comparatively strong attribution chain.

The Brazilian company-data record for CNPJ 28.583.371/0001-62 names CDZNET DATACENTER LTDA, marks it active, gives an opening date of September 5, 2017 and places its headquarters at Rua Independencia 2472, Sao Jose do Rio Preto, Sao Paulo. Its principal activity is data processing, application provision and internet hosting. Secondary activities include fixed telecommunications, communications-network access, multimedia communications, voice over IP and technical support. The record also names Aldevino de Zan and Marcelo Basile de Zan as administrators. Casa dos Dados republishes Receita Federal material and is not a substitute for a current certified corporate extract, but the identifiers are specific and internally consistent.

The provider's company page repeats the legal CNPJ and street address. It says the CDZNET business began in 2007 and built its own data centre in 2010, while the current limited company dates from 2017 in the company-data record. Those dates can coexist: a brand or predecessor operation can be older than the current legal person. They should not be silently merged. A buyer assessing contractual continuity should ask which entity operated the earlier service, whether contracts or assets transferred, and which company now owns or leases the facility equipment.

The decisive technical join comes from Registro.br's RDAP record for AS263062. It identifies CDZNET DATACENTER LTDA as registrant, publishes the same CNPJ and names Marcelo Basile de Zan in the administrative and abuse contact chain. It links the ASN to 186.232.108.0/22, 191.243.140.0/22 and 2804:938::/32. The individual Registro.br address record for 186.232.108.0/22 again names the company and CNPJ; the equivalent records do the same for 191.243.140.0/22 and 2804:938::/32.

This is more than name similarity. A single Brazilian tax identifier connects the public sales surface, company record, ASN and address allocations. It does not prove who is on shift, where each server sits or whether every asset is owned by the company. It does give customers a concrete counterparty and a network identity that can be written into the service schedule, incident plan and exit procedure.

The catalogue describes a real operating surface

CDZNET's current website presents a broad but coherent infrastructure catalogue: colocation, dedicated servers, Cloud Server, VPS, cloud backup, professional email and website hosting. These are not interchangeable products. They divide operational responsibility differently, and the website provides enough detail to see where some of those boundaries begin.

The Cloud Server page says virtual machines run on VMware in the provider's own Brazilian data centre. It advertises Linux and Windows environments, customer-controlled scaling of disk, memory and CPU, DDoS protection, managed backups, and provisioning in Brazilian reais. At capture, the entry Cloud Basic offer displayed one virtual CPU, 2 GB of memory, 50 GB of disk, one IPv4 address and a monthly price of R$179.88. Published configurations and prices are sales evidence at a point in time, not a guarantee that capacity is reserved or that every feature is included in every order.

The dedicated-server page draws a different line. It advertises root or administrator access, isolated hardware, Linux or Windows, optional control panels, a managed backup, DDoS protection and provisioning within 48 hours. Three displayed configurations use Xeon E5-2673 v3 processors, SSD storage, RAID 1, four IPv4 addresses and a 1 Gbps public port. A dedicated host can reduce compute contention, but it does not by itself isolate power, network, storage administration, backup credentials or the people authorised to intervene.

The colocation offer leaves the server with the customer and places power, cooling, physical security and facility operation with CDZNET. It says customers may install equipment themselves or buy installation and other data-centre support from CDZNET. That distinction matters during an outage: a customer-owned appliance may still depend on provider staff for console access, cable replacement, rebooting and media handling. Remote-hands scope and authority should therefore be agreed before the first urgent request.

Backup adds another control plane. The backup and disaster-recovery page describes daily integrity checks, off-site transfer over fibre, VLAN or dedicated links, Veeam or Acronis, support for Microsoft 365, Azure, AWS, virtual machines, endpoints and physical servers, plus disaster recovery on demand. Those are meaningful service components. Yet an integrity check is not a restoration test, and an external copy is not necessarily isolated from the production credentials or incident that damaged the source. A buyer needs the backup location, tenancy, immutability, retention, encryption-key ownership, failure alerts, recovery-point objective and measured recovery-time objective for its particular workload.

The catalogue therefore establishes an operating surface rather than an assurance result. It tells a platform team what CDZNET is prepared to sell and which layers the provider may manage. The order, service schedule and operating runbook must say which party actually provisions accounts, patches guest systems, monitors capacity, approves changes, restores data and pays for emergency work.

A public-sector contract is useful service proof, with a narrow meaning

Self-description becomes more credible when a named customer record shows that services were procured. The Municipality of Olimpia's electronic tender page records CDZNET DATACENTER LTDA as contractor under contract 200/2025. The stated scope covers a dedicated cloud server, database-management software licensing, advanced server management and monitoring, a point-to-point network and a virtual cloud server. The published value is R$121,209.72, with a term from October 23, 2025 through October 22, 2026.

That record answers an important question: CDZNET has been selected for a multi-layer production assignment that combines compute, software, monitoring and connectivity. It is stronger service proof than a generic testimonial because the contracting authority, scope, value and dates are public. It also demonstrates why the provider matters beyond ordinary website hosting. A municipal workload can place operational continuity, database administration and network delivery in the same supplier relationship.

The contract listing does not show the service's observed uptime, incident count, restoration performance or user satisfaction. A procurement award records an obligation, not its fulfilment. Nor should one government engagement be converted into a general claim about customer volume or market share. The fair conclusion is that the legal entity was contracted for a specific cloud and network service, while performance remains a separate evidence question.

For a new buyer, the Olimpia scope is a useful model for diligence. It identifies the layers that should be priced separately: physical or virtual compute, software licensing, monitoring, network access and operating labour. Bundling can reduce hand-offs during an incident, but it can also concentrate failure and exit risk. The customer should know whether it can transfer the database licence, export machine images, retain monitoring history, replace the point-to-point link and recover administrator access independently.

AS263062 is live, dual-stack and attributable

The clearest present-tense operating evidence is in public routing. RIPEstat's announced-prefix record for AS263062 showed 186.232.108.0/22, 191.243.140.0/22 and 2804:938::/32 throughout its July 1-15, 2026 observation window. These are the same three allocations linked from Registro.br. Each IPv4 /22 contains 1,024 addresses, while the IPv6 /32 supplies a much larger addressing space. Address capacity is not server count or utilisation; it is a resource footprint.

RIPEstat's routing-status views showed both IPv4 aggregates visible to 325 of 326 reporting IPv4 peers at the capture point. The 186.232.108.0/22 status dated its first observed origin by AS263062 to April 2012, while the 191.243.140.0/22 status dated first observation to April 2014. The IPv6 aggregate was visible to 320 of 322 reporting IPv6 peers. These measurements support long-lived, globally visible routing under the company-linked ASN. They do not measure packet loss, congestion, application availability or facility uptime.

The RIPEstat neighbour observation found two clearly visible adjacent networks on July 15: AS262761, identified by RIPEstat as Sinal Br Telecom, and AS268764, identified as NetCaster Solutions. A third, AS262427, had very low visibility and was classified as uncertain. This supports more than one visible external path at the control-plane level. It does not reveal circuit capacity, commercial terms, building entrances, fibre ducts or whether the two routes share a physical dependency.

That boundary matters because CDZNET's site says the facility has connectivity with eight internet operators and that Cloud Server uses a direct PTT or PIX connection. Public BGP collectors do not necessarily expose every private interconnection, backup circuit or reseller relationship. The absence of eight visible adjacent ASNs is not proof that the claim is false. Conversely, a carrier logo or circuit invoice is not proof of path diversity. A critical customer should ask for the current carrier matrix, circuit capacities, normal routing policy, failover design and the result of a controlled failover test.

PeeringDB provides a dated cross-check rather than a current topology map. The AS263062 PeeringDB entry, last updated at the network level in July 2022, describes a content network with 21 IPv4 prefixes, one IPv6 prefix and a 100-1000 Mbps traffic band. It lists no public exchange connection and no facility. PeeringDB is operator-supplied and voluntary; empty exchange and facility tables do not disprove CDZNET's PTT, carrier or building claims. The stale record simply cannot validate them today. The live registry and routing measurements carry more weight for current network attribution.

Route authorisation is the visible security gap

The three captured RPKI checks deserve separate treatment. RIPEstat returned unknown for the origin of 186.232.108.0/22, 191.243.140.0/22 and 2804:938::/32. In each response, the list of validating route-origin authorisations was empty.

Unknown is not invalid. It means the validator had no applicable cryptographic authorisation against which to judge the observed origin. The routes were still broadly visible, and registry records tied both the resources and ASN to CDZNET. The missing authorisation nevertheless leaves networks that enforce route-origin validation without a positive RPKI signal for those aggregates.

For a provider selling DDoS protection, redundancy and high availability, route control belongs in the assurance conversation. The customer should ask whether CDZNET plans to create route-origin authorisations, who controls the registry credentials, how emergency origin changes are approved and how a disaster-recovery route would be authorised. RPKI would not secure servers or stop every route leak. It would make the intended origin independently verifiable and reduce one avoidable ambiguity at the routing boundary.

Brazilian location must be defined per copy and control plane

CDZNET's local proposition is unusually explicit. Its Cloud Server page says servers are hosted in Brazil. Its backup page advertises external storage in a national data centre. The company page identifies the facility in Sao Jose do Rio Preto and publishes concrete infrastructure claims: 1,408 rack units of colocation capacity, 300 kVA of planned energy capacity, a 100 kVA Caterpillar generator, redundant Trane cooling motors, UPS equipment, fire protection, controlled access and continuous monitoring.

These details make a site visit and engineering schedule possible. They do not yet show installed usable capacity, current load, power-path selectivity, fuel autonomy, maintenance history, fire-zone separation or whether backup storage shares the same hazard domain. The difference between 300 kVA planned capacity and a named 100 kVA generator particularly needs a load and priority explanation. A buyer should ask which systems remain backed during a utility failure, for how long, and under what tested load.

The CDZNET privacy policy, dated February 8, 2022, says personal data under the company's responsibility is not sent outside Brazil. It also explains that CDZNET often acts as a processor on customer instructions and may apply product-specific privacy terms. That is a useful public commitment, but its scope is narrower than a blanket promise that every customer-data copy remains in Brazil.

Cloud and backup services create several locations: primary disks, replicas, snapshots, monitoring logs, ticket attachments, telemetry, identity systems, email, vendor support sessions and disaster-recovery copies. The backup page explicitly supports Microsoft 365, Azure and AWS, which can introduce customer-chosen or supplier-dependent regions. A data-processing agreement should list each data category, controller and processor role, physical region, subprocessor, transfer mechanism, retention period and deletion proof. Brazilian registration and a local facility do not settle those fields by themselves.

Locality also has an operational dimension. Data can remain in Brazil while privileged support is exercised from elsewhere, or while a software vendor receives diagnostic material. Conversely, a customer's own Azure or AWS account may deliberately place a protected copy in another jurisdiction. The right assurance target is not a broad national label. It is a verified map for the exact service, including who can reach each copy and what happens during support, recovery and exit.

A two-hour support claim needs a clock, owner and remedy

CDZNET repeatedly advertises trained staff available 24 hours a day, seven days a week, with a maximum support SLA of two hours. Its contact page offers routes for technical support, upgrades, backup recovery, sales and general enquiries. The public ASN and address records also expose an abuse and technical contact. Together these are a better accountability surface than a provider with only an anonymous order form.

The phrase "two hours" remains underspecified. It could mean first acknowledgement, technician assignment, diagnosis, workaround or full restoration. It may apply to every ticket or only to a defined severity, and the clock may pause while the provider waits for customer information. Round-the-clock availability can describe a queue without proving that staff with network, hypervisor, storage and database authority are all on duty.

A production schedule should therefore define severity levels, clock start and stop rules, acknowledgement and restoration targets, escalation contacts, maintenance exceptions and service credits. It should distinguish customer-managed incidents from provider-managed ones. For colocation, it should set remote-hands response and approval limits. For backup, it should name who may order a destructive restore and how identity is verified. For a managed database, it should identify who can fail over, roll back or contact the software licensor.

Support evidence should be measured after contracting. Useful records include response and restoration distributions by severity, missed-SLA counts, maintenance notices, post-incident reports and repeated restore exercises. A telephone number and ticket form make contact possible. They do not show how the organisation performs when power, routing and a customer application fail at the same time.

This is also where local labour can justify a regional provider. A team in the same market, language and time zone may resolve physical and contractual issues faster than a distant platform's queue. That advantage becomes durable only when authority is distributed across enough trained people, escalation survives individual absence and the customer can reach an accountable decision-maker during a major incident.

Price the operating model, not the data-centre name

CDZNET presents a credible option for organisations that value Brazilian billing, local infrastructure, direct technical contact and a mixture of cloud, connectivity and hands-on support. The public record is materially stronger than a marketing-only hosting brand: it includes a legal counterparty, assigned network resources, current dual-stack routing and a live municipal contract.

The comparison with hyperscale cloud, another colocation provider or self-operated infrastructure should include the work boundary. CDZNET may absorb provisioning, physical security, power, cooling, network operation, monitoring, backup and recovery tasks depending on the product. The customer still needs capacity governance, guest-system security, identity controls, application observability, restore testing, cost review and an exit path. A low monthly virtual-machine price is not the full cost if those controls remain unfunded.

Vendor concentration deserves an explicit decision. Buying compute, point-to-point connectivity, monitoring, backup and support from one local operator can remove coordination delays. The same bundle can make one incident or commercial dispute affect several recovery options at once. Independent monitoring, customer-held exports, separate emergency credentials and at least one recovery copy outside the provider's administrative domain can preserve the convenience without making every control dependent on one account.

Before a critical deployment, the buyer should ask CDZNET to turn five public claims into evidence: the facility claim into an asset and power schedule; the eight-operator claim into a carrier and path matrix; 99.9% uptime into a measurement and credit formula; the two-hour support claim into severity-specific clocks and escalation; and Brazilian location into a copy-by-copy data map. The buyer should also request current RPKI plans, recent failover evidence and a witnessed restoration from the proposed backup design.

CDZNET's name can reasonably be treated as evidence of an attributable Brazilian infrastructure operator. It should not be treated as operating assurance by itself. The public record supplies a solid starting point; the service earns the rest through contract precision, observable routes, tested recovery and support outcomes that remain available when the easy day is over.