Summary
- Visão's public NOC material advertises a 99.9999% network SLA, but its published service terms promise 99.9% monthly availability for several hosting and server products. In a 30-day month, those figures imply about 2.6 seconds and 43.2 minutes of allowable downtime respectively: a thousandfold difference in failure budget before exclusions, measurement rules or remedies are considered.
- The public network record is substantive but bounded. AS273508 has observable IPv4 and IPv6 routes, valid RPKI signals, multiple observed upstreams, a 10 Gbps IX.br São Paulo connection, public operational contacts and a looking glass. Those facts establish an operating network surface; they do not prove compute health, storage durability, physical path diversity, application availability or tested recovery.
- Recovery is the most consequential contract gap. Current product cards repeatedly advertise backup as included, while the service terms say Visão does not perform backups for VPS, Mikrotik CHR, Zabbix or dedicated servers and does not guarantee restoration from internal shared-hosting copies. A production buyer should treat its own independent, tested backup as mandatory until a signed service schedule resolves that conflict.
- Visão's potential advantage is not an abstract uptime percentage. It is the combination of Brazilian billing, a local legal counterparty, a public NOC, regional support and direct operational familiarity with hosting and ISP workloads. That advantage becomes valuable only when severity targets, decision authority, facility evidence, restore objectives, data location, incident notice and exit assistance are contractually specific.
One decimal point, one thousand times the failure
The most revealing fact about Visão Datacenter is a subtraction.
On its public NOC page, the company advertises a “99.9999%” SLA for network availability. In its service terms, last updated on 22 August 2025, it says that website hosting, reseller hosting, professional email, VPS, Zabbix server and dedicated-server plans are maintained to a monthly SLA of 99.9%. The visual difference is less than one tenth of one percentage point. The engineering difference is much larger.
If six nines were measured over a 30-day month, its error budget would be 2.592 seconds. Over a 365-day year, it would be 31.536 seconds. A 99.9% monthly commitment allows 43.2 minutes in a 30-day month and 44.64 minutes in a 31-day month. The unavailable fraction at 99.9% is one thousand times the unavailable fraction at 99.9999%.
That calculation does not establish that Visão has missed either figure. It exposes the first question a buyer must answer: are these two percentages describing different services, different layers or simply different public messages? The NOC language expressly refers to network availability. The terms cover named hosting and server products. It is therefore possible for both statements to coexist if six nines applies to a tightly defined network component while 99.9% applies to an end product. But the public pages do not provide the measurement specification that would make that distinction operationally useful.
A network can be “up” while a customer is down. A border router may answer while an upstream path is congested. A route may remain visible while a hypervisor is stalled. A virtual machine may respond to ICMP while its disk is read-only. A web server may return a status code while login, payment or database writes fail. A facility may retain utility power while a maintenance error interrupts one distribution branch. An application may be healthy inside the data centre while the customer's DNS, certificate, identity service or own ISP makes it unreachable.
Availability is therefore not one number. It is a chain of observable states. The chain for a typical hosted application might include facility power, cooling, physical security, carrier access, edge routers, transit and peering, firewalls, address routing, hypervisor scheduling, storage, guest operating system, database, DNS, authentication and application logic. Six nines at one point in that chain cannot be multiplied across the rest by rhetoric.
The public terms make the difference even more concrete. They exclude customer-ISP failure, planned technical work, emergency security intervention, application-code failure, unsuitable service sizing, external conditions, operating-system corruption and malware from the uptime guarantee. They require a customer to request a credit within 15 days, provide detailed monitoring evidence and accept that approval remains with Visão. They also state that outside monitoring tools will not be accepted as proof, even while suggesting that the customer maintain detailed Zabbix or similar records.
The evidentiary boundary between an acceptable customer monitor and an unacceptable third-party monitor is not clear on the page.
The credit bands are a billing remedy, not an operational recovery promise. The first published band runs from 99.8% to 99.0% availability for a 5% credit; the treatment of a smaller miss just below 99.9% is not stated clearly. The schedule rises to a maximum 30% credit below 89.9% availability. In a 30-day month, 89.9% corresponds to roughly 72.72 hours of downtime. A future account credit worth 30% of the monthly hosting charge would be economically remote from three days of lost sales, delayed billing, customer support, engineering work, data reconstruction or reputational damage for most production systems.
This is not unusual in infrastructure contracting. Major cloud providers also define covered services, downtime tests, exclusions, customer claim procedures and credits rather than insuring all consequential loss. Google, for example, distinguishes a single Compute Engine instance at 99.9% from instances deployed across multiple zones at 99.99%, and it defines downtime in terms of connectivity or persistent-disk access. The lesson is not that one provider's percentage is automatically better. It is that topology, definition and remedy are inseparable from the number.
Visão's diligence case should begin with this thousandfold gap because it forces every subsequent question into the right form. What exactly is being measured? Which contract controls? Which failure is excluded? What evidence settles a dispute? What action restores service? And who pays for the loss that a credit does not touch?
The counterparty is visible, but the operating perimeter has two brands
Visão is more than a sales page. Public Brazilian company data presented by Casa dos Dados identifies VISAO DATACENTER LTDA, CNPJ 51.470.964/0001-34, as an active limited company opened on 18 July 2023 in Xaxim, Santa Catarina. Its principal registered activity covers data processing, application-service provision and internet hosting. The current Visão contact page gives the same CNPJ-linked Xaxim address, telephone number and company domain.
The network identity is similarly attributable. AS273508 is registered to Visão Datacenter LTDA in public routing records, and the company's name appears in LACNIC's 2026 electoral register. That register supports membership status, not service quality. It nevertheless ties the legal name into the regional number-resource ecosystem rather than leaving it as an unverified hosting label.
The complication is not that the legal company is hidden. It is that the customer-facing perimeter still carries the Cactos Hospedagem brand. Visão's homepage links its customer area to a Visão Datacenter/Cactos Hospedagem portal. The Cactos site advertises a substantially overlapping hosting, VPS, dedicated-server and ISP-cloud portfolio, shows the same telephone number and publishes the same CNPJ 51.470.964/0001-34. Its company history page says the operation began in Brazil's northeast and later established a Santa Catarina branch where its data centre and servers are located.
The matching CNPJ is strong evidence that Cactos is not simply an unrelated portal receiving Visão customers. It suggests a legacy, parallel or commercial brand surface operated by the same legal counterparty. That reading is more reassuring than an unexplained third-party checkout. It still leaves procurement work to do. The order form, invoice issuer, payment recipient, data-processing terms, support ticket, service credit and abuse response should all identify the accountable entity consistently. If a ticket says Cactos while the SLA says Visão, the buyer should know whether that is branding or a change in contractual responsibility.
There is also a chronology that needs documentary explanation. The legal company began activity in 2023. Visão's “Quem Somos” page claims more than 20 years of experience. The facility directory discussed below gives 2004 as the operating year. Those statements can be reconciled if the team, Cactos operation, assets or predecessor business predates the present limited company. Public sources reviewed for this report do not supply the chain of succession, asset ownership or operating agreements needed to prove that continuity.
That uncertainty does not invalidate the experience claim. It changes the procurement request. A buyer relying on long operating history should ask what has actually continued for 20 years: the staff, facility, customer contracts, network, hardware, Cactos brand or a predecessor sole proprietorship. It should also ask which entity owns the facility, employs the NOC staff, contracts the carriers, holds insurance and owes the service credit today.
This distinction matters most during severe failure. Marketing history can establish familiarity. Only a current legal and operational map establishes who can authorize a route change, purchase an emergency part, admit a technician, restore a backup, notify a regulator and compensate a customer.
The customer journey exposes the real service boundary
The public purchasing flow is more informative than a broad description of “cloud.” It shows where Visão's work ends and the customer's begins.
First comes account creation and payment. The terms require a valid Brazilian CPF or CNPJ, email confirmation and payment confirmation before activation. They advise customers not to use an email address hosted on the service being ordered as the account contact, an operationally sensible warning because a service outage should not disable the recovery channel. Services are prepaid and automatically renewed unless cancellation is requested. Accounts more than 72 hours late may be suspended, and the terms attach short deletion windows to some suspended server products.
Next comes provisioning. The current VPS page offers a ladder of fixed-price plans in Brazilian reais, with stated RAM, vCore, NVMe storage, a 100 Mb link, “unlimited” traffic, IPv4 and IPv6, root access, scalability and included backup. The page does not publish the generic VPS hypervisor, CPU generations, vCPU scheduling entitlement, storage replication scheme, host-failure procedure, API, image catalogue, availability zones or a time to replace a failed host. Those omissions do not mean the capabilities are absent; they mean a buyer cannot infer them from the plan card.
Dedicated hardware has a different workflow. The terms allow up to seven business days after payment for assembly and operating-system configuration. Visão says it does not administer the server and limits its support responsibility to hardware, with intervention otherwise largely restricted to necessary reboots. The customer owns operating-system maintenance, application configuration, logs, IP reputation, security and resource use. A “dedicated server” is therefore a physical-resource product, not a managed-service promise, unless a separate order adds management.
Migration is conditional rather than deterministic. Visão says it will attempt migration from another provider when the source uses WHM/cPanel and permits full-backup functions; otherwise transfer may use SFTP. It does not promise a fixed completion time because source access, data volume and configuration differences affect the result. After migration, the customer remains responsible for changing DNS. This is a reasonable allocation of uncertainty, but it means a buyer cannot put “free migration” into a cutover plan without a rehearsal, rollback window and named owner for each dependency.
The operating phase is also split. Visão provides network and infrastructure support, but its terms exclude support for third-party systems such as websites, ERP software, panels and programming languages. That is especially important because several Visão product pages are named for ISP or communications software. A plan labelled for IXC, Opa! Suite, Quaza, Issabel or Mikrotik may be sized and marketed around that workload, but the terms do not automatically make Visão the application maintainer. The customer needs a three-way responsibility matrix covering Visão, the software vendor or integrator, and its own team.
Monitoring introduces another transfer of work. The NOC page promises 24x7 monitoring. The service-credit process nevertheless expects the customer to notice downtime, preserve detailed evidence and submit a claim. That means provider monitoring and customer monitoring serve different purposes. Provider monitoring operates the platform. Customer monitoring proves the experienced service and protects the right to a remedy. A production buyer needs both, ideally from independent locations and at both network and application layers.
Recovery is where the journey becomes economically decisive. The public product pages say backup is included. The terms say the customer bears responsibility for its files and must keep an external backup; they expressly say Visão does not make backups for VPS, Mikrotik CHR, Zabbix or dedicated servers. For shared hosting, internal daily and weekly copies are described as operational copies rather than a complete customer backup, and restoration is not guaranteed. A customer may ask support to restore its own backup for a fee, but the terms say that procedure is not guaranteed.
Finally comes exit. External migration is the customer's responsibility and must be completed before cancellation. The terms allow proportional refunds for eligible longer-cycle plans but apply a 30% penalty after the seventh day; monthly plans receive no refund after seven days. Dedicated servers cannot be downgraded to VPS or shared hosting under the published terms. These rules make an export test, DNS control, independent backup and replacement-provider plan part of initial implementation, not an administrative task to invent at termination.
The customer journey therefore has a clear pattern. Visão can reduce the friction of buying Brazilian infrastructure, but it does not automatically absorb the architecture, application, monitoring, backup, migration and continuity work around that infrastructure. The value proposition depends on whether its human support reduces that residual work faster than its documentation gaps create new supervision.
AS273508 proves a network, not an end-to-end service
Visão's strongest independently observable evidence sits in the routing layer.
At the time of review, bgp.tools showed AS273508 originating four IPv4 /24 routes and one IPv6 /32, each displayed with valid RPKI status. It observed three upstreams—Ferenz Networks, Polli Telecom and ENTRENANET—and 42 peers. Its IX view showed a 10 Gbps connection at IX.br São Paulo with IPv4 and IPv6. Hurricane Electric's BGP Toolkit also reproduced an autonomous-system record with Visão contacts and policy statements naming Polli, ENTRENANET, Ferenz and Hurricane Electric.
PeeringDB, whose network profiles are maintained by participating operators, lists the same ASN, public NOC, peering and abuse contacts, a looking glass, an open peering policy, a 10 Gbps operational IX.br São Paulo connection and presence at Ascenty SPO02 in Osasco and Equinix SP4 in Barueri. Visão's own peering request form offers Equinix SP4 and Ascenty SP2 as interconnection choices and asks applicants about IRR, RPKI and PeeringDB practices.
The public looking glass provides BGP, advertised-route, summary, traceroute and ping queries and names two edge-router labels, EDGE01-XXM and EDGE02-XXM. That is useful operational transparency. It lets another network or customer inspect selected routes without relying solely on a marketing statement. The labels are not proof that the routers use separate power, fibre, racks, software versions or failure domains; they are a starting point for asking.
Visão also participates in MANRS. The entity page publishes Visão's statements about route filtering, IRR and RPKI validation, source-address controls, operational contacts and the looking glass. The MANRS entity list gives 15 July 2025 as its approval date. Participation is a positive governance signal. The implementation descriptions remain entity-supplied and should not be read as an independent audit of every router, route or customer service.
These records support several verified conclusions. Visão operates a public ASN. It originates observable address space. It has a current route-security footprint. It is connected to a major Brazilian exchange. It publishes operational contacts and troubleshooting tools. That is more technical evidence than many small hosting brands expose.
The records do not show the architecture of a purchased VPS or cabinet. Forty-two observed peers are not necessarily 42 independent physical paths. IX.br explains that its route servers allow a entity to exchange routes with many networks through a small set of BGP sessions on a shared exchange fabric. That is economically and operationally valuable, but a route-server peer count should not be translated into carrier diversity. The same metro transport, cross-connect, edge chassis or facility event could affect multiple logical adjacencies.
Nor does a 10 Gbps exchange port establish spare capacity. Peering can reduce transit cost, shorten paths and improve control; IX.br describes those benefits in its overview of the exchange model. A port can still congest, and traffic to destinations not reached over peering still depends on transit. Buyers need utilization percentiles, burst behaviour, upgrade triggers, packet-loss history and the relationship between the advertised 100 Mb customer link and aggregate network capacity.
The three observed upstreams are encouraging, but their names do not reveal physical diversity. Two carrier contracts can share a duct, pole route, building entrance or upstream metro ring. Visão's public pages do not show whether the Xaxim site has diverse carrier entrances, whether transport to São Paulo follows independent paths, how BGP preference changes in failure, or whether enough capacity remains after losing the largest upstream.
RPKI validity is similarly specific. It helps relying networks verify that the origin ASN is authorized for a prefix. It does not protect the server from hardware failure, the route from congestion, the application from attack or the customer from deleting data. Routing security is one control surface, not a proxy for service resilience.
The correct procurement use of AS273508 is therefore attachment. Record the actual addresses assigned to the service. Verify their origin, normal paths and RPKI state. Identify which edge and facility serve them. Monitor IPv4 and IPv6 separately. Ask what changes during upstream loss. Preserve traceroute and application baselines. The public ASN gives the buyer something inspectable; the contract must connect that evidence to the workload.
Xaxim compute and São Paulo interconnection need one topology
Visão's physical story has two geographic centres.
The company and contact address is in Xaxim, Santa Catarina. The public looking glass uses “XXM” edge labels, consistent with that location. The Cactos history page says its Santa Catarina branch contains the data centre where its servers are located. A Data Center Map listing also describes a Visão facility at the Xaxim address.
The interconnection story is concentrated around São Paulo. PeeringDB lists Visão at Ascenty SPO02 in Osasco and Equinix SP4 in Barueri and shows its IX.br São Paulo port. That is a plausible regional architecture: operate compute or customer equipment in western Santa Catarina, then carry traffic to a much denser exchange market for peering and transit. It could also mean that some equipment or services are placed in São Paulo. The public material does not map individual products through those locations.
That missing map matters because distance creates both value and failure modes. A São Paulo exchange presence can shorten paths to content and national networks, improve route choice and reduce paid transit. Transport between Xaxim and São Paulo introduces circuits, intermediate facilities, optical equipment and carrier operations that must remain available. If both “diverse” upstreams ride the same long-haul path, the logical diversity is weaker than it appears. If compute is split between Xaxim and São Paulo, the buyer needs to know which data and control planes are in each place.
For a VPS customer, the basic question is where the host and primary storage reside. Then come the harder ones: where snapshots reside, where customer backups reside, where the management portal runs, where monitoring data is retained, where DNS is operated, and where a replacement instance would start after site failure. For a dedicated-server customer, the questions concern spare hardware, remote hands and whether a replacement system can be built elsewhere. For a colocation customer, the exact cabinet, power feed, meet-me room, carrier entrance and access procedure matter more than the corporate mailing address.
The architecture also affects latency claims. Visão says it is prepared to deliver low latency throughout Brazil and names direct connections to Apple, Meta and Cloudflare on its NOC page. Public routing observations show Cloudflare among peers, while other named direct relationships were not independently established in the evidence reviewed. Even where a direct session exists, the customer path depends on BGP policy, destination prefix, traffic direction and failure state. The buyer should test the users and services it actually has rather than treating a content-company logo as a universal shortcut.
A useful topology document would show at least five layers: customer workload location; storage and backup location; edge routers and carrier entrances; transit and IX transport; and control systems such as portal, monitoring, ticketing and DNS. Each line should have an owner, capacity, normal path and failover path. Without that document, “Xaxim data centre plus São Paulo peering” is a credible operating narrative but not yet a recoverable architecture.
Tier III+ is a claim until the certificate and scope are named
Visão's homepage describes infrastructure designed for maximum “Tier III+” availability, while the NOC page refers to a redundant Tier III structure. The Data Center Map listing goes further: it reports 1 MW of built and live power, 5,382 square feet of whitespace, up to 15 kW per rack, 2N+2 UPS redundancy, N+1 cooling, N+1 standby power, 24x7 security and technical staff, and a Tier 3 design.
If accurate and applicable to the purchased service, those are material facility capabilities. They imply a physical plant with utility distribution, UPS modules, generators, cooling, environmental monitoring, fire protection, access control and trained operations. They would help explain how a small regional provider could support colocation and dedicated infrastructure rather than merely reselling remote virtual machines.
The source quality requires caution. Data Center Map is a commercial directory and its fields are not equivalent to an engineering report. The same entry says the facility became operational in 2004, lists a total plot size of four square feet and gives a maximum floor load of 100,000 pounds per square foot. Those values are internally implausible or at least require explanation. The page exposes compliance fields for PCI DSS, ISO 27001 and ISO 9001 but does not attach certificate numbers, scopes, issuers or reports in the text available for review.
Formal tier language has a defined meaning. The Uptime Institute describes Tier III as concurrently maintainable: capacity components and distribution paths can be removed for planned maintenance without affecting IT operations. It recognizes four classifications, Tier I through Tier IV. “Tier III+” is not a fifth Uptime classification. The TIA-942 certification framework likewise uses Rated-1 through Rated-4 and defines Rated-3 as concurrently maintainable.
That does not prevent an operator from using a plus sign to describe design features beyond its chosen baseline. It means the plus sign has no self-executing procurement meaning. A buyer should ask which standard is being invoked, whether the claim concerns design or constructed facility, whether a licensed certification body performed the assessment, which building and phase were covered, when the certificate expires and whether the purchased racks or systems fall within scope.
Even a valid facility certificate would answer only part of the reliability question. Concurrent maintainability concerns site infrastructure. It does not certify the customer's application, storage replication, network capacity, staffing depth, change controls or restore process. Uptime's own framework distinguishes topology from operational sustainability. A perfectly designed electrical system can still be undermined by maintenance procedure, fuel management, common-mode controls or human error.
The facility diligence should therefore move from adjectives to documents. Request a one-line electrical diagram, utility-feed description, UPS and generator topology, maintenance-bypass design, cooling diagram, fuel autonomy and replenishment contract, last load-bank test, last transfer test, fire-system inspection, carrier entrances, physical-access process, preventive-maintenance calendar and the last significant facility incident report. For each claimed 2N+2 or N+1 layer, ask what “N” is at current load and what spare capacity remains during maintenance.
The chronology deserves the same treatment. If the site has operated since 2004 while the present company opened in 2023, identify the prior operator and the date on which Visão assumed control. Determine whether maintenance records and certificates transfer with the asset or remain under another entity. A long-running building can be an advantage, but only if its operating history is continuous and inspectable.
Until those documents are produced, the defensible statement is modest: Visão publicly asserts Tier III/Tier III+ characteristics, and an operator-maintained facility directory publishes detailed specifications. That is enough to justify a site visit and document request, not enough to treat the facility as independently certified.
“Backup included” and “we do not back up VPS” cannot both guide recovery
The sharpest practical contradiction in Visão's public material concerns backup.
The VPS product cards repeatedly say “Backup Incluso.” The email plans do the same. Provider-oriented pages for IXC, Opa! Suite, Quaza and Mikrotik repeat the phrase. A normal buyer would reasonably read it as a service feature, even if the card does not state schedule, retention or restore time.
The service terms say something materially different. They state that Visão does not perform backups or security copies for Mikrotik CHR, VPS, Zabbix or dedicated servers. They say professional email does not provide a Visão backup tool. They describe shared-hosting daily and weekly copies as internal, overwritten in cycles, incomplete and not guaranteed for customer restoration. The customer accepts responsibility for maintaining an external copy. Support may attempt restoration from a customer-provided backup for a fee, without a guarantee of success.
There may be a benign explanation. “Included” could refer to an optional portal function, a snapshot with limited scope, a newer product feature not yet reflected in the terms, or marketing copy carried across plan templates. The evidence reviewed does not resolve which. Reliability procurement cannot leave the answer implicit.
A backup is not one feature. It has at least eight dimensions: protected data; capture method; frequency; consistency; retention; failure-domain separation; encryption and access; and restore performance. A disk snapshot on the same storage cluster protects against some operator mistakes but not storage corruption or site loss. A daily copy protects a low-change website differently from a billing database. A backup that cannot be restored inside the business's maximum tolerable outage is an archive, not a continuity control.
NIST's guidance for managed service providers stresses that backups should be conducted, maintained and tested. Its contingency-planning guide frames recovery around business impact, recovery time and recovery point requirements. Those principles translate directly into buyer questions for Visão.
What is the recovery point objective for each data class? Is the copy crash-consistent or application-consistent? Are databases quiesced? Is the backup account administratively separate from the production root account? Can ransomware or a compromised portal delete both production and backup? Is one copy outside the Visão facility and ASN? How many versions are retained? Who owns the encryption key? How long does a one-terabyte restore take over the available path? Is restore labour included, chargeable or best-effort? What evidence from the last restore test is available?
The customer should answer those questions even if Visão later provides a strong backup addendum. The terms place primary responsibility on the customer, and that allocation should govern architecture until superseded in writing. A sensible baseline is an independent copy in another administrative and physical failure domain, with automated integrity checks and scheduled restoration exercises.
Recovery economics also changes the product comparison. A low monthly VPS price may be attractive, but the true cost includes backup storage elsewhere, data-transfer time, restore automation, configuration management, DNS failover, testing and engineer availability. A more expensive managed service may be cheaper if it supplies verified recovery and reduces that labour. Conversely, a technically mature customer may prefer Visão's simpler server precisely because it can build its own provider-independent recovery.
The decisive procurement test is not “Is backup included?” It is: “Delete a non-production instance and its primary data, then recover it using the contracted process while we measure lost data, elapsed time, support actions and extra charges.” Any answer short of a witnessed restore leaves the largest continuity risk unpriced.
Support quality depends on authority, not channel count
Visão emphasizes close, human support. Its homepage and NOC page advertise 24x7 monitoring and specialized assistance. The Cactos support surface offers email, chat, WhatsApp, ticket and consumer-service channels; it says ticket support is available around the clock while WhatsApp and telephone operate from 08:00 to 22:00 on business days. That channel distinction matters. “24x7 support” may mean an always-open ticket queue, not that every escalation path or specialist is continuously staffed.
The public contacts are still a real advantage. PeeringDB exposes NOC, peering and abuse roles. The looking glass names an engineer. The company publishes a telephone number and INOC-DBA identifier. A regional customer can reach a Portuguese-speaking operator without first navigating a global support plan. For outages that involve routing, physical hardware or account access, proximity and shared language can reduce diagnosis time.
But contactability is not authority. The person answering a ticket may be able to acknowledge an alert but not move a VM, change BGP policy, replace a disk, enter the facility, authorize a restore or approve customer communication. Dedicated-server terms narrow support to hardware. Third-party applications are excluded. Migration and restore are conditional. Public pages do not state severity definitions, acknowledgement times, restoration targets, escalation intervals or executive contacts.
The support chain should be tested before production. Open a normal-priority ticket and measure acknowledgement and resolution. Then run a planned high-severity exercise: simulate loss of a server, route or credential and ask the provider to follow its escalation path. Record who answers, what identity checks occur, which actions the first responder can take, when a specialist joins, how status updates are issued and what post-incident record is delivered.
The exercise should include an out-of-band contact. Visão wisely advises customers not to host their account email on the same service. Buyers should also retain the contract, customer number, emergency phone, NOC email, IP allocations, backup credentials and escalation contacts outside the Visão portal. If the portal, DNS or hosted email is part of the incident, the recovery process must not depend on it.
The Cactos/Visão brand boundary should be included in the drill. A support ticket opened at a Cactos domain should still produce a record that can support a Visão SLA claim. An invoice, ticket and NOC incident should share a customer and service identifier. Staff should be able to explain which terms apply without sending the customer between brands.
Local support can be Visão's strongest commercial differentiator. It becomes defensible when the company can show not merely that somebody answers, but that the right person can act within a measured time and preserve a usable incident record.
Fixed-reais pricing sells simplicity while transferring tail risk
Visão's public pricing is straightforward. Its VPS ladder was advertised at R$59.90 to R$329.90 per month at the time of review, with increasing RAM, vCore and NVMe allocations while retaining a 100 Mb link, unlimited-traffic language, root access, IPv4 and IPv6. The vertical plans package similar infrastructure around named software use cases. This is a familiar regional-hosting proposition: a predictable monthly amount in local currency and a human support path instead of a metered global-cloud bill.
The simplicity is valuable. A small platform team can budget a server without modelling per-second compute, managed-disk operations, load balancers, public-address charges, cross-zone traffic, egress and premium support. A regional ISP can order infrastructure framed around a system it already uses. A Brazilian company can pay a domestic counterparty through familiar payment rails.
The price does not erase infrastructure economics. Visão must fund server depreciation, NVMe replacement, power, cooling, racks, transit, transport to São Paulo, IX access, IPv4 resources, software licences, payment processing, tax, abuse handling and around-the-clock operations. “Unlimited traffic” is economically bounded by the 100 Mb port, acceptable-use terms, aggregate capacity and provider policy. “Scalable” is bounded by available hardware and migration procedure. “Dedicated resources” needs a scheduling definition.
The terms protect the provider from several mismatches. Billing is prepaid. Automatic renewal applies. Prices may change with 30 days' notice. Late payment can trigger suspension. Short deletion windows limit the cost of retaining unpaid server state. Early termination can carry a 30% penalty. Dedicated hardware cannot simply be downgraded into a smaller service.
Reliability credits protect the provider in another way. They are calculated against the service fee, not the customer's economic dependency. Consider the structure without inventing a customer number:
unrecovered incident cost = lost gross margin + staff time + customer remediation + data reconstruction + regulatory response + migration cost - service credit
For a low-cost server supporting a high-value workflow, the service credit will usually be the smallest term in that equation. That is why a buyer should never set business tolerance equal to provider SLA. The business chooses its own maximum tolerable outage and data loss; the architecture then uses Visão, another provider or both to meet it.
Visão can still win that comparison. Its local support may reduce incident labour. Fixed pricing may reduce cost-management work. A 100 Mb cap may be entirely adequate for a stable business system. A local dedicated server may offer better price-performance than a hyperscale instance for a steady workload. The point is to price the complete responsibility stack, including the recovery and supervision that the customer retains.
Security is split across routing, platform, customer and law
Visão exposes credible network-security signals. Its routes were shown as RPKI-valid in the current bgp.tools view. Its MANRS statements describe route filtering, IRR checks, anti-spoofing controls and operational communication. Its peering policy asks counterparties to maintain routing information and block malicious traffic. These controls reduce specific routing and abuse risks.
The customer layer remains broad. The terms assign account security, operating-system integrity, application configuration, patches, logs and data protection to the customer for unmanaged services. They allow suspension for insecure or abusive systems and impose email-rate and content restrictions. Dedicated-server support does not include system administration. A root-access VPS is therefore a shared-responsibility service even if the marketing language feels managed.
The public material reviewed did not provide a service-specific security architecture, penetration-test summary, SOC report, data-processing agreement, key-management description or certificate pack. The facility page uses physical and logical security language, while the directory lists security controls without attached audit documents. These may be available to qualified customers; they should be requested rather than assumed absent.
Brazilian data-protection duties make incident timing especially important. The LGPD requires technical and administrative security measures and provides for notification of relevant personal-data incidents. The ANPD's current incident communication guidance states that a controller generally has three business days to notify the authority and affected data subjects when the regulatory threshold is met, and that an operator must supply the controller with the necessary information.
That creates a procurement requirement independent of general uptime. If Visão processes or hosts personal data as an operator, the customer contract should require rapid notice—early enough for the customer to investigate and meet its own deadline. The notice should cover discovery time, affected systems and data, likely impact, containment, preservation of logs, sub-processors, recovery status and a named incident contact. A generic promise to follow Brazilian law is weaker than a fixed notification clock.
DDoS exposure also needs explicit treatment. The pages reviewed did not define an included mitigation service, scrubbing capacity, attack thresholds, null-routing policy or customer communication procedure. Multiple upstreams and peering can improve route options, but they are not a DDoS specification. A buyer should ask what happens when traffic exceeds the customer's 100 Mb access rate, an edge port or an upstream threshold, and whether mitigation changes the route, source address or latency.
The most important security test is boundary clarity. Which controls belong to Visão's facility and network? Which belong to its virtualization or hosting platform? Which belong to the software vendor? Which belong to the customer? What evidence shows each control operating? Security gaps usually appear not because nobody considered a risk, but because two parties each believed the other owned it.
Failure exposure is concentrated where the public map is silent
No credible public incident history or postmortem series for Visão surfaced in this review. That should not be read as proof of incident-free operation. Small providers often disclose little, and search visibility is an unreliable outage database. The absence itself becomes a diligence question: ask for availability reports, maintenance notices, significant-incident summaries and restore-test evidence under confidentiality if necessary.
The public architecture points to several failure classes.
The first is facility concentration. If primary compute, storage and backup all sit in the Xaxim site, a power, cooling, fire, access or site-network event could affect all three. Redundant components within one building reduce component failure; they do not create geographic recovery.
The second is transport concentration. São Paulo peering may depend on long-haul transport from Xaxim. Multiple BGP upstreams do not guarantee multiple ducts or metro entrances. A fibre cut or intermediate carrier event could remove several logical paths together.
The third is platform concentration. Public VPS pages do not disclose host clusters, storage failure domains or automated restart. A single-host failure can be brief if workloads restart elsewhere and storage remains available, or prolonged if hardware replacement and manual reconstruction are required. The customer cannot infer which from “high availability.”
The fourth is control-plane concentration. The same account portal may handle orders, tickets, invoices and service actions across Visão and Cactos branding. If credentials are compromised or the portal is unavailable, the customer needs a separate authentication and emergency path. If support records are needed for an SLA claim, they must remain retrievable after the incident.
The fifth is human concentration. A regional operator's strength is often a small group of experienced people. The corresponding risk is whether enough authorized staff are available during simultaneous network, facility and customer incidents. The public record names operational contacts but does not show shift staffing, succession, on-call depth or vendor escalation.
The sixth is customer-created concentration. A single VPS with local backup, one DNS provider, one administrator and no tested export can turn a modest provider incident into a long business outage. Visão's 99.9% terms should be treated as the reliability ceiling of one service unit, not as a design for the customer's whole application.
Each exposure has a practical countermeasure: geographic copy, diverse transport evidence, multi-node design, out-of-band access, tested escalation and provider-independent automation. The buyer does not need Visão to eliminate every risk. It needs enough transparency to decide which risks to transfer, which to accept and which to engineer around.
The substitutes differ mainly in who performs the recovery work
Visão is not competing against a single category called “cloud.” It sits between several operating models.
A Brazilian hyperscale region offers deep automation, broad managed services and multiple zones. AWS lists three availability zones in its São Paulo region. Google lists three zones in southamerica-east1 around Osasco. Those zones make a higher-availability architecture possible, but the customer must deploy across them, operate load balancing, replicate state, manage identity and understand a more complex bill. A single hyperscale VM can have an SLA no better than Visão's published 99.9% product commitment.
Another regional Brazilian host may offer the closest direct substitute: fixed-reais VPS, cPanel hosting, dedicated servers and Portuguese support. The deciding evidence is unlikely to be a small difference in RAM or sticker price. It is the provider's facility proof, backup contract, support authority, status history, network diversity and portability.
Direct colocation is a different trade. The customer can place owned hardware in a larger facility or contract a cabinet through a carrier-neutral operator, gaining physical control and perhaps a wider carrier ecosystem. It also inherits hardware procurement, spares, remote hands, lifecycle management and system administration. Visão's own colocation offer could be attractive if its Xaxim facility claims are documented and its local team can act faster than a distant enterprise facility.
Self-managed infrastructure maximizes control but places every on-call, security, replacement and continuity burden on the customer. For a small company, that may be less reliable even when it feels independent. A well-run regional provider can pool those duties more efficiently.
Software as a service can replace some Visão workloads entirely. A company buying hosted email, an ISP operations system or a communications server could choose a vendor-managed SaaS product rather than a root-access VM. That transfers application maintenance and may improve recovery evidence, but it can increase data, integration, pricing and exit dependency.
The most robust substitute may be a split design rather than a replacement. Keep a steady workload on Visão for local support and predictable cost, while maintaining an independent backup, infrastructure code and tested recovery target at another provider. Or use Visão as the recovery site for a primary elsewhere. The economics then depend on how quickly the second environment can become useful, not whether it runs at full cost every day.
The procurement unit should therefore be “cost per recoverable business service,” not “cost per vCore.” Visão wins when its people, network and local operating context lower that total. It loses when undocumented recovery, monitoring and support boundaries force the customer to carry two operational teams for one server.
Switching starts with data, but it ends with identity and routes
Exit from Visão has several layers.
The obvious layer is data. The terms require the customer to back up and transfer websites, databases and email before external cancellation. That means the customer must know the export format, available bandwidth, credentials and time required. Large NVMe allocations paired with a 100 Mb service link can create a long transfer if no faster export path exists. A one-terabyte data set at a perfect continuous 100 Mb/s would take more than 22 hours before protocol overhead or contention; real migration time could be longer. The exact path should be tested rather than calculated from the plan card alone.
The second layer is configuration. Root-access servers accumulate operating-system state, firewall rules, packages, scheduled jobs, certificates, monitoring agents and secrets. Without configuration management, the backup may contain data but not a reproducible service. A customer should be able to rebuild a clean instance elsewhere from documented code and then restore only the necessary state.
The third layer is application licensing. Mikrotik, cPanel, CloudLinux, LiteSpeed and named ISP applications can bind migration to licences, versions, machine identifiers or vendor support. The customer should know whether licences are owned by it, rented through Visão or embedded in the plan, and what happens at termination.
The fourth layer is addressing and reputation. Provider-assigned IPv4 and IPv6 addresses generally do not move with the customer. DNS must change. Email reputation must be rebuilt or warmed. Access lists and counterparties may need new addresses. If Visão announces customer-owned resources, route objects, ROAs and BGP sessions require an agreed transition sequence.
The fifth layer is control identity. The customer must retain invoices, tickets, service identifiers and authorization records from the Cactos/Visão portal. It should remove provider access, rotate credentials and confirm data deletion after exit. If the portal is the only record of the contract, export it before cancellation.
The sixth layer is people. A local Visão technician may hold practical knowledge of a customer's system even when application support is excluded. That tacit knowledge becomes a switching cost. Runbooks, diagrams and incident records should belong to the customer and be kept outside the provider.
A credible exit test uses a small but real workload. Export it, rebuild it elsewhere, restore data, change DNS, validate users, revoke old access and measure elapsed engineering time. Repeat annually. If the exercise is easy, Visão can be used more confidently because dependency is reversible. If it fails, the problem should be fixed before the service becomes more critical.
A procurement test built around evidence, not adjectives
Visão has enough public substance to justify serious evaluation. The next step should be a structured proof exercise.
Bind each percentage to a service. Ask for the signed definition of the NOC's 99.9999% claim and the product-specific 99.9% commitment. Record period, numerator, denominator, observation point, polling interval, partial degradation rules, IPv4/IPv6 treatment, maintenance, exclusions and credits. For colocation and Mikrotik CHR, which are not plainly included in the public 99.9% list, obtain the applicable schedule.
Reconcile the credit evidence rule. Agree in advance which monitoring systems and locations are admissible. Preserve raw probe data, provider alerts and ticket timestamps. A customer should not discover after an outage that the monitor used to design the service cannot support a claim.
Resolve the backup contradiction in writing. Identify every included copy, its frequency, retention, location, consistency, encryption, deletion rights and restore charge. State expressly whether the general terms or product card controls. Assume no provider recovery until the signed answer says otherwise.
Run a restore. Delete a test workload or data set and recover it through the normal support path. Measure recovery point, recovery time, human actions and fees. Repeat with a compromised production credential to test administrative separation.
Map the topology. Identify compute, storage, backup, management portal, monitoring, DNS, edge routers, carrier entrances, transit providers, IX transport and failover locations. Mark Xaxim, Osasco and Barueri roles without assuming that a PeeringDB facility is a workload site.
Test path failure. Observe normal IPv4 and IPv6 routes, then ask Visão to demonstrate how traffic changes after one upstream or edge failure in a controlled window. Confirm remaining capacity and application behaviour, not merely BGP convergence.
Inspect the facility evidence. Request the exact Tier or Rated standard claimed, certificate number, scope, issuer and validity. Review power and cooling diagrams, generator tests, fuel, fire protection, access control, carrier entrances and maintenance records. Visit the Xaxim site for colocation or critical dedicated infrastructure.
Define support authority. Put severity levels, acknowledgement times, update intervals, restoration targets and escalation contacts into the order. Name who can reboot, move a VM, replace hardware, change routes, start a restore and notify management at 03:00.
Exercise the out-of-band path. During a scheduled drill, assume hosted email, DNS and the customer portal are unavailable. Confirm that telephone, NOC email from an external domain and identity-verification procedures still work.
Assign the software layers. For IXC, Opa! Suite, Quaza, Issabel, Mikrotik, cPanel or another named stack, document which party handles installation, patching, database performance, licences, backups, security, vendor escalation and application recovery.
Set the incident-notice clock. For personal data, require Visão to notify the customer rapidly enough for LGPD analysis and the ANPD's three-business-day process. Specify evidence preservation, sub-processor disclosure and continuing updates.
Price the tail. Calculate business loss at the customer's own outage scenarios and subtract the maximum service credit. Budget independent backup, second-provider capacity, engineer time, migration and testing. Compare total recoverable-service cost across Visão and substitutes.
Test capacity, not only latency. Measure sustained throughput, packet loss, jitter and storage performance during representative peaks. Ask about 100 Mb enforcement, burst policy, noisy-neighbour controls, aggregate headroom and upgrade lead time.
Reconcile Visão and Cactos records. Confirm that the CNPJ, order, invoice, portal, support ticket, privacy terms, SLA and payment recipient refer to the same accountable service. Record the legal significance of each brand.
Perform an exit rehearsal. Rebuild a test service at another provider, restore data, change DNS, replace addresses, move licences and revoke Visão access. Measure how much tacit provider knowledge must be converted into customer documentation.
These tests are intentionally practical. None requires Visão to publish proprietary diagrams to the world. A serious provider should be able to share enough evidence under normal commercial confidentiality to let a customer price its dependency.
What would change the judgment
Several public developments would materially strengthen Visão's reliability case.
A service-specific SLA that explains the relationship between six nines and 99.9% would remove the central ambiguity. A public status page with historical incidents, maintenance and postmortems would turn a claim into an operating record. Certificate numbers and scopes would clarify Tier and security language. A topology note would explain which products run in Xaxim and what the São Paulo facility presences do. A backup schedule and restore record would resolve the product-card conflict. Published severity targets would make 24x7 support measurable.
Several changes would weaken it.
Unexplained divergence between Visão and Cactos terms, stale legal or privacy records, disappearing operational contacts, lapsed RPKI, shrinking route diversity, an inaccessible looking glass, repeated changes to credit evidence, or facility claims that cannot be tied to documents would all increase supervision cost. So would growth in product promises without matching support depth or capacity disclosure.
The current evidence supports a balanced conclusion. Visão Datacenter is an observable Brazilian infrastructure operator with a legal counterparty, public routing identity, multiple network relationships, IX.br presence, operational contacts and a product range that can meet real regional hosting needs. Its public record is stronger at the network edge than at the recovery and contract layers.
That distinction should shape the buying decision. AS273508 demonstrates that Visão participates in the machinery of the internet. It does not show that a customer's database can be restored before payroll, billing or subscriber support fails. Tier language suggests a resilience ambition. It does not identify the certified scope. A 24x7 channel suggests accessibility. It does not identify who can act. “Backup included” suggests protection. The terms transfer the recovery burden back to the customer.
Visão's opportunity is to close those gaps with evidence. A regional provider does not need hyperscale breadth to be reliable. It needs a service boundary that a customer can understand, a failure budget that matches the contract, a support team with authority, a recovery path that has been exercised and an exit path that keeps trust voluntary.
The thousandfold difference between six nines and three nines is therefore not a gotcha. It is a diagnostic. It shows where marketing, engineering and commercial responsibility have not yet been joined in public. The buyer should not ask Visão to promise a more dramatic percentage. It should ask the company to make one percentage operationally true for the exact route, server, storage, backup and support chain being purchased.

