In this article, we answer frequently asked questions about data protection at Hetzner.
You can find our data protection information at https://www.hetzner.com/legal/privacy-policy/.
If you have any specific concerns, we will be happy to assist you. Please contact us via a request in your customer account or by email to data-protection@hetzner.com.
Account
Why has my account been deactivated?
A customer account can be deactivated for various reasons. Please check your email inbox first, as we send a notification before deactivating an account.
Common reasons are:
1. Inactivity
If a customer without active products does not log into their account for a period of one year, the account will be deactivated. We will send a reminder email in advance. If you do not log in after receiving this email, your account will be deactivated.
2. Non-payment
An account may also be deactivated due to an unpaid invoice. In this case, we will send a total of four payment reminders. In the third payment reminder, we will inform you that your account will be deactivated if payment is still not received.
If your account has been deactivated, you can create a new account at https://accounts.hetzner.com/signUp.
How can I delete my account?
Deactivation of the account is only possible if there are no more active products and all outstanding invoices have been paid in full.
Please proceed as follows:
- If necessary, cancel all active products. Instructions can be found here: https://docs.hetzner.com/general/cancellation/.
- Wait for the final invoice and pay it. Our invoices are issued retroactively, i.e. at the end of the billing period. Example: If you cancel your last product during the current month, you will not receive the final invoice until the following month.
- After paying the last invoice, you can deactivate your account yourself via the following link: https://accounts.hetzner.com/account/delete.
Your personal data will be deleted from our systems after the statutory, contractual and other retention periods have expired.
Data processing agreement (AV contract or DPA for short)
What is an AV contract?
The AV contract regulates the rights and obligations between you as the controller and Hetzner as the processor (Art. 28 GDPR). Hetzner undertakes to process the personal data processed on your products exclusively in accordance with your instructions and only for the agreed purposes, as well as to implement appropriate technical and organisational measures (TOMs) to protect the data.
When do I need an AV contract?
An AV contract is required if Hetzner processes personal data on your behalf within the scope of the products or services you have rented (Art. 28 (3) GDPR). There may be exceptions, for example if the processing is carried out exclusively for private purposes.
Whether a DPA is required in your specific case depends on the circumstances. We cannot provide a binding legal assessment, as this would constitute legal advice. We recommend that you contact a data protection officer, solicitor or the supervisory authority responsible for you.
How can I conclude a DPA with Hetzner?
We do not create or sign individual AV contracts.
Our sample contract can be found here:
You can conclude the data processing agreement directly in your customer account: https://accounts.hetzner.com/account/dpa
Details of the contract content
Before concluding the contract, you must specify:
- what types of personal data we process on your behalf and
- which groups of persons (circle of data subjects) are affected.
For both points, you can select from predefined categories or add your own information. This information is then documented in Appendix 1 of your AV contract.
How do I proceed in case of changes?
If information changes subsequently, you have the following options:
- Option 1: You delete the existing AV contract in your customer account (trash can icon) and conclude a new contract.
- Option 2: You conclude an additional AV contract. A total of up to six AV contracts can exist at the same time.
Do I have to sign the AV contract?
No. A handwritten signature is not required. You give your consent by clicking the checkbox “I agree to the agreement” in your customer account.
Subcontractors
We use third-party services for data processing. An overview of the subcontractors used can be found at: https://www.hetzner.com/AV/subunternehmer.pdf.
Technical and organisational measures (TOMs for short)
TOMs are security measures that Hetzner, as a processor, uses to ensure that personal data is protected and processed in accordance with the GDPR (Art. 32 GDPR). Detailed information about our TOMs can be found at: https://docs.hetzner.com/general/others/certificates/#technisch-organisatorische-massnahmen-toms
Review of our TOMs
Our TOMs are reviewed annually by TÜV Rheinland (i-sec GmbH). Our customers automatically receive the audit report via the customer portal if they have concluded a data processing agreement with us. This can then be accessed via https://accounts.hetzner.com/account/dpa.
Locations outside the EU / third country transfers
Is my data transferred to third countries?
The transfer and storage of data depends on the following factors:
- Non-cloud products: The data is processed and stored exclusively within the EU.
- Cloud: For our cloud products, the storage location depends on the product location you have chosen.
Support access is generally provided by our teams within the EU.
Only data that the customer actively transfers to a server in a third country (e.g. the USA or Singapore) will also be transferred to that third country. Hetzner processes its own data (e.g. customer master data, contract and billing data) exclusively within the EU. Please note that, in accordance with our AV contract, you are responsible for both the data stored on the server and its encryption. The transfer of your server data from the EU to the third country is based on your express consent, which you gave when selecting the product location.
Does Hetzner operate its own data centres outside the EU?
No. Hetzner does not operate its own data centres in the USA or Singapore, but uses third-party data centres. Hetzner products run on Hetzner's own servers.
Further information on data protection at our US locations
Who is my contractual partner?
Hetzner US LLC is a subsidiary of Hetzner Online GmbH and provides data centre services to the latter in the USA. For you as a customer, this means that Hetzner Online GmbH remains your contractual partner.
Which of my data is passed on?
Hetzner Online GmbH does not pass on your customer master data (e.g. payment details) to Hetzner US LLC. Only the data stored on your cloud server is transferred to the USA, provided you have chosen this product location.
Case studies
To give you a better idea, we have put together the following two case studies for you:
- Case study 1: You rent a cloud server with a product location in Falkenstein, Nuremberg or Helsinki → Both your customer master data and the data stored on the cloud server are stored and processed within the EU. Your data is also not stored on servers outside Europe.
- Case study 2: You rent a cloud server with a product location in Ashburn (Virginia) and/or Hillsboro (Oregon) → Only the data stored on your cloud server is transferred to the USA. Your customer master data continues to be stored and processed within the EU only.
Further information on data protection at our Singapore location
Who is my contractual partner?
Hetzner Singapore Pte. Ltd., a subsidiary of Hetzner Online GmbH, provides data centre services in Singapore to its parent company. This means that Hetzner Online GmbH remains your contractual partner.
Which of my data is passed on?
Hetzner Online GmbH does not pass on your customer master data (e.g. payment details) to Hetzner Singapore Pte. Ltd. Only the data stored on your cloud server is transferred to Singapore, provided you have chosen this product location.
Case studies
The following two case studies are intended to give you a more concrete idea:
- Case study 1: You rent a cloud server with a product location in Falkenstein, Nuremberg or Helsinki → Your customer master data and the data stored on your cloud server remain within the EU. Your data is not stored on servers outside Europe.
- Case study 2: You rent a cloud server with a product location in Singapore → Only the data stored on your cloud server is transferred to Singapore. Your customer master data continues to be stored and processed only within the EU.
Backups
Depending on the product, backups are stored in a different fire compartment or at a different location. If you have chosen a product location within the EU, the backups also remain within the EU. The automatic creation of backups depends on the product and the services booked. Our dedicated servers and cloud servers are unmanaged products. You are therefore responsible for setting up appropriate backups yourself. Here, you can use our storage boxes to create backups, for example.
Log files for web hosting & managed servers
General information
Log files (known as ‘logs’) are records automatically created by computers or programmes. Every time something happens – e.g. someone logs in, an error occurs or a file is opened – the system writes a short note to this log file. This note is called a log entry, and the entire file is the log file.
Log files help system administrators or developers to:
- Understand what happened when something failed
- Track who did what (e.g. for security issues)
- Identify errors so they can be fixed more easily
What data is stored in log files?
Each line of a log file represents a single event (e.g. a page view) and contains:
- Date and time
- A description of the event
- Who or what triggered the event
As an example, below is an excerpt from the log file of a website hosted by Hetzner, as displayed in the konsoleH. Log files like these are one of the most important resources for gaining insight into website visitor activity, for example.
Example line from a log file
The following example line shows the information that is typically logged in the log file when a page is accessed.
xyz.tld 0 1.2.3.4 - - [17/Jul/2024:13:52:46 +0200] "GET /test.php HTTP/2.0" 200 97017 "www.hetzner.com" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
Explanation of the individual components of the sample log line (from left to right):
- xyz.tld: Domain to which the request was made (only available in the live log)
- 0: Time in seconds required to respond to the request (only available in the live log)
- 1.2.3.4: IP address of the client (anonymised, see note)
- -: Log name from identd
- -: User name (only set if protected areas are used via HTTP authentication, e.g. with basic auth)
- 17/Jul/2024:13:52:46: Time at which the request was received by the server
- "GET /test.php HTTP/2.0": First line of the request (contains the method, which tells the server what to do, the access target and the HTTP protocol used)
- 200: HTTP status code (here: success)
- 97017: Bytes sent including headers (header data)
- "www.hetzner.com": Referrer (previously visited website)
- "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0": User agent (contains information about the operating system, browser type, browser version)
Please note: Some values are transmitted by the user or their browser itself, for example the referrer or the user agent. If this value is not transmitted, a - appears in the log file.
How long are the log files stored?
- Mail server logs: Retention period is 7 days
- Apache logs (access and error logs when accessing your website): The default setting is 7 days. You can configure the storage period yourself in konsoleH. You can set the deletion time in the menu item Settings > Account maintenance.
- Backups: These are stored in encrypted form for 14 days.
Anonymisation of IP addresses
We only store anonymised IP addresses. At the web server level, this is done by storing, for example, 123.123.123.XXX in the log file instead of the visitor's actual IP address, e.g. 123.123.123.123, where XXX is a random value between 1 and 254. This makes it impossible to establish a personal reference.
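The log line format and the IP anonymisation described above can be handled as in the following parser, which is an added example and not Hetzner's code. The function names, the regular expression and the second sample line are assumptions; because the last octet of a stored IPv4 address is random, the helper groups clients by /24 network only.

```python
import re
from datetime import datetime
from ipaddress import ip_network

# Field order follows the component list above; the domain and the response
# time are the two leading fields that only the live log carries.
LIVE_LOG = re.compile(
    r'(?P<domain>\S+) (?P<seconds>\d+) (?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_live_log(line):
    """Return the fields of one live-log line as a dict, or None if it does not match."""
    m = LIVE_LOG.match(line.strip())
    if m is None:
        return None
    f = m.groupdict()
    # A lone "-" means the client sent no value for that field.
    for key in ("ident", "user", "referrer", "agent"):
        if f[key] == "-":
            f[key] = None
    f["time"] = datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z")
    f["seconds"] = int(f["seconds"])
    f["status"] = int(f["status"])
    f["bytes"] = 0 if f["bytes"] == "-" else int(f["bytes"])
    # Request line is "<method> <target> <protocol>".
    method, _, rest = f["request"].partition(" ")
    f["method"], f["target"] = method, rest.rsplit(" ", 1)[0]
    return f

def client_network(ip):
    """Last octet is randomised, so only the /24 is meaningful for grouping (IPv4 assumed)."""
    return str(ip_network(ip + "/24", strict=False))

# Constructed sample lines: the page's example (with straight double quotes)
# and a hypothetical request that carries no referrer or user agent.
SAMPLE = [
    'xyz.tld 0 1.2.3.4 - - [17/Jul/2024:13:52:46 +0200] "GET /test.php HTTP/2.0" '
    '200 97017 "www.hetzner.com" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) '
    'Gecko/20100101 Firefox/115.0"',
    'xyz.tld 1 1.2.3.77 - - [17/Jul/2024:13:52:47 +0200] "GET /login HTTP/1.1" 401 512 "-" "-"',
]

if __name__ == "__main__":
    for entry in map(parse_live_log, SAMPLE):
        print(client_network(entry["ip"]), entry["status"], entry["method"], entry["target"])
```

Two requests from the same visitor can appear with different last octets, so counting distinct logged addresses overstates the number of clients; counting per /24 network is the finest grouping the stored data supports.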
AWStats and Report Magic
To analyse website traffic, Hetzner provides the AWStats and Report Magic statistics tools. Both statistics programmes evaluate the log files. The statistics are generated using data that has already been anonymised. It is not possible to establish a personal reference. Further information on use can be found at https://docs.hetzner.com/konsoleh/account-management/statistics/log-files/.
Requests from authorities
We regularly receive requests from authorities. Like all non-European authorities, authorities from the USA and Singapore must also comply with EU legislation. Specifically, this means:
- For our data centres in Falkenstein and Nuremberg: We only accept requests and court orders from German authorities/courts. Requests and/or court orders from foreign authorities/courts will not be accepted. Only German authorities with a valid German court order will be granted access to our data centre.
It is important to emphasise that, like other hosting providers, we cannot guarantee that German authorities will not pass on data obtained under German law to foreign authorities on the basis of international agreements.
- For our data centre in Helsinki: We take a similar approach at our data centre in Helsinki: We only accept requests and court orders from Finnish authorities/courts. Requests and/or court orders from foreign authorities/courts are not accepted. Only Finnish authorities with a valid Finnish court order are granted access to our data centres.
Here, too, it should be noted that Finnish authorities may pass on data obtained under Finnish law to foreign authorities on the basis of international agreements.
- For our locations in the USA and Singapore: Authorities from the USA or Singapore do not have direct access to the contents of your server data in the EU. We assume that requests for legal assistance may also come from the USA or Singapore if you use the servers for illegitimate purposes. In this case – and only in this case – authorities are obliged to cooperate internationally on the basis of agreements.
In summary: As a customer, you have a certain degree of influence over who can access your server data. However, even with data stored exclusively in Europe, there is no 100% guarantee against access by official requests and/or court orders. If you want to choose a company that has no connection whatsoever to the USA or Singapore, we unfortunately have to decline at this time. Hetzner US LLC and Hetzner Singapore Pte. Ltd. do have a certain connection. We have outlined the implications of this connection from our perspective.