ISO/IEC 27001:2022
We have ISO/IEC 27001:2022 certification. You can view our certificate at https://www.hetzner.com/assets/downloads/ISO-Certificate.pdf. You can find more information about our certificate at https://www.hetzner.com/unternehmen/zertifizierung.
Statement of Applicability (SoA)
The SoA is an internal document that we do not make available to third parties. We at Hetzner do not have any exclusions in regard to the measures mentioned in Annex A of ISO/IEC 27001:2022.
Technical and Organizational Measures (TOMs)
We implement a variety of measures to ensure the security of how we process personal data. We provide an overview of our Technical and Organizational Measures ("TOMs" for short) in Appendix 2 of our Data Processing Agreement. You can find more information here. We arrange for our TOMs to be regularly audited by an external data protection organization. (At the moment, that is TÜV Rheinland.) We make the audit protocol available to our customers on their customer account if they have completed a Data Protection Agreement with us. It is available on customers' accounts at https://accounts.hetzner.com/account/dpa.
BSI C5
Hetzner has received a BSI C5 Type 2 certification, demonstrating the independently verified high level of security of its cloud services.
C5 stands for Cloud Computing Compliance Criteria Catalogue and is a catalogue of criteria published by the German Federal Office for Information Security (BSI). It defines minimum requirements for the information security of cloud services.
The C5 Type 2 certificate confirms that Hetzner has not only implemented the criteria in the catalogue appropriately, but has also applied them effectively over a defined period of time.
The criteria catalogue is very comprehensive and ranges from organisational, technical and operational security measures to governance and management structures, transparency obligations and legal frameworks.
The C5 incorporates all criteria of ISO/IEC 27001 into the C5 basic criteria. This means that a cloud provider that has implemented ISO/IEC 27001 has already implemented measures for many of the criteria in the catalogue. The C5 requires a management system based on ISO/IEC 27001 for the basic criteria.
KRITIS-V / NIS-2
In Germany, we are classified by the Federal Office for Information Security (BSI) as an operator of critical services in accordance with the national KRITIS regulation and certified in accordance with §8a BSIG.
PCI DSS certification
The Payment Card Industry Data Security Standard (PCI DSS) is an internationally recognised security standard for companies that process or transfer credit card data. Hetzner itself does not store any credit card information. Processing is carried out exclusively by our certified German payment service provider Computop. Credit card details are entered directly into your customer account, which fully complies with the requirements of PCI DSS in its current version 4.0, Revision 1.0.
National (German) certifications and standards, like the BSI Grundschutz, NIST, SOC 2 and COBIT:
As we already stated above, we at Hetzner place our focus on internationally recognized certificates. For that reason, we ask you to please see the information listed above under ISO/IEC 27001:2022 and our Technical and Organizational Measures. SOC 2 is an information security standard that is best known in the USA, where it plays a big role. As an international web hosting company, we at Hetzner place our focus on the ISO/IEC 27001:2022 certification because it is more applicable to an international market.
