Data Privacy FAQ

Last change on 2025-09-19 • Created on 2020-03-18 • ID: GE-82054

Introduction

Data privacy is an important topic here at Hetzner. This article provides answers to common questions regarding this topic.

Web hosting packages and managed servers:

Log files

Log files (aka ‘logs’) are automatically created records kept by computers or programs. Every time something happens — for example, someone logs in, an error occurs, or a file is opened — the system writes a short note to this log file. These notes are called log entries; the entire file is the log file.

Log files help system administrators and developers to:

  • understand what happened when something fails
  • understand who did what (for example, with security issues)
  • identify errors to fix them more easily.

Each line contains:

  • the date and time
  • a description of the event
  • who or what triggered the event.

As an example, here is an extract from the log file of a website hosted with Hetzner, as displayed on our interface konsoleH. Log files like this are one of the most important resources for gaining insight into visitor activity on websites, amongst other things.

Example line of a log file

xyz.tld 0 1.2.3.4 - - [17/Jul/2024:13:52:46 +0200] "GET /test.php HTTP/2.0" 200 97017 "www.hetzner.com" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"

Explanation of the individual components (from left to right):

  • xyz.tld requested domain (only available in live log)
  • 0 time taken to serve the request in seconds (only available in live log)
  • 1.2.3.4 client IP address (anonymized, see note)
  • - logname from identd
  • - remote user (e.g. with Basic Auth)
  • 17/Jul/2024:13:52:46 time the request was received
  • "GET /test.php HTTP/2.0" first line of request (method [tells the server what to do], destination, HTTP version)
  • 200 HTTP status code (here: success)
  • 97017 bytes sent incl. headers
  • www.hetzner.com referrer (previously visited website)
  • "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" user agent (operating system, browser type, browser version)

Please note: Some values are transmitted by the user or their browser itself, for example, the referrer or the user agent. If such a value is not transmitted, a "-" appears in the log file.

Anonymization of IP addresses

We only store anonymized IP addresses. On the web server level, this means that instead of the actual IP address (e.g. 123.123.123.123), an address like 123.123.123.XXX is stored in the log file, where XXX is a random value between 1 and 254. It is no longer possible to identify the person from the IP address.
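The log line format and the last-octet replacement described above, as an added Python example (not Hetzner's code and not part of the original article). It parses lines with and without the two live-log fields and rewrites the client IP of a raw line. The function names, the second sample line and the use of the `secrets` module as the random source are assumptions.

```python
import re
import secrets

# Constructed sample: the example line from this page (live-log form).
LIVE = ('xyz.tld 0 1.2.3.4 - - [17/Jul/2024:13:52:46 +0200] '
        '"GET /test.php HTTP/2.0" 200 97017 "www.hetzner.com" '
        '"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"')
# Constructed sample: no domain/seconds fields, full IP, nothing sent by the client.
RAW = '123.123.123.123 - - [17/Jul/2024:13:52:47 +0200] "GET / HTTP/1.1" 404 512 "-" "-"'

def _quoted(name):
    # Double-quoted field; embedded quotes are assumed to be backslash-escaped.
    return r'"(?P<%s>(?:[^"\\]|\\.)*)"' % name

LINE_RE = re.compile(
    r'^(?:(?P<domain>\S+) (?P<seconds>\d+) )?'          # live log only
    r'(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<logname>\S+) (?P<remote_user>\S+) '
    r'\[(?P<time>[^\]]+)\] ' + _quoted('request') +
    r' (?P<status>\d{3}) (?P<bytes_sent>\d+|-) ' +
    _quoted('referrer') + ' ' + _quoted('user_agent') + r'$')

def parse_line(line):
    """Return a dict of the fields listed above, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # A "-" means the value was not transmitted; represent it as None.
    rec = {k: (None if v == '-' else v) for k, v in m.groupdict().items()}
    for key in ('seconds', 'status', 'bytes_sent'):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    parts = (rec['request'] or '').split(' ')
    rec['method'], rec['path'], rec['protocol'] = parts if len(parts) == 3 else (None,) * 3
    return rec

def anonymize_line(line):
    """Replace the last octet of the client IP with a random value from 1 to 254."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # never pass an unparsed line (and its raw IP) through
    start, end = m.span('client_ip')
    prefix = m.group('client_ip').rsplit('.', 1)[0]
    return '%s%s.%d%s' % (line[:start], prefix, secrets.randbelow(254) + 1, line[end:])

if __name__ == '__main__':
    print(parse_line(LIVE))
    print(anonymize_line(RAW))
```

The first three octets are kept unchanged, so anonymized lines can still be grouped by /24 network.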

How long are log files stored?

  • Mail server logs: retention period is 7 days
  • Apache logs (access and error logs when your website is accessed): default is 7 days. You can configure the retention period yourself on konsoleH. In the menu Settings > Account maintenance, you can set the deletion date.
  • Backups: stored in encrypted form for 14 days

AWStats and Report Magic

For analyzing website access, Hetzner provides the statistics tools AWStats and Report Magic. These programs evaluate the log files. The statistics are generated using already anonymized data. It is not possible to identify a person using the information in the statistics.

You can find more information at: https://docs.hetzner.com/konsoleh/account-management/statistics/log-files/

Data processing

What is a data processing agreement (DPA)?

When you use services that involve the processing of personal data, for example, with services provided by Hetzner Online, a DPA forms the basis of the data security understanding between you and Hetzner.

The data processing agreement defines the rights and obligations between you as the “Controller/Client” and Hetzner as the “Processor/Supplier”. In the DPA, Hetzner promises, for example, to only process the personal data that you provide to us and only for the agreed purposes. We also pledge to use comprehensive measures to protect your data while processing it. You can read an overview of these measures by going to Appendix 2 of the DPA, “Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments”.

When do I need a DPA?

In accordance with Art. 28 paragraph 3 of the EU’s General Data Protection Regulation (GDPR), you are required to have a DPA if Hetzner processes personal data on your behalf. In other words, you need it if you have saved personal data on a server you rent from us or by using one of our other services.

There is an exception: If you process the personal data exclusively for private reasons, you do not need to create a DPA.

What is “personal data”?

The EU’s General Data Protection Regulation defines this term in Art. 4, No. 1. In short, personal data includes information that can be connected to a specific person, and this includes things like their names, addresses, email addresses, genders, their account numbers, and many other things.

How can I create a DPA with Hetzner?

You can find a template for our data processing agreement at https://www.hetzner.com/AV/DPA_en.pdf. You can create a DPA in a few easy steps by going to your account on Hetzner Accounts.

Details about the DPA’s content

  • Types of data: In this section, you should define the types of personal data that we process as part of our contract with you. You can choose one of the pre-set types of data that we list, or you can add other types of data.
  • Affected people: This section defines the groups of people whose personal data we process when we process data on your behalf. You can choose from a pre-set group of people that we list, or you can add other groups of people.

Once you have finished creating your DPA, you will be able to see the list of types of data and affected people by going to Appendix 1 of the DPA.

If, after you have generated your DPA, you decide that you need to change the types of data and/or the affected people, you can do the following:

  • Choice 1: Delete the existing DPA by clicking on the trash bin icon, and then create a new DPA.
  • Choice 2: Create a second DPA in addition to the existing one. You can create up to 6 DPAs.

Do I have to sign the DPA?

It is not absolutely necessary for you to sign the DPA at this point because you have already given your consent when you generated your DPA via your customer account and checked the checkbox “I consent to the agreement” at the end of the DPA.

My organization already has its own DPA. Who can I send this to so they can sign it?

We do not generate or sign DPAs that individuals or organizations create for themselves. We require everyone who needs a DPA with us to create one using this link: https://accounts.hetzner.com/account/dpa.

Subcontractors

We work together with subcontractors to make the services that we provide as efficient as possible. Subcontractors are required by the contracts to follow data protection regulations. You can find a complete list of the subcontractors we work with here.

Locations outside the EU

Important note: We have locations in the USA and Singapore just for our Cloud products. For all of our other products, our servers and all the data stored and processed on them are located within the EU.

Information about data protection at our US locations

Who is my contract with?
Hetzner US LLC is a subsidiary of Hetzner Online GmbH and provides Hetzner Online with data center services in the USA. For you as a customer, it means that Hetzner Online GmbH is still the company that you have a contract with.

Which pieces of my personal data are transferred to the US?
Hetzner Online GmbH does not share your main customer account information (for example, your payment information) with Hetzner US LLC. Technical and customer support measures from our team generally occur within the EU.

The only data that we share with the US is data that you as a customer have saved on your cloud servers in the USA (if you have chosen cloud servers in the USA). The Hetzner Cloud products that we provide at the locations in Ashburn, Virginia and Hillsboro, Oregon run on our own Hetzner servers that are located in data centers with third-party providers there.

Examples
To give you a better idea of what we mean, we have prepared some specific examples:

  • Example 1:

    » You rent a cloud server located in Falkenstein, Nuremberg, or Helsinki

    Your general customer account information and all the data saved on your cloud server will be saved and processed within the EU. None of your data will be saved or processed on servers outside of Europe.

  • Example 2:

    » You rent a cloud server in Ashburn (Virginia) and/or in Hillsboro (Oregon)

    Your general customer account information will be saved and stored within the EU.

There is a Standard Contractual Clause (SCC) in place between Hetzner Online GmbH and Hetzner US LLC to ensure that your data at our US locations is saved and processed in accordance with the EU's General Data Protection Regulation (GDPR). By signing this agreement, Hetzner US LLC commits itself contractually to upholding the GDPR and the EU's data protection standards. (last updated 24 July 2024)

Important note: In accordance with our Data Protection Agreement, you as the customer are responsible for both the data that is stored on your rented server and for the encryption of that data. The transfer of data on your rented server from the EU to the USA is based on your express consent, which you gave when you chose to rent a server at a US location.

Information about data protection at our Singapore location

Who is my contract with?
Hetzner Singapore Pte. Ltd. is a subsidiary of Hetzner Online GmbH and provides Hetzner Online with data center services in Singapore. For you as a customer, it means that Hetzner Online GmbH is still the company that you have a contract with.

Which pieces of my personal data are transferred to Singapore?
Hetzner Online GmbH does not share your main customer account information (for example, your payment information) with Hetzner Pte. Ltd. Technical and customer support measures from our team generally occur within the EU (Falkenstein, Nuremberg, and Helsinki).

The only data that we share with Singapore is data that you as a customer have saved on your cloud servers in Singapore (if you have chosen cloud servers in Singapore). The Hetzner Cloud products that we provide in Singapore run on our own Hetzner servers that are located in data centers with third-party providers there.

Examples
To give you a better idea of what we mean, we have prepared some specific examples:

  • Example 1

    » You rent a cloud server located in Falkenstein, Nuremberg, or Helsinki

    Your general customer account information and all the data saved on your cloud server will be saved and processed within the EU. None of your data will be saved or processed on servers outside of Europe.

  • Example 2

    » You rent a cloud server in Singapore

    Your general customer account information will be saved and stored within the EU.

To ensure that the servers at the Singapore location remain protected in accordance with the EU's General Data Protection Regulation (GDPR), Hetzner Online GmbH completed a standard contractual clause (SCC) with Hetzner Singapore Pte. Ltd. This SCC makes Hetzner Singapore Pte. Ltd. contractually obliged to uphold the regulations outlined in the GDPR. (Last updated 07 August 2024.)

Important note: In accordance with our Data Protection Agreement, you as the customer are responsible for both the data that is stored on your rented server and for the encryption of that data.

Official government requests

We regularly receive requests from government authorities. Just like all non-European authorities, authorities in the USA and Singapore must also comply with EU regulations. In simple terms, that means:

  • For our data centers in Falkenstein and Nuremberg:

    We only accept requests and court orders from German authorities and courts. We do not accept requests and court orders from foreign authorities/courts. Only German authorities with a valid official request or court order are allowed access to our data centers.

    It is important to note that we, just like other data center providers, cannot guarantee that German authorities will not pass on any data they obtain under German law to foreign authorities on the basis of international agreements.


  • For our data centers in Helsinki:

    It is similar with our data center in Helsinki: We only accept requests and court orders from Finnish authorities and courts. We do not accept requests and court orders from foreign authorities/courts. Only Finnish authorities with a valid official request or court order are allowed access to our data centers.

    Similarly, Finnish authorities may pass on data they obtain under Finnish law to foreign authorities on the basis of international agreements.


  • For our locations in the USA and Singapore:

    Government authorities in the USA and Singapore do not have any direct access to the content of the data stored on your cloud servers in the EU. If you use your rented server in the USA or Singapore for unlawful purposes, we assume that there may be requests for legal assistance from authorities in the USA or Singapore. In these situations, and only in these situations, authorities are required to cooperate on the basis of international agreements.

Summary:
You as the customer have a certain degree of control over who has access to the data on your rented server. However, there is no 100% guarantee that data stored on your server will not be accessed on the basis of official requests and/or court orders, even for data completely stored and processed within the EU. If you need a company that has absolutely no connection to the USA or Singapore, then you should use a different company. There is a definite connection via Hetzner US LLC and Hetzner Singapore Pte. Ltd., and we have tried to make this connection clear from our standpoint.

Still have questions? Contact support.

If you have any other questions about DPAs, we will be happy to help. Please contact our data protection team at data-protection@hetzner.com.
