Data Privacy FAQ

Last change on 2024-10-17 • Created on 2020-03-18 • ID: GE-82054

Introduction

Data privacy is an important topic here at Hetzner. This article provides answers to common questions regarding this topic.

Web hosting packages and managed servers:

Which data is stored in the log files?

For our customers' websites, the log files store, among other things, the IP address, the browser visitors use, the time and date of the visits, and the system that visitors use. We at Hetzner Online only store pseudonymised IP addresses of visitors to the website. At the web server level, this happens by default by storing an IP address <123.123.123.XXX> in the log file instead of the visitor's actual IP address, for example, <123.123.123.123>. The XXX is a random value between 1 and 254, so it is no longer possible to establish the true identity of the visitor.
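The replacement described above, as an added example that is not Hetzner's own code: it rewrites the client address of an access-log line before the line is stored. The log layout (client address as the first field), the function names, and the handling of non-IPv4 addresses are assumptions, and the sample lines are constructed.

```python
import ipaddress
import secrets


def pseudonymise_ipv4(addr: str) -> str:
    """Keep the first three octets; replace the last with a random value 1..254."""
    a, b, c, _ = ipaddress.IPv4Address(addr).packed  # raises ValueError if not IPv4
    return f"{a}.{b}.{c}.{secrets.randbelow(254) + 1}"


def pseudonymise_log_line(line: str) -> str:
    """Pseudonymise the client address, assumed to be the first field of the line."""
    client, sep, rest = line.partition(" ")
    try:
        client = pseudonymise_ipv4(client)
    except ValueError:
        # Assumption: the page only describes IPv4. Anything else (IPv6,
        # hostnames, garbage) is dropped rather than written unmodified.
        client = "-"
    return client + sep + rest


# Constructed sample input in a common access-log layout.
SAMPLE_LOG = [
    '123.123.123.123 - - [17/Oct/2024:10:00:00 +0200] "GET / HTTP/1.1" 200 512',
    '2001:db8::1 - - [17/Oct/2024:10:00:01 +0200] "GET /a HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(pseudonymise_log_line(entry))
```

In this sketch the last octet is drawn fresh for every line, so two requests from the same visitor usually end up with different stored addresses, while the first three octets remain available for coarse statistics.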

How long does Hetzner Online store log files?

  • Mail server log: Hetzner Online stores these log files for 7 days.
  • Apache log: Customers can configure the length of time to store their log files. They can configure this themselves by going to their account on konsoleH. To do this, go to Administration > Maintenance > Account Maintenance and then click on Activate own rules to change this setting.
  • Backups: Hetzner Online stores encrypted backups for 14 days.

If you do not want to record log files, please add a file named .no-logs to your account.

Data processing

What is a data processing agreement (DPA)?

When you use services that involve the processing of personal data, for example, with services provided by Hetzner Online, a DPA forms the basis of the data security understanding between you and Hetzner.

The data processing agreement defines the rights and obligations between you as the “Controller/Client” and Hetzner as the “Processor/Supplier”. In the DPA, Hetzner promises, for example, to only process the personal data that you provide to us and only for the agreed purposes. We also pledge to use comprehensive measures to protect your data while processing it. You can read an overview of these measures by going to Appendix 2 of the DPA, “Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments”.

When do I need a DPA?

In accordance with Art. 28 paragraph 3 of the EU’s General Data Protection Regulation (GDPR), you are required to have a DPA if Hetzner processes personal data on your behalf. In other words, you need it if you have saved personal data on a server you rent from us or by using one of our other services.

There is an exception: If you process the personal data exclusively for private reasons, you do not need to create a DPA.

What is “personal data”?

The EU’s General Data Protection Regulation defines this term in Art. 4, No. 1. In short, personal data includes information that can be connected to a specific person, and this includes things like their names, addresses, email addresses, genders, their account numbers, and many other things.

How can I create a DPA with Hetzner?

You can find a template for our data processing agreement at https://www.hetzner.com/AV/DPA_en.pdf. You can create a DPA in a few easy steps by going to your account on Hetzner Accounts.

Details about the DPA’s content

  • Types of data: In this section, you should define the types of personal data that we process as part of our contract with you. You can choose one of the pre-set types of data that we list, or you can add other types of data.
  • Affected people: This section defines the groups of people whose personal data we process when we process data on your behalf. You can choose from a pre-set group of people that we list, or you can add other groups of people.

Once you have finished creating your DPA, you will be able to see the list of types of data and affected people by going to Appendix 1 of the DPA.

If, after you have generated your DPA, you decide that you need to change the types of data and/or the affected people, you can do the following:

  • Choice 1: Delete the existing DPA by clicking on the trash bin icon, and then create a new DPA.
  • Choice 2: Create a second DPA in addition to the existing one. You can create up to 6 DPAs.

Do I have to sign the DPA?

It is not absolutely necessary for you to sign the DPA at this point because you have already given your consent when you generated your DPA via your customer account and checked the checkbox “I consent to the agreement” at the end of the DPA.

My organization already has its own DPA. Who can I send this to so they can sign it?

We do not generate or sign DPAs that individuals or organizations create for themselves. We require everyone who needs a DPA with us to create one using this link: https://accounts.hetzner.com/account/dpa.

Subcontractors

We work together with subcontractors to make the services that we provide as efficient as possible. Subcontractors are required by the contracts to follow data protection regulations. You can find a complete list of the subcontractors we work with here.

Locations outside of the EU

Important note: We have locations in the USA and Singapore just for our Cloud products. For all of our other products, our servers and all the data stored and processed on them are located within the EU.

Information about data protection at our US locations

Who is my contract with?
Hetzner US LLC is a subsidiary of Hetzner Online GmbH and provides Hetzner Online with data center services in the USA. For you as a customer, it means that Hetzner Online GmbH is still the company that you have a contract with.

Which pieces of my personal data are transferred to the US?
Hetzner Online GmbH does not share your main customer account information (for example, your payment information) with Hetzner US LLC. Technical and customer support measures from our team generally occur within the EU.

The only data that we share with the US is data that you as a customer have saved on your cloud servers in the USA (if you have chosen cloud servers in the USA). The Hetzner Cloud products that we provide at the locations in Ashburn, Virginia and Hillsboro, Oregon run on our own Hetzner servers that are located in data centers with third-party providers there.

Examples
To give you a better idea of what we mean, we have prepared some specific examples:

  • Example 1:

    » You rent a cloud server located in Falkenstein, Nuremberg, or Helsinki

    Your general customer account information and all of the data saved on your cloud server will be saved and processed within the EU. None of your data will be saved or processed on servers outside of Europe.

  • Example 2:

    » You rent a cloud server in Ashburn (Virginia) and/or in Hillsboro (Oregon)

    Your general customer account information will be saved and stored within the EU.

There is a Standard Contractual Clause (SCC) in place between Hetzner Online GmbH and Hetzner US LLC to ensure that your data at our US locations is saved and processed in accordance with the EU's General Data Protection Regulation (GDPR). By signing this agreement, Hetzner US LLC commits itself contractually to upholding the GDPR and the EU's data protection standards. (last updated 24 July 2024)

Important note: In accordance with our Data Protection Agreement, you as the customer are responsible for both the data that is stored on your rented server and for the encryption of that data. The transfer of data on your rented server from the EU to the USA is based on your express consent, which you gave when you chose to rent a server at a US location.

Information about data protection at our Singapore location

Who is my contract with?
Hetzner Singapore Pte. Ltd. is a subsidiary of Hetzner Online GmbH and provides Hetzner Online with data center services in Singapore. For you as a customer, it means that Hetzner Online GmbH is still the company that you have a contract with.

Which pieces of my personal data are transferred to Singapore?
Hetzner Online GmbH does not share your main customer account information (for example, your payment information) with Hetzner Pte. Ltd. Technical and customer support measures from our team generally occur within the EU (Falkenstein, Nuremberg, and Helsinki).

The only data that we share with Singapore is data that you as a customer have saved on your cloud servers in Singapore (if you have chosen cloud servers in Singapore). The Hetzner Cloud products that we provide in Singapore run on our own Hetzner servers that are located in data centers with third-party providers there.

Examples
To give you a better idea of what we mean, we have prepared some specific examples:

  • Example 1

    » You rent a cloud server located in Falkenstein, Nuremberg, or Helsinki

    Your general customer account information and all of the data saved on your cloud server will be saved and processed within the EU. None of your data will be saved or processed on servers outside of Europe.

  • Example 2

    » You rent a cloud server in Singapore

    Your general customer account information will be saved and stored within the EU.

To ensure that the servers at the Singapore location remain protected in accordance with the EU's General Data Protection Regulation (GDPR), Hetzner Online GmbH completed a standard contractual clause (SCC) with Hetzner Singapore Pte. Ltd. This SCC makes Hetzner Singapore Pte. Ltd. contractually obliged to uphold the regulations outlined in the GDPR. (Last updated 07 August 2024.)

Important note: In accordance with our Data Protection Agreement, you as the customer are responsible for both the data that is stored on your rented server and for the encryption of that data.

Official government requests

We regularly receive requests from government authorities. Just like all non-European authorities, authorities in the USA and Singapore must also comply with EU regulations. In simple terms, that means:

  • For our data centers in Falkenstein and Nuremberg:

    We only accept requests and court orders from German authorities and courts. We do not accept requests and court orders from foreign authorities/courts. Only German authorities with a valid official request or court order are allowed access to our data centers.

    It is important to note that we, just like other data center providers, cannot guarantee that German authorities will not pass on any data they obtain under German law to foreign authorities on the basis of international agreements.


  • For our data centers in Helsinki:

    It is similar with our data center in Helsinki: We only accept requests and court orders from Finnish authorities and courts. We do not accept requests and court orders from foreign authorities/courts. Only Finnish authorities with a valid official request or court order are allowed access to our data centers.

    Similarly, Finnish authorities may pass on data they obtain under Finnish law to foreign authorities on the basis of international agreements.


  • For our locations in the USA and Singapore:

    Government authorities in the USA and Singapore do not have any direct access to the content of the data stored on your cloud servers in the EU. If you use your rented server in the USA or Singapore for unlawful purposes, we assume that there may be requests for legal assistance from authorities in the USA or Singapore. In these situations, and only in these situations, authorities are required to cooperate on the basis of international agreements.

Summary:
You as the customer have a certain degree of control over who has access to the data on your rented server. However, there is no 100% guarantee that data stored on your server will not be accessed on the basis of official requests and/or court orders, even for data completely stored and processed within the EU. If you need a company that has absolutely no connection to the USA or Singapore, then you should use a different company. There is a definite connection via Hetzner US LLC and Hetzner Singapore Pte. Ltd., and we have tried to make this connection clear from our standpoint.

Still have questions? Contact support.

If you have any other questions about DPAs, we will be happy to help. Please contact our data protection team at data-protection@hetzner.com.
