Certificates

Last change on 2024-10-22 • Created on 2024-07-24 • ID: GE-A42CF

ISO 27001

We have ISO/IEC 27001 certification. You can view our certificate at https://www.hetzner.com/assets/downloads/FOX-Certificate.pdf. You can find more information about our certificate at https://www.hetzner.com/unternehmen/zertifizierung.

Statement of Applicability (SoA)

The SoA is an internal document that we do not make available to third parties. We at Hetzner do not have any exclusions with regard to the measures mentioned in Annex A of ISO 27001.

Technical and Organizational Measures (TOMs)

We implement a variety of measures to ensure the security of how we process personal data. We provide an overview of our technical and organizational measures ("TOMs" for short) in Appendix 2 of our Data Processing Agreement. We arrange for our TOMs to be regularly audited by an external data protection organization. (At the moment, that is TÜV Rheinland.) We make the audit protocol available to our customers on their customer account if they have completed a Data Protection Agreement with us. It is available on customers' accounts at https://accounts.hetzner.com/account/dpa.

SOC 2

The SOC 2 is an information security standard that is most well-known in the USA, and plays a big role there. As an international web hosting company, we at Hetzner place our focus on the ISO 27001 certification because it is more applicable to an international market.

National (German) certifications and standards, like the Basic Security Standards (Grundschutz) from the German Federal Office for Information Security (BSI), NIST, and COBIT:

As we already stated above, we at Hetzner place our focus on internationally recognized certificates. For that reason, we ask you to please see the information listed above under ISO 27001 and our Technical and Organizational Measures.

C5 – DigiG

We already meet a number of requirements and C5 standards with our ISO 27001 certificate. However, we do not have C5 certification.

The German Digital Act (DigiG) defines the requirements for cloud usage in the healthcare industry, including the requirement of a C5 certificate. However, the DigiG also includes the option for the German Federal Ministry of Health (the BMG) to define by law which other standards besides the C5 also meet the necessary requirements.

The BMG informed us that, as an alternative to C5 certification, other forms of certification or standards may be accepted as long as they require a similar level of security. The BMG is planning to introduce an ordinance to clarify this topic in the second half of 2024.

We at Hetzner are monitoring current developments.
