Certificates

Last change on 2024-08-29 • Created on 2024-07-24 • ID: GE-A42CF

ISO 27001

We have ISO/IEC 27001 certification. You can view our certificate at https://www.hetzner.com/assets/downloads/FOX-Certificate.pdf. You can find more information about our certificate at https://www.hetzner.com/unternehmen/zertifizierung.

Statement of Applicability (SoA)

The SoA is an internal document that we do not make available to third parties. We at Hetzner do not have any exclusions in regard to the measures mentioned in Annex A of ISO 27001.

Technical and Organizational Measures (TOMs)

We implement a variety of measures to ensure the security of how we process personal data. We provide an overview of our technical and organizational measures ("TOMs" for short) in Appendix 2 of our Data Processing Agreement. We arrange for our TOMs to be regularly audited by an external data protection organization. (At the moment, that is TÜV Rheinland.) We make the audit protocol available to our customers on their customer account if they have completed a Data Protection Agreement with us. It is available on customers' accounts at https://accounts.hetzner.com/account/dpa.

SOC 2

The SOC 2 is an information security standard that is most well-known in the USA, and plays a big role there. As an international web hosting company, we at Hetzner place our focus on the ISO 27001 certification because it is more applicable to an international market.

National (German) certifications and standards, like the Basic Security Standards (Grundschutz) from the German Federal Office for Information Security (BSI), NIST, and COBIT:

As we already stated above, we at Hetzner place our focus on internationally recognized certificates. For that reason, we ask you to please see the information listed above under ISO 27001 and our Technical and Organizational Measures.

C5 – DigiG

We already meet a number of requirements and C5 standards with our ISO 27001 certificate. However, we do not have C5 certification. DigiG has defined the requirements for cloud usage in the healthcare industry, including the requirement of a C5 certificate. However, the DigiG also includes the option for the German Federal Ministry of Health to define by law which other standards also meet the necessary requirements (in addition to C5). Bitkom (an organization that represents the German IT and telecommunications industry) created a statement on the draft for a new law to help accelerate digitalization in the healthcare industry. In it, Bitkom suggested that cloud service providers that have ISO 27001 certification should also meet the requirements for the law. The provider's certification should also cover the scope of the cloud services that are on offer for this to apply. At Hetzner, the scope of our ISO 27001 certificate covers all of our hosting services, including our cloud products. Bitkom also stated that they believe that ISO 27001 will be accepted in the future as an equivalent form of certification. We at Hetzner also hope that this will be the case and are monitoring current developments.
