ISO 27001
We have ISO/IEC 27001 certification. You can view our certificate at https://www.hetzner.com/assets/downloads/FOX-Certificate.pdf. You can find more information about our certificate at https://www.hetzner.com/unternehmen/zertifizierung.
Statement of Applicability (SoA)
The SoA is an internal document that we do not make available to third parties. We at Hetzner do not have any exclusions with regard to the measures mentioned in Annex A of ISO 27001.
Technical and Organizational Measures (TOMs)
We implement a variety of measures to ensure the security of how we process personal data. We provide an overview of our Technical and Organizational Measures ("TOMs" for short) in Appendix 2 of our Data Processing Agreement. We arrange for our TOMs to be regularly audited by an external data protection organization. (At the moment, that is TÜV Rheinland.) We make the audit protocol available to our customers on their customer account if they have completed a Data Protection Agreement with us. It is available on customers' accounts at https://accounts.hetzner.com/account/dpa.
SOC 2
SOC 2 is an information security standard that is most well-known in the USA, where it plays a big role. As an international web hosting company, we at Hetzner place our focus on the ISO 27001 certification because it is more applicable to an international market.
National (German) certifications and standards, like the Basic Security Standards (Grundschutz) from the German Federal Office for Information Security (BSI), NIST, and COBIT:
As we already stated above, we at Hetzner place our focus on internationally recognized certificates. For that reason, we ask you to please see the information listed above under ISO 27001 and our Technical and Organizational Measures.
C5 – DigiG
We already meet a number of requirements and C5 standards with our ISO 27001 certificate. However, we do not have C5 certification.
The German Digital Act (DigiG) defines the requirements for cloud usage in the healthcare industry, including the requirement of a C5 certificate. However, the DigiG also includes the option for the German Federal Ministry of Health (the BMG) to define by law which other standards besides the C5 also meet the necessary requirements.
At the beginning of January 2025, the BMG published a regulation about an alternative to C5 certification ("C5-Äquivalenz-Verordnung"). This regulation outlines which specific forms of proof are acceptable from a technical and physical point of view to demonstrate that an alternative verification method has a security level equivalent to the C5 test certificate.
This regulation has not yet entered into force. It is still in the draft stage, and more specifically, it is in the stage in which German federal states and organizations can still contribute to the final version of the regulation.
We at Hetzner are monitoring current developments.