GDPR compliance: Hetzner (On-Prem/Alternative Cloud)

  • ISO 27001: ISMS certification covering the data centers in Germany (Nuremberg, Falkenstein) and Finland.

  • SCCs for Non-EU Locations: Covers US (Virginia, Oregon) and Singapore data centers.

Data residency & control

  • EU-First Policy: Most services hosted in Germany/Finland; non-EU cloud servers require opt-in.

  • Pseudonymization: IP addresses anonymized in logs (e.g., 123.123.123.XXX).

  • Customer-Managed Encryption: Users must encrypt data on rented servers; no native key management.

Subprocessor transparency

  • Discloses subcontractors (e.g., payment processors, debt collection) with GDPR-compliant contracts.

  • Limits non-EU data transfers to cloud server content only; account data remains in the EU.

Breach notification & tools

  • DPA Terms: Requires customers to handle breach notifications for their server data.

  • Log Retention: Apache logs configurable by customers; default backups stored for 14 days.

Data location

  • EU-Centric: Most Hetzner servers and cloud services are hosted in Germany (Falkenstein, Nuremberg) or Finland, with optional U.S./Singapore locations (opt-in required).

  • Object Storage: S3-compatible storage defaults to EU data centers.

Jurisdiction

  • GDPR Compliance: Hetzner’s DPA aligns with GDPR Art. 28. Subprocessors are disclosed in appendices.

  • Local Laws: German data protection laws (e.g., BDSG) apply to EU-hosted data.

How to verify

  • Hetzner Cloud Console: Check server locations under “Projects” > “Location.”

  • DPA Documentation: Review subprocessor lists and data transfer clauses.
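The console check above can be automated against the Hetzner Cloud API's server list. The following is an added example, not Hetzner's own tooling: it classifies each server's location as EU, known non-EU (opt-in) or unrecognised, so that any server outside Germany/Finland surfaces as a finding. Location codes and the response shape are assumed from the public Cloud API documentation; the server list below is constructed sample data.

```python
import json

# Location codes assumed from the Hetzner Cloud API docs:
# EU sites (Germany/Finland) versus the opt-in non-EU sites (US, Singapore).
EU_LOCATIONS = {"fsn1": "Falkenstein", "nbg1": "Nuremberg", "hel1": "Helsinki"}
NON_EU_LOCATIONS = {"ash": "Ashburn, VA", "hil": "Hillsboro, OR", "sin": "Singapore"}

# Constructed sample of a GET https://api.hetzner.cloud/v1/servers response
# (fetched in practice with: curl -H "Authorization: Bearer $HCLOUD_TOKEN" <url>).
SAMPLE_SERVERS_JSON = json.dumps({
    "servers": [
        {"id": 1, "name": "web-eu", "datacenter": {"name": "fsn1-dc14", "location": {"name": "fsn1"}}},
        {"id": 2, "name": "db-eu", "datacenter": {"name": "hel1-dc2", "location": {"name": "hel1"}}},
        {"id": 3, "name": "cache-us", "datacenter": {"name": "ash-dc1", "location": {"name": "ash"}}},
        {"id": 4, "name": "unknown-loc", "datacenter": {"name": "xyz-dc1", "location": {"name": "xyz"}}},
    ]
})


def residency_findings(servers_json: str, allowed=EU_LOCATIONS):
    """Return (server name, location code, verdict) for every server.

    verdict is 'eu', 'non-eu' (a known opt-in site) or 'unknown'
    (a code not in either table, which is treated as a finding, not as EU).
    """
    data = json.loads(servers_json)
    findings = []
    for srv in data.get("servers", []):
        loc = srv.get("datacenter", {}).get("location", {}).get("name", "")
        if loc in allowed:
            verdict = "eu"
        elif loc in NON_EU_LOCATIONS:
            verdict = "non-eu"
        else:
            verdict = "unknown"
        findings.append((srv.get("name", str(srv.get("id"))), loc, verdict))
    return findings


def servers_outside_eu(servers_json: str):
    """Names of servers whose location is not an EU site (non-EU or unrecognised)."""
    return [name for name, _, verdict in residency_findings(servers_json) if verdict != "eu"]


if __name__ == "__main__":
    for name, loc, verdict in residency_findings(SAMPLE_SERVERS_JSON):
        print(f"{name:12} {loc:6} {verdict}")
```

Run the same check against each project's token, since the EU-first default applies per server and a single opted-in location is enough to move content outside the EU.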

Detailed documentation


Last update: 2025-06-07 06:04