GDPR compliance Hetzner (On-Prem/Alternative Cloud)¶

Certifications & legal frameworks¶

• ISO 27001: Certifies ISMS for data centers in Germany (Nuremberg, Falkenstein) and Finland.

• SCCs for Non-EU Locations: Covers US (Virginia, Oregon) and Singapore data centers.

Data residency & control¶

• EU-First Policy: Most services hosted in Germany/Finland; non-EU cloud servers require opt-in.

• Pseudonymization: IP addresses anonymized in logs (e.g., 123.123.123.XXX).

• Customer-Managed Encryption: Users must encrypt data on rented servers; no native key management.

Subprocessor transparency¶

• Discloses subcontractors (e.g., payment processors, debt collection) with GDPR-compliant contracts.

• Limits non-EU data transfers to cloud server content only; account data remains in the EU.

Breach notification & tools¶

• DPA Terms: Requires customers to handle breach notifications for their server data.

• Log Retention: Apache logs configurable by customers; default backups stored for 14 days.

Data location¶

• EU-Centric: Most Hetzner servers and cloud services are hosted in Germany (Falkenstein, Nuremberg) or Finland, with optional U.S./Singapore locations (opt-in required).

• Object Storage: S3-compatible storage defaults to EU data centers.

Jurisdiction¶

• GDPR Compliance: Hetzner’s DPA aligns with GDPR Art. 28. Subprocessors are disclosed in appendices.

• Local Laws: German data protection laws (e.g., BDSG) apply to EU-hosted data.

How to verify¶

• Hetzner Cloud Console: Check server locations under “Projects” > “Location.”

• DPA Documentation: Review subprocessor lists and data transfer clauses.

Detailed documentation¶

• Hetzner: DPA Template