GDPR, ISO 27001 and CISPE Code of Conduct: a guide to European compliance with UpCloud

Customer data belongs to the customer

Customers are in control of the data they store in our cloud infrastructure and, with data residency, customer data is always stored in the country and data centre they select through the UpCloud control panel. We will not move data without customer’s requests. Governed by GDPR and Finnish and European data privacy laws and regulations, we are committed to helping customers seamlessly achieve their compliance objectives in this field.

Continuous Improvement Cycle

We have a bug bounty program open to committed security researchers and offer a public Vulnerability Disclosure Program for reporting any possible vulnerabilities. We also believe in maintaining an open dialogue with our customers about our security practices. If you have any questions or concerns about how we manage and protect our customers’ data, we’re here to answer them. We undergo regular external testing, reviews and audits, pushing ourselves to continuously improve and adapt our security posture in response to the evolving threat landscape, including reacting immediately to discovered vulnerabilities.

Shared responsibility model

When customers build IT-infrastructure with UpCloud they are entering a model where both parties, UpCloud and them – have responsibilities for maintaining the security of the services. Customers are responsible for their applications and configuring the services – but as a cloud infrastructure provider, UpCloud offers high-level security at datacentres and server/storage locations, as well as connectivity and networking solutions like load balancing, SDN, and virtual servers as a service – and additionally certain managed services such as Backups, Databases and Kubernetes containers.

In a landscape rife with cybersecurity threats, the credibility and trustworthiness of your Cloud Service Provider (CSP) are non-negotiable. At UpCloud, we make it easier for you by demonstrating our unwavering commitment to data security. Our ISO 27001 certification and CISPE Code of Conduct compliance aren’t just badges – they’re promises of robust, transparent, and secure cloud infrastructure services.

ISO 27001: The Gold Standard in Security

As an integral part of our security framework, we’re proud to be ISO 27001 certified. This international standard not only signifies our dedication to maintaining the high level of information security but also ensures that we adhere to industry-recognized best practices in managing and safeguarding your data.

Risk Management

Part of our ISO 27001 commitment involves a holistic approach to risk management. We don’t just focus on technology; we encompass people, processes, and tech in our security endeavours. Human error can be a significant security risk. We invest in regular training for our team, ensuring they’re always up to date with the latest security protocols and practices.

Regular Audits

The ISO 27001 standard is not a one-off certification. We are regularly audited by independent third parties to ensure our adherence to ISO 27001 standards and the efficiency of our security controls.

Beyond ISO 27001

While ISO 27001 remains a core component of our security compliance, we’re also committed to aligning with other global and regional security standards and regulations, ensuring a comprehensive and multi-faceted approach to security. We are aligned with ISO 31000, NIST CSF and CISPE Code of Conduct and our data centres have multiple industry certifications on top of ISO 27001.

What is the CISPE Code of Conduct?

The Cloud Infrastructure Services Providers in Europe (CISPE) is a non-profit organisation with members that include Amazon Web Services, OVH, Hetzner, Leaseweb, Aruba, and UpCloud. The CISPE Code of Conduct focuses on data protection principles, and adhering to this ensures that your data remains within your control, isn’t used for anything other than what you’ve authorized, and remains in the EEA (EU countries, Norway, Liechtenstein, and Iceland), providing an additional layer of protection given the stringent data protection laws in place.

Choosing a European CSP with ties to a legal framework protecting personal and business data can give you an edge when it comes to security promises to customers. We are committed to complying with applicable data protection and privacy laws and helping customers achieve their compliance objectives in this field. Choosing a European CSP carries unique advantages:

GDPR and Data Protection Laws

Europe boasts the world’s most robust data protection regulations, including GDPR and upcoming NIS2, the Data Act and more. With UpCloud, customers benefit from a cloud infrastructure provider that is governed by these rigorous laws, ensuring the utmost protection for your data.

No Data Offshoring

With UpCloud, your data can reside in the country of your choosing and our systems and operations are based in Europe. This means that not only is it protected by European regulations, but it’s also protected against unauthorised legal requests from other jurisdictions that might want to access your data.

Data access, retention and cooperation

Customers control their data, server storage location and determine the retention period – your data, your rules.