UpCloud stands at the forefront of the European cloud infrastructure industry, rooted in Finland’s rich tradition of technical and business excellence. Every customer who chooses to partner with us isn’t just selecting a cloud hosting solution; they’re placing their confidence, their business, and their aspirations in our hands.
Recognizing the weight of this responsibility, we believe it is imperative to shed light on our operations, ensuring all stakeholders have a clear understanding of both the opportunities and the responsibilities inherent in cloud operations.
This document serves as a testament to our commitment—offering a transparent view of our operations, with a particular focus on security measures, thereby fortifying the trust our customers and partners place in us.
As our company is registered in Finland, we comply with the privacy and data protection laws and regulations of Finland and the European Union (EU). The key piece of legislation in this area is the General Data Protection Regulation (GDPR) which applies to all countries of the European Economic Area (EEA). We are committed to complying with the applicable data protection and privacy laws and helping our customers achieve their compliance objectives in this field.
UpCloud processes personal data both in the capacities of Data Controller and Data Processor (as the terms are defined in GDPR), depending on the relationship in which we process that personal data:
Data Processing Agreement
If the Customer Data contains any personal data, the processing of such data is governed by our Data Processing Agreement (DPA), which is incorporated into our Terms of Service. We have carefully drafted a DPA that reflects the specific features of our cloud computing services and takes into account both parties’ interests. The DPA becomes binding on the parties when the customer accepts the Terms of Service, so there’s no need to sign a separate DPA with UpCloud.
Security of Personal Data
We ensure the security, integrity, confidentiality, availability and resilience of the personal data we process on behalf of our customers. You can find more information about our organisational security measures and the security features of our services on this page.
Subprocessors
We only use our 100%-owned subsidiaries as subprocessors of the Customer Data, all of which are covered by our ISO 27001 certification. The list of subprocessors can be found in Appendix 1 of the DPA. The actual subprocessors UpCloud uses in each case depend on the services the customer decides to order. As regards virtual servers deployed in our data centres located in the EU, we don’t use any subprocessors in the provision of the service.
International Transfers
All Account Information is stored in Finland but it is accessible by the members of our global support and sales teams, some of whom are working outside the EEA. The Customer Data is stored in the data centre which the customer selects through the service control panel. UpCloud doesn’t move the data from the selected data centre without the customer’s explicit request. Our operations team members’ access to the Customer Data is restricted: We have disallowed privileged full operating system remote access, physical access and live server remote consoles to all machines inside the EU for our employees located outside the EU. Non-EU operations team members will still have limited monitoring and troubleshooting capabilities to ensure our 24/7/365 operations, but they are technically prevented from accessing any Customer Data stored or processed on the systems.
In these international transfers, we rely on either the European Commission-approved Standard Contractual Clauses executed between UpCloud group companies or an adequacy decision by the European Commission as the transfer mechanism, depending on the country. You may request a copy of the Standard Contractual Clauses executed between UpCloud group companies by contacting our Legal Team at [email protected]. If you have any questions or concerns about international transfers of personal data, we are happy to assist you. Please contact our Support Team at [email protected] for any queries.
Employee Training & Awareness
We provide our employees with regular training on privacy and data protection matters.
Data Retention
The customer controls the Customer Data and determines the appropriate retention period for it. The customer can at any time delete or retrieve a copy of the Customer Data. UpCloud stores the Customer Data as long as there is a valid service agreement in place between the customer and UpCloud. After the agreement expires or is terminated, UpCloud will delete the customer’s virtual servers and any data contained therein. Account Information is retained in accordance with our Privacy Notice.
Data Breaches
As per our DPA, we will inform customers without delay of all personal data breaches concerning their Customer Data. We will also cooperate with the customer in case of data breach investigations. To minimise the risk of data breaches, we recommend customers take advantage of the additional security features of our products, such as enabling multi-factor authentication.
Security isn’t just about technology; it’s about trust. With our commitment to ISO 27001, CISPE code of conduct and broader security compliance, you can trust us to manage your data.
ISO 27001: The Gold Standard in Security
As an integral part of our security framework, we’re proud to be ISO 27001 certified. This international standard not only signifies our dedication to maintaining a high level of information security but also ensures that we adhere to recognized best practices in managing and safeguarding your data. Our Information Security Policy is available here. Our ISO 27001 certification is available here.
Continuous Improvement Cycle
The ISO 27001 standard is not a one-off certification. We undergo regular reviews and audits, pushing ourselves to continuously improve and adapt our security posture in response to the evolving threat landscape.
Risk Management
Part of our ISO 27001 commitment involves a holistic approach to risk management. We don’t just focus on technology; we encompass people, processes, and tech in our security endeavours.
Employee Training & Awareness
Human error can be a significant security risk. We invest in regular training for our team, ensuring they’re always up-to-date with the latest security protocols and practices.
Regular Audits
We are regularly audited by independent third parties to ensure unwavering adherence to ISO 27001 standards.
Open Dialogue
We believe in maintaining an open dialogue with our customers about our security practices. If you have any questions or concerns about how we manage and protect your data, we’re here to answer them. Contact us via email or live chat.
Beyond ISO 27001
While ISO 27001 remains a core component of our security compliance, we’re also committed to aligning with other global and regional security standards and regulations, ensuring a comprehensive and multi-faceted approach to security. We are aligned with ISO 3100, NIST CSF and CISPE Code of Conduct, and our data centre providers have multiple industry certifications on top of ISO 27001:2022.
We also have a bug bounty program and offer a public Vulnerability Disclosure Program for reporting vulnerabilities.
Your trust is paramount, and our infrastructure is designed to protect against a broad spectrum of potential threats.
Managed Object Storage and Databases for Secure data
All data, both in transit and at rest, is encrypted using industry-leading protocols. Automated backups and security updates keep the infrastructure secure.
Managed Kubernetes and Load Balancer for carefree infrastructure
Managed services have automated backups and security updates that help you scale your security needs. Managed Load Balancer supports automated SSL certificate renewal, and you can integrate it with the Kubernetes service.
Multi-Factor Authentication (MFA)
Strengthen access controls with MFA, ensuring that only authorised personnel can access your data.
Site-to-Site VPN Gateway (Beta)
You can connect your office or data centre to the UpCloud SDN network with private encrypted traffic.
No Platform level restrictions
UpCloud gives users the freedom to build their infrastructure according to their needs/standards, and you can choose between more secure or more performant systems.
Private Cloud available
Private clouds are by design more secure than Public Clouds, as compute hardware is dedicated, allowing better data isolation, data control and the ability to meet compliance requirements that are not possible in Public Cloud.
Regular Patching & Updates
UpCloud actively monitors and promptly acts upon vulnerabilities, keeping our systems updated and secure. UpCloud utilises software created in-house to avoid vendor vulnerabilities, make patching vulnerabilities faster, and reduce the software attack surface.
Protected network
UpCloud protects networks and servers against DDoS attacks. DDoS attacks can be mitigated inside UpCloud’s own network and in transit providers’ networks.
Large Partner Network
UpCloud has a large partner network that can help you if you need more specialised security services.
Encryption at Rest
Encryption at rest is available for HDD and MaxIOPS block storage products to make securing your data even easier.
The security and privacy of your data is not just our commitment; it is integral to our ethos. Trust in our cloud infrastructure and know that we place your security at the forefront of everything we do.
If you need to report abuse activities, such as malware traffic, phishing websites, infringing or illegal content, or if you are a government official seeking assistance in a case, please refer to our Reporting Abuse policy.