How is Hetzner security and Data protection organized?

Hetzner Online places a high emphasis on security and data protection, both digitally and physically. Here’s an overview of their physical security measures

PHYSICAL SECURITY

Hetzner Online has three data center parks located in three different towns: Nuremberg and Falkenstein/Vogtland in Germany and Helsinki in Finland.

1. Finland as server location: Hetzner Finland Oy, Huurrekuja 10, 04360 Tuusula, Finland
2. Hetzner Online GmbH Am Datacenter-Park 1, 08223 Falkenstein/Vogtland Germany
3. Hetzner Online GmbH Sigmundstraße 135, 90431 Nuremberg, Germany

A video-monitored, high-security perimeter surrounds the entire data center park. Entry is only possible via electronic access control terminals with a transponder key or admission card. All movements are recorded and documented. Ultra modern surveillance cameras provide 24/7 monitoring of all access routes, entrances, security door interlocking systems and server rooms.

Colocation rack D&Ms have their own key and access code for the secure server rack. The administration interface Robot allows Colocation customers to set up their entry authorization in advance and allows them to make appointments for their first visit to the data center and/or for a service visit from an external company.

A generated password enables on-site personnel to authenticate and issue a transponder key for the interlocking doors to the rack. The visit is logged, and the footage recorded is archived in the administration interface for monitoring purposes. The uninterrupted power supply (USV) is ensured with a 15-minute backup battery capacity and emergency diesel generated power. All UPS systems have redundant design.

Direct free cooling allows for the environmentally-friendly cooling of hardware. Climate control is affected via a raised floor system.

A modern fire detection system is directly connected to the fire alarm center of the local fire department.

NETWORK SECURITY

Multiple redundant connections to the largest German internet exchange point, DE-CIX, ensure smooth data transfer.

All existing upstreams and peerings are integrated in the backbone via state-of-the-art routers from Juniper.

Networks in order to boost the network’s capacity and in order to safeguard servers, and IT infrastructure from DDoS attacks, Hetzner Online utilizes its automatic DDoS protection system.

SYSTEM SECURITY

Security updates are continuously performed on managed servers.

There is a central back-up server to save backed-up data. The RAID-1 hard disk system reduces the likelihood of data loss.

See our back-up that provide the highest level of availability. Qualified experts are available 24/7 to provide individual support.

Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments

Confidentiality

• Physical access control

  • Data center parks in Nueremberg, Falkenstein and Helsinki
    • electronic physical entry control system with log
    • high security perimeter fencing around the entire data center park
    • documented distribution of keys to employees and colocation customers for colocation racks (each D&M only for his rack)
    • policies for accompanying and designating guests in the building
    • data center staff present 24/7
    • video monitoring at entrances and exits; security door interlocking systems and server rooms
    • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee.
  • Monitoring
    • electronic physical access control system with log
    • video surveillance for all entrances and exits

• Electronic access control

  • for dedicated root server, colocation server, cloud server and storage box principal commissions
    • server passwords, which, after the initial deployment, can only be changed by D&M and are not known to Hetzner
    • The password for the administration interface is determined by the D&M himself; the password must comply with predefined guidelines. In addition, the D&M employs two-factor authentication to further secure his account.
    • Access is password-protected and only employees of D&M have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis.

• Internal access control

  • for the Hetzner's internal administration systems
    • The Hetzner prevents unauthorized access by applying security updates regularly by using state of the art technology.
    • a revision-proof, compulsory process for allocating authorization for Hetzner employees
  • for dedicated root server, colocation server, cloud server and storage box principal commissions
    • The responsibility for access control is incumbent upon the D&M.
  • for managed server, web hosting and storage share principal commissions
    • The Hetzner prevents unauthorized access by applying security updates regularly by using state of the art technology.
    • a revision-proof, compulsory process for allocating authorization for Hetzner employees
    • Only the D&M is responsible for transferred data/software with regard to security and updates.

• Transfer control

  • Data center parks in Nueremberg, Falkenstein and Helsinki
    • Drives that were in operation on canceled servers will be swiped multiple times (deleted) in accordance with data protection policies upon termination of the contract. After thorough testing, the swiped drives will be reused.
    • Defective drives that cannot be securely deleted are destroyed (shredded) directly in the Falkenstein data center.

• Isolation control

  • for the Hetzner's internal administration systems
    • Data shall be physically or logically isolated and saved separately from other data.
    • Backups of data shall also be performed using a similar system of physical or logical isolation.
  • for dedicated root server, colocation server, cloud server and storage box server principal commissions
    • The D&M is responsible for isolation control.
  • for managed server, web hosting and storage share principal commissions
    • Data shall be physically or logically isolated and saved separately from other data.
    • Backups of data shall also be performed using a similar system of physical or logical isolation.

• Pseudonymization

  • The D&M is responsible for pseudonymization.

Integrity (Art. 32 Para.1 Clause b GDPR)

• Data transfer control

  • All employees are trained in accordance with Art. 32 Para. 4 GDPR and are obliged to ensure that personal data is handled in accordance with data protection regulations.
  • Deletion of data in accordance with data protection regulations after termination of the contract.
  • Encrypted data transmission options are provided within the scope of the service description of the principal commission.

• Data entry control

  • for the Hetzner's internal administration systems
    • Data is entered by the D&M.
    • Changes in data are logged.
  • for dedicated root server, colocation server, cloud server and storage box principal commissions
    • The responsibility for input control is incumbent upon the D&M.
    • Data is entered or collected by the D&M.
    • Changes in data are logged.

Availability and Resilience (Art. 32 Para. 1 Clause b GDPR)

Availability control

• for the Hetzner's internal administration systems
  • backup and recovery concept with daily backups of all relevant data
  • professional employment of security programs (virus scanners, firewalls, encryption programs, spam filters)
  • employment of disk mirroring on all relevant servers
  • monitoring of all relevant servers
  • employment of an uninterruptible power supply system or emergency power supply system
  • permanently active DDoS protection
• for dedicated root server, colocation server, cloud server and storage box principal commissions
  • Data backup is incumbent upon the D&M.
  • employment of an uninterruptible power supply system or emergency power supply system
  • permanently active DDoS protection

Rapid recovery measures (Art. 32 Para. 1 Clause c GDPR)

• For all internal systems, there is a defined escalation chain which specifies who is to be informed in the event of an error in order to restore the system as quickly as possible.

Procedures for regular testing, assessment, and evaluation (Art. 32 Para. 1 Clause d GDPR; Art. 25 Para. 1 GDPR)

• The data protection management system and the information security management system have been combined into a DIMS (data protection information security management system).
• Incident response management is available.
• Data-protection-friendly default settings are taken into account for software development (Art. 25 Para. 2 GDPR).

• Agreement or contract control
  • Hetzner Onling GmbH employees are regularly instructed in data protection law and are familiar with the procedural instructions and user guidelines for data processing on behalf of the D&M also with regard to the D&M's right of instruction.
  • Hetzner Online GmbH has appointed a company Data Protection Officer and an Information Security Officer. The data protection organization and the information security management systems integrate both officers into the relevant operational procedures.