A component of Hetzner’s shared and Dedicated Managed hosting products is the storage of customers’ Website and Email data. As we store the data, under the GDPR we are viewed as a processor of the data.
Hetzner has no knowledge of the actual data which our customers store on our hosting platform, which may include personal data. As we have no involvement with the data other than storing it, our obligations relating to the GDPR in this context are limited.
Contrast this to the personal data of our customers that we store in our customer database; here we are fully obligated under the GDPR as a data controller.
When a customer signs up with us, they voluntarily provide us with their personal data as part of the sign up process. We have full knowledge and control of this data. If a customer requests that we make visible to them what data of theirs we have, we are able to do so. Customers are able to independently access contact and banking details associated with their hosting accounts and update or remove this data via the konsoleH control panel.
When a customer uploads their Web application and associated data to our managed hosting platform, we don’t know the type nor the content of the data uploaded. Should our customer in turn store their end customer’s personal data, only our customer can make visible to the end customer what data about them is stored. Here the end customer is the controller, our customer the processor and we are the sub-processor of any personal data.
Hetzner’s security obligations and how we fulfil them
Hetzner is obliged to implement appropriate technical and organisational measures to prevent a breach into our managed hosting servers which may allow access to personal data stored on the servers. We have always viewed this as an obligation on us, and therefore at a technology level, GDPR does not change anything for us in the context of these products.
Our servers are managed in accordance with security best practices for servers on the internet, providing a mass market managed hosting service.
- We do not run any services on our servers which are not required to deliver the hosting service. Having extraneous services active on a server increase the attack risk unnecessarily.
- We apply software package security updates provided by our Linux distribution (Debian) as follows:
- Non-critical updates are applied within a week of release.
- Critical updates are aimed to be applied within 24 hours of release.
- We do not store customer’s mailbox, FTP or MySQL database passwords in clear text.
- Passwords are stored using a salted, one-way hashing algorithm.
- Vulnerability scans and penetration tests are performed against our managed hosting servers and any critical issues exposed are resolved as a priority.
- Firewalls are employed to restrict access to any services on the servers which are not purposed for public consumption.
- Various intrusion detection mitigation systems are employed at the server level.
- A basic Web Application Firewall is employed to mitigate a certain degree of relevant attacks.
- An advanced Web Application Firewall (Cloudbric) is available as an optional extra for customers who store particularly sensitive data.
Encryption of data stored by customers on our managed servers
Hetzner does not encrypt any data stored by customers on our managed servers. The reasons for this are:
- The controller of the data (ie. our customer) is the only one positioned to know whether or not data should be encrypted.
- Our view is that the most effective place to encrypt personal data is at the point where the controller is able to effect the encryption (and decryption).
- Sensitive emails should be encrypted at the source and decrypted only by the recipient (i.e. utilising asymmetric key pair encryption)
- Web application files and database tables should be encrypted and decrypted by the Web application itself.