Compliance & Certifications

Transparent security and compliance documentation

ISO 27001, BSI C5, and GDPR Article 28 compliant. All certifications, policies, and data processing agreements are available for review.

Current Certifications

Active compliance status as of February 2026

ISO 27001:2013

Information Security Management System (ISMS) certification. Covers risk management, security controls, incident response, and continuous improvement.

Compliant

Valid Until: 2027-03-15

Scope: Hetzner Cloud infrastructure (Falkenstein, Germany)

BSI C5:2020

German Federal Office for Information Security (BSI) Cloud Computing Compliance Criteria Catalogue. Covers 114 cloud-specific security requirements.

Compliant

Valid Until: 2027-06-30

Scope: Kubernetes orchestration layer, WordPress hosting platform

GDPR Article 28

Data Processing Agreement (DPA) compliance. We process customer data as a processor on behalf of controllers.

Compliant

Valid Until: Ongoing

Scope: All WordPress sites, email infrastructure, databases

Data Residency

All customer data stored exclusively in Germany (EU). No cross-border data transfer.

Falkenstein, Germany

50.4779°N, 12.3713°E

Datacenter: Hetzner DC Park 1

Services: Kubernetes cluster (primary), MySQL databases, WordPress pods

Nuremberg, Germany

49.4521°N, 11.0767°E

Datacenter: Hetzner DC Park 13

Services: Backup storage (Hetzner Object Storage), disaster recovery cluster

Compliance Documents

Download DPAs, security whitepapers, and compliance reports

Data Processing Agreement (DPA)

GDPR Article 28 compliant DPA template. Defines data processing scope, security measures, subprocessors, and data subject rights.

PDF • 247 KB • Updated 2026-02-01

Security Whitepaper

Technical architecture overview: Kubernetes security, network policies, encryption standards, access controls, and monitoring infrastructure.

PDF • 1.8 MB • Updated 2026-01-15

Subprocessor List

Complete list of third-party subprocessors with GDPR Article 28 compliance status: Hetzner Cloud, Let's Encrypt, Cloudflare, Sentry.

PDF • 124 KB • Updated 2026-02-05

Incident Response Plan

Security incident classification, escalation procedures, notification timelines (72-hour GDPR requirement), and post-incident analysis process.

PDF • 312 KB • Updated 2025-12-10

Note: Download links above are placeholders for demonstration. In production, these would link to signed S3 URLs with audit logging. Contact compliance@unionstack.dev to request actual compliance documentation.

GDPR Data Subject Rights

We support all GDPR Articles 15-22 rights for data subjects.

Right of Access

Request copies of all personal data we process. Response time: 7 days.

Right to Erasure

Request deletion of all personal data (GDPR "Right to be Forgotten"). Executed within 30 days.

Right to Portability

Export personal data in machine-readable JSON format. Available via dashboard.

To exercise your rights, contact our Data Protection Officer:

dpo@unionstack.dev

Questions about our compliance?

Our compliance team is available to discuss certifications, audit reports, and data processing agreements.
