Information Security Program
Public statement of DanubeData's Information Security Program: scope, accountability, security objectives, control catalogue, governance cadence, and how customers can verify compliance.
1. Purpose
This document describes the DanubeData Information Security Program (the "Program") — the set of policies, procedures, controls, and governance activities by which DanubeData identifies and manages information-security risks across the cloud infrastructure services it provides. The Program is the umbrella under which all other security documentation (Annex A mapping, Risk Management, Incident Response, Shared Responsibility, Records of Processing, Sub-Processors) operates.
The Program is aligned with the ISO/IEC 27001:2022 framework and is designed to satisfy Section 4.3 (Security) and Section 5.6 (Information Security Management System) of the CISPE Code of Conduct for Cloud Infrastructure Service Providers.
2. Scope
The Program applies to:
- All DanubeData production services: VPS, Managed Databases, Cache, Object Storage, Serverless Containers, Static Sites, Managed Applications, Storage Share, Queues, Volumes & Snapshots.
- The control plane (dashboard, API, billing engine, GitOps pipelines).
- The supporting infrastructure operated by DanubeData on Hetzner dedicated servers in Falkenstein and Nuremberg, Germany.
- All Customer Data processed in connection with those services.
- All personnel (employees and contractors) of IFAS Consult SRL with logical or physical access to the production environment or to Customer Data.
- Sub-processors engaged by DanubeData to deliver the services, with respect to the obligations imposed on them by contract.
The Program does not extend to the customer's own use of the services (application code, data classification, customer-side access management) — those responsibilities are addressed in the Shared Responsibility Model.
3. Accountability
Information security accountability is assigned as follows:
| Role | Held by | Responsibilities |
|---|---|---|
| Executive Sponsor | Managing Director, IFAS Consult SRL | Approves the Program; allocates resources; reviews annual security report; signs Statement of Applicability. |
| Security Lead (CISO function) | Designated DanubeData Security Lead | Owns and maintains the Program; chairs quarterly security reviews; owns the risk register; coordinates incident response; named contact for the CISPE Monitoring Body. |
| Data Protection Officer (DPO) | DanubeData DPO — dpo@danubedata.ro | GDPR oversight; data-subject and controller liaison; supervisory-authority point of contact; reviews DPIAs. |
| Operations Lead | DanubeData Operations Lead | Implements operational controls (patching, hardening, monitoring); on-call escalation owner. |
| All personnel | Every employee and contractor | Comply with the Acceptable Use Policy; complete annual security training; report suspected incidents. |
Names of the individuals currently holding these roles are recorded in the internal Statement of Applicability and are made available to the CISPE Monitoring Body and to customers under NDA on request to dpo@danubedata.ro.
4. Security Objectives
The Program pursues the following measurable objectives:
| Objective | Target | Reporting cadence |
|---|---|---|
| Confidentiality of Customer Data | Zero unauthorised disclosures | Quarterly |
| Integrity of Customer Data | Zero data-corruption incidents per quarter | Quarterly |
| Service availability | Per-service SLA targets (see SLA) | Monthly |
| Patch SLA compliance | ≥ 95% of critical patches applied within 24 hours | Monthly |
| Backup success | ≥ 99% scheduled backups completed successfully | Monthly |
| Incident response | Customer notification within 24 hours of confirmed personal-data breach | Per incident |
| Personnel training | 100% completion of annual security training | Annual |
| External assessment | Annual third-party penetration test; findings tracked to closure | Annual |
5. Control Catalogue
The Program implements controls organised by domain. The catalogue below references the detailed mapping in the CISPE Annex A document, which provides a per-control evidence trail.
| Domain | Owner | Detail reference |
|---|---|---|
| Physical and environmental security | Hetzner (sub-processor) / Operations Lead | Annex A §3 |
| Network security | Operations Lead | Annex A §4 |
| Access management | Security Lead | Annex A §5 |
| Personnel security | Managing Director / Security Lead | Annex A §6 |
| Operational security & secrets | Operations Lead | Annex A §7 |
| Cryptography & key management | Security Lead | Annex A §8 |
| Data isolation & multi-tenancy | Operations Lead | Annex A §9 |
| Incident management | Security Lead / DPO | Incident Response Policy |
| Change management | Operations Lead | Annex A §11 |
| Business continuity & DR | Operations Lead | Risk Management & BCP |
| Logging, monitoring, auditability | Operations Lead | Annex A §13 |
| Vulnerability & patch management | Operations Lead | Annex A §14 |
6. Risk Management Integration
The Program is risk-driven. Risks are identified, scored, and treated under the methodology described in the Risk Management & Business Continuity framework. The risk register is owned by the Security Lead and reviewed quarterly. Material risks are escalated to the Executive Sponsor for treatment decisions, including explicit acceptance of residual risk where applicable.
Data Protection Impact Assessments (DPIAs) under GDPR Article 35 are commissioned by the DPO when introducing new processing activities or technologies that present a high risk to data subjects. DPIA outcomes feed into the risk register.
7. Statement of Applicability
DanubeData maintains an internal Statement of Applicability (SoA) listing each ISO/IEC 27001:2022 Annex A control, indicating its applicability, the implementation reference, and the justification for any exclusion. The SoA is approved annually by the Executive Sponsor and is made available to the CISPE Monitoring Body and to customers under NDA on request.
8. Governance Cadence
| Activity | Cadence | Owner | Output |
|---|---|---|---|
| Risk register review | Quarterly | Security Lead | Updated risk register; treatment plan |
| KRI / SLO reporting | Monthly | Operations Lead | Internal dashboard |
| Sub-processor reassessment | Annual + on material change | DPO | Updated sub-processor list; refreshed DPAs |
| Backup restore verification | Quarterly | Operations Lead | Restore verification report |
| Personnel access review | Quarterly | Security Lead | Access review log; revocations completed |
| DR drill | Annual | Operations Lead | DR drill report; lessons-learned |
| External penetration test | Annual | Security Lead | Pentest report; remediation plan |
| Security training | Annual + on hire | Security Lead | Attendance log |
| Management review | Annual | Executive Sponsor + Security Lead | Annual security report; updated SoA; updated Program |
9. Continuous Improvement
The Program follows the ISO/IEC 27001 plan-do-check-act cycle. Inputs to improvement include: incident post-mortems, KRI trends, audit findings (internal and external), supervisory-authority guidance, regulatory developments, customer feedback, and lessons-learned from DR drills and pentest engagements. Material changes to the Program are communicated to customers via email and a dashboard banner, and are reflected in this document.
10. Demonstrating Compliance to Customers
DanubeData supports customers in meeting their controller obligations under GDPR Art. 28(3)(h) by:
- Publishing this Program, the Annex A mapping, the Security Program, and related documents on a free, public basis.
- Providing the most recent independent penetration-test summary on request to customers under NDA.
- Providing the annual report produced by the CISPE Monitoring Body once issued.
- Maintaining a documented procedure for handling controller audit requests, with response within 30 days, in accordance with Section 4.6 of the CISPE Code.
Customers should direct compliance and audit requests to dpo@danubedata.ro.
11. Document Control
Owner: Security Lead. Approver: Managing Director, IFAS Consult SRL. Review cadence: annual, or on material change. Distribution: public.
The "Last updated" date at the top of this page reflects the most recent revision. Earlier revisions are archived internally.
Questions about this policy?
If you have any questions or concerns, please contact our legal team.