Information Security Program

Overview of DanubeData's information security management system, security objectives, personnel security practices, and compliance framework.

Last updated: March 28, 2026

1. Introduction & Scope

DanubeData is committed to protecting the confidentiality, integrity, and availability of all information assets entrusted to us by our customers, partners, and stakeholders. This Information Security Program describes the policies, procedures, and technical measures we maintain to safeguard customer data and ensure the secure operation of our cloud infrastructure services.

The scope of this program encompasses all DanubeData services and the supporting infrastructure on which they operate, including:

  • VPS Instances — KubeVirt-based virtual machines with dedicated and shared CPU options
  • Managed Databases — MySQL, PostgreSQL, and MariaDB with optional read replicas
  • Cache Instances — Redis, Valkey, and Dragonfly in-memory data stores
  • Object Storage — S3-compatible storage with versioning, lifecycle rules, and CORS support
  • Serverless Containers (Rapids) — Knative-based serverless deployments with scale-to-zero
  • Static Sites — Git-integrated static site hosting with automatic builds and custom domains
  • Managed Applications — Pre-configured applications (n8n, WordPress, Ghost)
  • Storage Share — Nextcloud-based file storage and collaboration

This program is aligned with the principles of the ISO/IEC 27001:2022 framework and is designed to satisfy the requirements of the CISPE Code of Conduct for Cloud Infrastructure Service Providers. It applies to all DanubeData personnel, contractors, and third parties who have access to DanubeData systems or customer data.

2. Information Security Governance (CISPE 4.3)

2.1 Operating Entity

DanubeData is operated by IFAS Consult SRL, a company registered in Romania:

  • Tax Identification Number (CUI): RO46614360
  • Trade Register Number: J30/870/2022
  • Registered Office: Satu Mare, Romania
  • EU Member State: Romania

As the operating entity, IFAS Consult SRL bears full responsibility for the implementation and maintenance of the information security program described herein.

2.2 Management Commitment

Senior management of IFAS Consult SRL is directly involved in establishing, implementing, and maintaining the information security program. Management demonstrates its commitment through:

  • Allocating adequate resources for information security activities
  • Defining and communicating the information security policy and objectives
  • Ensuring security requirements are integrated into business processes
  • Conducting regular management reviews of the security program's effectiveness
  • Promoting a culture of security awareness across the organisation

2.3 Security Roles and Responsibilities

The following roles are designated within our security governance structure:

  • Data Protection Officer (DPO): Responsible for overseeing GDPR compliance and data protection matters. Reachable at dpo@danubedata.ro.
  • Security Operations Team: Responsible for day-to-day security operations, including monitoring, incident response, vulnerability management, and access control enforcement.
  • Infrastructure Team: Responsible for maintaining the security posture of production Kubernetes clusters, networking, and compute infrastructure.

2.4 Policy Review Cycle

All information security policies are reviewed at least annually, or sooner when triggered by:

  • Significant changes to the threat landscape or regulatory environment
  • Major infrastructure changes or new service launches
  • Findings from security incidents, audits, or risk assessments
  • Changes to organisational structure or key personnel

2.5 Security Awareness

All personnel with access to DanubeData systems receive security awareness training upon onboarding and on an ongoing basis. Training covers topics including data protection principles, secure coding practices, phishing awareness, incident reporting procedures, and the responsible handling of customer data.

3. Security Objectives & Standards (CISPE 5.2)

3.1 Core Security Objectives

DanubeData's information security program is built around the three pillars of the CIA triad:

  • Confidentiality: Ensure that customer data and system information are accessible only to authorised individuals and processes. Prevent unauthorised disclosure through encryption, access controls, and data classification.
  • Integrity: Protect the accuracy and completeness of data and processing methods. Prevent unauthorised modification through checksums, audit trails, and change management controls.
  • Availability: Ensure that services and data remain accessible to authorised users when needed. Maintain resilience through redundancy, backup procedures, and disaster recovery planning.

3.2 Referenced Standards and Frameworks

Our information security program draws upon the following internationally recognised standards and regulatory requirements:

  • ISO/IEC 27001:2022: Primary ISMS framework for establishing, implementing, maintaining, and continually improving information security management
  • ISO/IEC 27017:2015: Cloud-specific security controls and implementation guidance for cloud service providers and cloud service customers
  • ISO/IEC 27018:2019: Protection of personally identifiable information (PII) in public cloud environments acting as PII processors
  • GDPR Article 32: Security of processing; requires appropriate technical and organisational measures to ensure a level of security appropriate to the risk
  • CISPE Code of Conduct: Code of Conduct for Cloud Infrastructure Service Providers, providing GDPR compliance guidance specific to IaaS providers

3.3 Continuous Improvement

DanubeData follows a Plan-Do-Check-Act (PDCA) cycle to ensure continuous improvement of its security posture. Security objectives are reviewed regularly and adapted based on evolving threats, technological developments, regulatory changes, and lessons learned from incidents and audits.

4. Information Security Management System (CISPE 5.6)

4.1 ISMS Scope and Boundaries

The Information Security Management System (ISMS) encompasses all DanubeData production systems, including:

  • Kubernetes clusters (k3s on Hetzner dedicated servers in Germany)
  • Customer-facing services (VPS, databases, cache, object storage, serverless, static sites, managed applications, storage share)
  • Control plane components (API, web dashboard, GitOps pipelines, ArgoCD)
  • Supporting infrastructure (monitoring, logging, backup systems, DNS, certificate management)
  • Administrative systems (internal tools, documentation, communication channels)

4.2 Risk-Based Approach

DanubeData adopts a risk-based approach to information security, consistent with the requirements of ISO/IEC 27001. This involves:

  • Risk identification: Systematic identification of threats and vulnerabilities affecting information assets
  • Risk analysis: Assessment of the likelihood and potential impact of identified risks
  • Risk evaluation: Prioritisation of risks based on the organisation's risk appetite and tolerance
  • Risk treatment: Selection and implementation of appropriate controls to mitigate, transfer, accept, or avoid risks
  • Risk monitoring: Ongoing review and reassessment of the risk landscape

4.3 Document Hierarchy

The ISMS documentation follows a structured hierarchy to ensure clarity and consistency:

  • Level 1 (Policies): High-level statements of intent and direction set by management (e.g., Information Security Policy, Acceptable Use Policy)
  • Level 2 (Standards): Mandatory requirements that specify how policies are implemented (e.g., encryption standards, password complexity requirements)
  • Level 3 (Procedures): Step-by-step instructions for carrying out specific tasks (e.g., incident response procedures, access provisioning workflows)
  • Level 4 (Guidelines): Recommended best practices and advisory information (e.g., secure development guidelines, hardening recommendations)

4.4 Key ISMS Processes

The ISMS addresses the following control domains, aligned with ISO/IEC 27001 Annex A:

  • Asset management: Inventory and classification of information assets, ownership assignment, and acceptable use
  • Access control: User access management, authentication, authorisation, and privilege management
  • Cryptographic controls: Encryption policies, key management, and certificate lifecycle management
  • Physical security: Data center physical access controls (managed by Hetzner), equipment security
  • Operations security: Change management, capacity management, malware protection, logging, and vulnerability management
  • Communications security: Network security management, information transfer policies, and network segmentation
  • Supplier relationships: Third-party security assessments, contractual security requirements, and ongoing supplier monitoring
  • Compliance: Identification of applicable legal and regulatory requirements, privacy protection, and regular compliance reviews

4.5 ISMS Review Schedule

  • Management review: Conducted annually to assess the overall effectiveness and strategic direction of the ISMS
  • Operational review: Conducted quarterly to evaluate the performance of security controls, review incidents, and assess emerging risks
  • Ad-hoc reviews: Triggered by significant security incidents, major infrastructure changes, or regulatory developments

5. Technical Security Measures (CISPE 5.5)

5.1 Infrastructure Security

DanubeData's infrastructure is hosted on dedicated servers provided by Hetzner Online GmbH in Germany. Hetzner's data centers hold ISO 27001 certification and SOC 1/SOC 2 Type II attestations. Physical security measures at these facilities include:

  • 24/7 on-site surveillance with CCTV monitoring
  • Biometric and multi-factor physical access controls
  • On-site security personnel
  • Redundant power supply (UPS and diesel generators)
  • Environmental controls (fire suppression, climate management)

At the platform level, DanubeData implements the following infrastructure security measures:

  • Network segmentation: Kubernetes namespaces combined with Cilium network policies enforce strict tenant isolation and limit lateral movement
  • DDoS protection: Layer 3/4 and Layer 7 DDoS mitigation provided at the network edge
  • Firewall management: Platform-level firewall rules complemented by customer-configurable security groups
  • Ingress control: TLS-terminating ingress controllers with automatic certificate provisioning via cert-manager
  • GitOps-driven deployment: All infrastructure changes are committed to version control and deployed through ArgoCD, ensuring auditability and preventing configuration drift

5.2 Data Protection

DanubeData employs defence-in-depth measures to protect customer data at rest and in transit:

  • Encryption in transit: All client-facing connections require TLS 1.2 or higher, with TLS 1.3 preferred. Internal service-to-service communication uses mutual TLS where applicable.
  • Encryption at rest: Object storage data is encrypted using AES-256. Volume-level encryption is applied to persistent storage backing database and cache instances.
  • Key management: Cryptographic keys are managed through a dedicated Key Management Service (HashiCorp Vault) with strict access controls, automatic rotation capabilities, and audit logging.
  • Backup encryption: Offsite backups via Velero are encrypted before transmission to our self-hosted S3-compatible object storage (Ceph RGW), ensuring data confidentiality throughout the backup lifecycle.
  • Data isolation: Each customer team operates within an isolated Kubernetes namespace with dedicated resource quotas and network policies preventing cross-tenant access.

5.3 Access Control

DanubeData enforces strict access control measures across all layers of the platform:

  • Role-based access control (RBAC): Team-based permissions ensure that users can only access resources belonging to their team. Kubernetes RBAC further restricts internal service access.
  • Multi-factor authentication (MFA): Customers can enable TOTP-based two-factor authentication or hardware-backed Passkeys (WebAuthn/FIDO2) for account protection.
  • SSH key authentication: VPS instances and database connections support SSH key-based authentication, eliminating password-based access where possible.
  • API key management: API tokens are scoped with specific permissions and support configurable expiration. Tokens are hashed before storage and never exposed after creation.
  • Session management: User sessions incorporate IP binding and browser fingerprinting to detect unauthorised session reuse. Idle sessions expire automatically.
  • Administrative access: Internal administrative access to production infrastructure requires multi-factor authentication, is logged comprehensively, and follows the principle of least privilege.
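The API token handling described above (scoped permissions, configurable expiration, hashed before storage, plaintext shown only once), as an added Python example; this is illustrative code, not DanubeData's implementation, and the in-memory store layout, the "dd_" prefix and the scope names are assumptions.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory store for the example: sha256(token) -> metadata.
# A real service would keep this in a database; only the digest is ever written.
TOKEN_STORE: dict = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_token(scopes, ttl_seconds: Optional[float] = 86400) -> str:
    """Mint a token, persist only its hash, and hand back the plaintext exactly once."""
    token = "dd_" + secrets.token_urlsafe(32)  # "dd_" prefix is an assumed convention
    expires_at = time.time() + ttl_seconds if ttl_seconds is not None else None
    TOKEN_STORE[_hash_token(token)] = {
        "scopes": frozenset(scopes),
        "expires_at": expires_at,
        "revoked": False,
    }
    return token


def authorize(token: str, required_scope: str, now: Optional[float] = None) -> bool:
    """True only if the presented token is known, unrevoked, unexpired and carries the scope."""
    now = time.time() if now is None else now
    # Looking up by digest is safe: the caller must already hold the plaintext to
    # produce it, and a miss reveals nothing about the digests that are stored.
    record = TOKEN_STORE.get(_hash_token(token))
    if record is None or record["revoked"]:
        return False
    if record["expires_at"] is not None and now >= record["expires_at"]:
        return False
    return required_scope in record["scopes"]


def revoke_token(token: str) -> bool:
    """Invalidate a token (e.g. on offboarding); False if unknown or already revoked."""
    record = TOKEN_STORE.get(_hash_token(token))
    if record is None or record["revoked"]:
        return False
    record["revoked"] = True
    return True
```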

5.4 Monitoring & Logging

Comprehensive monitoring and logging capabilities ensure visibility into the security posture of the platform:

  • Audit logging: All resource operations (create, modify, delete), authentication events, and API calls are recorded in immutable audit logs.
  • Real-time monitoring: Prometheus-based metrics collection provides continuous health and performance monitoring for all infrastructure components and customer services.
  • Automated alerting: Configurable alert thresholds trigger notifications for anomalous behaviour, resource exhaustion, and security-relevant events.
  • Centralised log aggregation: Logs from all platform components are aggregated via Loki and Alloy, enabling efficient search and correlation across the entire infrastructure.
  • Log retention: Audit logs are retained for a minimum of 90 days. Customers can export audit data in CSV or JSON format for their own compliance and archival purposes.
  • Dashboards: Grafana dashboards provide real-time visibility into infrastructure health, resource utilisation, and security metrics.

6. Personnel Security (CISPE 4.8)

DanubeData recognises that personnel represent both a critical asset and a potential risk to information security. The following measures are in place to manage personnel-related security risks:

6.1 Confidentiality Agreements

All personnel, contractors, and third parties with access to customer data or DanubeData systems are required to sign legally binding confidentiality and non-disclosure agreements prior to being granted access. These agreements remain in effect after the termination of the employment or contractual relationship.

6.2 Background Verification

Individuals assigned to roles that involve access to production infrastructure or customer data undergo background verification proportionate to the sensitivity of the role and in accordance with applicable laws and regulations.

6.3 Security Awareness Training

All personnel receive security awareness training that covers:

  • Data protection and GDPR obligations
  • Secure handling of customer data
  • Recognising and reporting phishing and social engineering attempts
  • Incident reporting procedures
  • Acceptable use of company systems and resources
  • Secure development and operational practices

Training is provided upon onboarding and refreshed periodically. Completion is documented and tracked.

6.4 Principle of Least Privilege

Access to systems, data, and infrastructure is restricted to the minimum level required for each individual to fulfil their assigned duties. Elevated or administrative privileges are granted only when necessary and are subject to additional scrutiny and logging.

6.5 Access Provisioning and Revocation

  • Provisioning: All access requests require documented approval from the appropriate authority before access is granted.
  • Role changes: Access rights are reviewed and adjusted promptly when an individual's role, responsibilities, or employment status changes.
  • Termination: Access is revoked immediately upon termination of employment or contractual relationship. All credentials, tokens, and keys are invalidated.

6.6 Access Reviews

Formal access reviews are conducted quarterly to verify that all access rights remain appropriate and that no excessive or orphaned privileges exist. Findings from access reviews are documented and any identified issues are remediated promptly.

6.7 Customer Data Access

DanubeData personnel access customer data only when strictly necessary for service maintenance, support, or incident resolution, and only with proper authorisation. All such access is logged and subject to review. Customer data is never used for purposes other than the provision of the contracted services.

7. Demonstrating Compliance (CISPE 4.6)

7.1 Infrastructure Provider Certifications

DanubeData's infrastructure relies on certified third-party providers. The following certifications and attestations are maintained by our key suppliers:

  • Hetzner Online GmbH (data center & dedicated servers): ISO 27001, SOC 1 Type II, SOC 2 Type II
  • Stripe, Inc. (payment processing): PCI DSS Level 1, SOC 2 Type II

7.2 DanubeData Compliance

DanubeData maintains the following compliance commitments:

  • CISPE Code of Conduct: DanubeData adheres to the CISPE Code of Conduct for Cloud Infrastructure Service Providers through a self-assessment process, demonstrating that our services meet the transparency and data protection requirements for cloud infrastructure providers operating in the European Union.
  • GDPR compliance: DanubeData operates as a data processor under GDPR. Our Data Processing Agreement (DPA) sets out the terms under which we process personal data on behalf of our customers (data controllers). We implement appropriate technical and organisational measures as required by Article 32 of the GDPR.
  • Annual internal security reviews: We conduct comprehensive internal reviews of our security controls, policies, and procedures on an annual basis to identify areas for improvement and ensure continued alignment with our security objectives.
  • Penetration testing: Annual penetration testing is performed by qualified professionals. Identified vulnerabilities are tracked to remediation, with critical findings addressed within defined SLA timeframes.

7.3 Customer Audit Rights

DanubeData recognises and supports the audit rights of its customers and their supervisory authorities:

  • Information on request: Customers may request information about our security measures and compliance status as described in Section 10 of our Data Processing Agreement.
  • Monitoring Body verification: DanubeData's compliance with the CISPE Code of Conduct is subject to verification by the designated Monitoring Body, in accordance with Section 7.2 of the CISPE Code.
  • Third-party audit: Upon justified request and under controlled conditions (as outlined in the DPA), customers may arrange for a third-party audit of DanubeData's security and data processing practices. Such audits are subject to reasonable advance notice, scope agreement, and confidentiality protections.

7.4 Security Inquiries

Customers, prospects, and regulators may direct security-related inquiries to our dedicated security contact:

  • Security contact: security@danubedata.ro
  • Response commitment: Standard security inquiries are acknowledged and responded to within 5 business days.
  • Scope: We address questions regarding our security architecture, compliance posture, data processing practices, and sub-processor information.

8. Policy Updates

This Information Security Program document is reviewed at least annually, or whenever significant changes occur to our services, infrastructure, organisational structure, or the applicable regulatory landscape. Material updates will be reflected in the "Last updated" date shown at the top of this page.

Customers will be notified of material changes to this document through the email address associated with their DanubeData account. Continued use of DanubeData services after notification constitutes acceptance of the updated terms.

9. Contact

For questions about this Information Security Program, data protection matters, or to report a security concern:

Security Team: security@danubedata.ro
Data Protection Officer: dpo@danubedata.ro
General Inquiries: Contact Form

IFAS Consult SRL
Satu Mare, Romania
CUI: RO46614360 | J30/870/2022