The security and compliance answers procurement asks for.

Security and compliance documentation requests follow predictable patterns. A procurement team scoping a hosting contract typically asks the same fifteen questions about data residency, encryption, backup retention, breach response, GDPR posture, accreditation status, subprocessor lists, business continuity, and supplier risk. Most hosting providers answer these questions in scattered places across their site or wait for the buyer to ask formally. We've collected the answers in one place because the second hardest part of any procurement is finding the documentation, and the hardest is the supplier who can't produce it.

Formal certifications and alignment we operate under: Cyber Essentials certification with current annual renewal, ISO 27001 certified upstream datacentre partners (currently Hetzner and equivalent UK partners) with certification documentation available on request, UK GDPR registered controller status with public ICO entry, Information Commissioner's Office registration with current annual fee, named registered data protection arrangement for customers requiring formal DPA documentation, and Green Web Foundation verified hosting directory entry. We don't claim certifications we don't hold; the page is structured to be specific about which level of evidence applies.

Operational security practices we run as standard: encryption in transit using TLS 1.2 or higher across all customer-facing endpoints, encryption at rest on backup storage, web application firewall management on all GreenStack tiers with custom rule writing available, structured incident response with documented escalation paths, structured backup retention with 30-day point-in-time recovery, immutable backup copies for ransomware resistance, named subprocessor list maintained and made available to customers under DPA, regular penetration testing by independent third parties with remediation documentation available, and access controls reviewed quarterly with privileged access management.

Procurement documentation we can hand over before contract signature: data processing agreement template, named subprocessor list with locations and roles, business continuity and disaster recovery statement, security policy summary, environmental policy statement, named technical contacts, breach response procedure summary, and where required, completed standard procurement questionnaires (Cyber Essentials self-assessment evidence, ISO 27001 upstream certificates, supplier sustainability questionnaires). Tell us during scoping which framework or questionnaire you're working to and we'll prepare the right pack rather than dumping a generic one.