Information Security Program
Public statement of DanubeData's Information Security Program: scope, accountability, security objectives, control catalogue, governance cadence, and how customers can verify compliance.
1. Purpose
This document describes the DanubeData Information Security Program (the "Program") — the set of policies, procedures, controls, and governance activities by which DanubeData identifies and manages information-security risks across the cloud infrastructure services it provides. The Program is the umbrella under which all other security documentation (Annex A mapping, Risk Management, Incident Response, Shared Responsibility, Records of Processing, Sub-Processors) operates.
The Program is aligned with the ISO/IEC 27001:2022 framework and is designed to satisfy Section 4.3 (Security) and Section 5.6 (Information Security Management System) of the CISPE Code of Conduct for Cloud Infrastructure Service Providers.
2. Scope
The Program applies to:
- All DanubeData production services: VPS, Managed Databases, Cache, Object Storage, Serverless Containers, Static Sites, Managed Applications, Storage Share, Queues, Volumes & Snapshots.
- The control plane (dashboard, API, billing engine, GitOps pipelines).
- The supporting infrastructure operated by DanubeData on Hetzner dedicated servers in Falkenstein and Nuremberg, Germany.
- All Customer Data processed in connection with those services.
- The sole administrator of IFAS Consult SRL, and any future employee or contractor, with logical or physical access to the production environment or to Customer Data.
- Sub-processors engaged by DanubeData to deliver the services, with respect to the obligations imposed on them by contract.
The Program does not extend to the customer's own use of the services (application code, data classification, customer-side access management) — those responsibilities are addressed in the Shared Responsibility Model.
3. Accountability
DanubeData is operated by its sole administrator, Adrian Silaghi, who holds every role in the table below. Information security accountability is assigned as follows:
| Role | Held by | Responsibilities |
|---|---|---|
| Executive Sponsor | Adrian Silaghi, sole administrator, IFAS Consult SRL | Approves the Program; allocates resources; reviews annual security report; signs Statement of Applicability. |
| Security Lead (CISO function) | Adrian Silaghi, sole administrator | Owns and maintains the Program; chairs quarterly security reviews; owns the risk register; coordinates incident response; named contact for the CISPE Monitoring Body. |
| Data protection contact point | Adrian Silaghi, sole administrator — dpo@danubedata.ro | GDPR oversight; data-subject and controller liaison; supervisory-authority point of contact; reviews DPIAs. |
| Operations Lead | Adrian Silaghi, sole administrator | Implements operational controls (patching, hardening, monitoring); on-call escalation owner. |
| All personnel | Adrian Silaghi (sole administrator); any future employee or contractor | Comply with the Acceptable Use Policy; complete recorded security training; report suspected incidents. |
Because one person holds all of these roles, the following compensating controls address segregation-of-duties risk: a versioned GitOps history giving a durable, attributable record of every change; mandatory multi-factor authentication or passkeys on all administrative accounts; an automated CI test run on every change (making this a mechanically enforced merge gate is planned for July 2026); access-controlled audit logging of administrative actions; and independent external verification — a planned external internal audit (target September 2026) and, once contracted, an ISO/IEC 27001 certification audit. Further detail is recorded in the internal Statement of Applicability and is made available to the CISPE Monitoring Body and to customers under NDA on request to dpo@danubedata.ro.
4. Security Objectives
The Program pursues the following measurable objectives:
| Objective | Target | Reporting cadence |
|---|---|---|
| Confidentiality of Customer Data | Zero unauthorised disclosures | Quarterly |
| Integrity of Customer Data | Zero data-corruption incidents per quarter | Quarterly |
| Service availability | Per-service SLA targets (see SLA) | Monthly |
| Patch SLA compliance | Critical CVEs on internet-facing components patched within 72 hours of disclosure; all other critical/high CVEs patched within 30 days | Monthly |
| Backup success | ≥ 99% scheduled backups completed successfully | Monthly |
| Incident response | Customer notification within 24 hours of confirmed personal-data breach | Per incident |
| Personnel training | 100% completion of the recorded, self-directed annual security training programme; any future contractor completes an equivalent briefing before access is granted | Annual |
| Vulnerability management | Continuous image and dependency CVE scanning and OS patch monitoring; independent third-party security testing commissioned when risk warrants, with findings tracked to closure | Continuous / per engagement |
5. Control Catalogue
The Program implements controls organised by domain. The catalogue below references the detailed mapping in the CISPE Annex A document, which provides a per-control evidence trail.
| Domain | Owner | Detail reference |
|---|---|---|
| Physical and environmental security | Hetzner (sub-processor) / Operations Lead | Annex A §3 |
| Network security | Operations Lead | Annex A §4 |
| Access management | Security Lead | Annex A §5 |
| Personnel security | Managing Director / Security Lead | Annex A §6 |
| Operational security & secrets | Operations Lead | Annex A §7 |
| Cryptography & key management | Security Lead | Annex A §8 |
| Data isolation & multi-tenancy | Operations Lead | Annex A §9 |
| Incident management | Security Lead / data protection contact point (DPO) | Incident Response Policy |
| Change management | Operations Lead | Annex A §11 |
| Business continuity & DR | Operations Lead | Risk Management & BCP |
| Logging, monitoring, auditability | Operations Lead | Annex A §13 |
| Vulnerability & patch management | Operations Lead | Annex A §14 |
6. Risk Management Integration
The Program is risk-driven. Risks are identified, scored, and treated under the methodology described in the Risk Management & Business Continuity framework. The risk register is owned by the Security Lead and reviewed quarterly. Material risks are escalated to the Executive Sponsor for treatment decisions, including explicit acceptance of residual risk where applicable.
Data Protection Impact Assessments (DPIAs) under GDPR Article 35 are commissioned by the DPO when introducing new processing activities or technologies that present a high risk to data subjects. DPIA outcomes feed into the risk register.
7. Statement of Applicability
DanubeData maintains an internal Statement of Applicability (SoA) listing each ISO/IEC 27001:2022 Annex A control, indicating its applicability, the implementation reference, and the justification for any exclusion. The SoA is approved annually by the Executive Sponsor and is made available to the CISPE Monitoring Body and to customers under NDA on request.
8. Governance Cadence
| Activity | Cadence | Owner | Output |
|---|---|---|---|
| Risk register review | Quarterly | Security Lead | Updated risk register; treatment plan |
| KRI / SLO reporting | Monthly | Operations Lead | Internal dashboard |
| Sub-processor reassessment | Annual + on material change | DPO | Updated sub-processor list; refreshed DPAs |
| Backup restore verification | Quarterly | Operations Lead | Restore verification report |
| Personnel access review | Quarterly | Security Lead | Access review log; revocations completed |
| DR drill | Annual | Operations Lead | DR drill report; lessons-learned |
| Vulnerability & CVE monitoring | Continuous | Security Lead | CVE/advisory triage log; independent security testing commissioned when risk warrants |
| Security training | Annual + on any future hire or contractor engagement | Security Lead | Training log (records/trainings.md) |
| Management review | Annual | Executive Sponsor + Security Lead | Annual security report; updated SoA; updated Program |
9. Continuous Improvement
The Program follows the ISO/IEC 27001 plan-do-check-act cycle. Inputs to improvement include: incident post-mortems, KRI trends, audit findings (internal and external), supervisory-authority guidance, regulatory developments, customer feedback, and lessons-learned from DR drills and any independent security testing commissioned. Material changes to the Program are communicated to customers via email and a dashboard banner, and are reflected in this document.
10. Demonstrating Compliance to Customers
DanubeData supports customers in meeting their controller obligations under GDPR Art. 28(3)(h) by:
- Publishing this Program, the Annex A mapping, the Security Program, and related documents on a free, public basis.
- Providing an independent security-testing summary on request to customers under NDA, once one has been commissioned.
- Providing the annual report produced by the CISPE Monitoring Body once issued.
- Maintaining a documented procedure for handling controller audit requests, with response within 30 days, in accordance with Section 4.6 of the CISPE Code.
Customers should direct compliance and audit requests to dpo@danubedata.ro.
11. Document Control
Owner: Security Lead. Approver: Adrian Silaghi, sole administrator, IFAS Consult SRL. Review cadence: annual, or on material change. Distribution: public.
The "Last updated" date at the top of this page reflects the most recent revision. Earlier revisions are archived internally.
Questions about this policy?
If you have any questions or concerns, please contact our legal team.
Contact Us