Legal

Information Security Program

Public statement of DanubeData's Information Security Program: scope, accountability, security objectives, control catalogue, governance cadence, and how customers can verify compliance.

Last updated: July 3, 2026

1. Purpose

This document describes the DanubeData Information Security Program (the "Program") — the set of policies, procedures, controls, and governance activities by which DanubeData identifies and manages information-security risks across the cloud infrastructure services it provides. The Program is the umbrella under which all other security documentation (Annex A mapping, Risk Management, Incident Response, Shared Responsibility, Records of Processing, Sub-Processors) operates.

The Program is aligned with the ISO/IEC 27001:2022 framework and is designed to satisfy Section 4.3 (Security) and Section 5.6 (Information Security Management System) of the CISPE Code of Conduct for Cloud Infrastructure Service Providers.

2. Scope

The Program applies to:

  • All DanubeData production services: VPS, Managed Databases, Cache, Object Storage, Serverless Containers, Static Sites, Managed Applications, Storage Share, Queues, Volumes & Snapshots.
  • The control plane (dashboard, API, billing engine, GitOps pipelines).
  • The supporting infrastructure operated by DanubeData on Hetzner dedicated servers in Falkenstein and Nuremberg, Germany.
  • All Customer Data processed in connection with those services.
  • The sole administrator of IFAS Consult SRL, and any future employee or contractor, with logical or physical access to the production environment or to Customer Data.
  • Sub-processors engaged by DanubeData to deliver the services, with respect to the obligations imposed on them by contract.

The Program does not extend to the customer's own use of the services (application code, data classification, customer-side access management) — those responsibilities are addressed in the Shared Responsibility Model.

3. Accountability

DanubeData is operated by its sole administrator, Adrian Silaghi, who holds every role in the table below. Information security accountability is assigned as follows:

RoleHeld byResponsibilities
Executive SponsorAdrian Silaghi, sole administrator, IFAS Consult SRLApproves the Program; allocates resources; reviews annual security report; signs Statement of Applicability.
Security Lead (CISO function)Adrian Silaghi, sole administratorOwns and maintains the Program; chairs quarterly security reviews; owns the risk register; coordinates incident response; named contact for the CISPE Monitoring Body.
Data protection contact pointAdrian Silaghi, sole administrator — dpo@danubedata.roGDPR oversight; data-subject and controller liaison; supervisory-authority point of contact; reviews DPIAs.
Operations LeadAdrian Silaghi, sole administratorImplements operational controls (patching, hardening, monitoring); on-call escalation owner.
All personnelAdrian Silaghi (sole administrator); any future employee or contractorComply with the Acceptable Use Policy; complete recorded security training; report suspected incidents.

Because one person holds all of these roles, the following compensating controls address segregation-of-duties risk: a versioned GitOps history giving a durable, attributable record of every change; mandatory multi-factor authentication or passkeys on all administrative accounts; an automated CI test run on every change (making this a mechanically enforced merge gate is planned for July 2026); access-controlled audit logging of administrative actions; and independent external verification — a planned external internal audit (target September 2026) and, once contracted, an ISO/IEC 27001 certification audit. Further detail is recorded in the internal Statement of Applicability and is made available to the CISPE Monitoring Body and to customers under NDA on request to dpo@danubedata.ro.

4. Security Objectives

The Program pursues the following measurable objectives:

ObjectiveTargetReporting cadence
Confidentiality of Customer DataZero unauthorised disclosuresQuarterly
Integrity of Customer DataZero data-corruption incidents per quarterQuarterly
Service availabilityPer-service SLA targets (see SLA)Monthly
Patch SLA complianceCritical CVEs on internet-facing components patched within 72 hours of disclosure; all other critical/high CVEs patched within 30 daysMonthly
Backup success≥ 99% scheduled backups completed successfullyMonthly
Incident responseCustomer notification within 24 hours of confirmed personal-data breachPer incident
Personnel training100% completion of the recorded, self-directed annual security training programme; any future contractor completes an equivalent briefing before access is grantedAnnual
Vulnerability managementContinuous image and dependency CVE scanning and OS patch monitoring; independent third-party security testing commissioned when risk warrants, with findings tracked to closureContinuous / per engagement

5. Control Catalogue

The Program implements controls organised by domain. The catalogue below references the detailed mapping in the CISPE Annex A document, which provides a per-control evidence trail.

DomainOwnerDetail reference
Physical and environmental securityHetzner (sub-processor) / Operations LeadAnnex A §3
Network securityOperations LeadAnnex A §4
Access managementSecurity LeadAnnex A §5
Personnel securityManaging Director / Security LeadAnnex A §6
Operational security & secretsOperations LeadAnnex A §7
Cryptography & key managementSecurity LeadAnnex A §8
Data isolation & multi-tenancyOperations LeadAnnex A §9
Incident managementSecurity Lead / data protection contact point (DPO)Incident Response Policy
Change managementOperations LeadAnnex A §11
Business continuity & DROperations LeadRisk Management & BCP
Logging, monitoring, auditabilityOperations LeadAnnex A §13
Vulnerability & patch managementOperations LeadAnnex A §14

6. Risk Management Integration

The Program is risk-driven. Risks are identified, scored, and treated under the methodology described in the Risk Management & Business Continuity framework. The risk register is owned by the Security Lead and reviewed quarterly. Material risks are escalated to the Executive Sponsor for treatment decisions, including explicit acceptance of residual risk where applicable.

Data Protection Impact Assessments (DPIAs) under GDPR Article 35 are commissioned by the DPO when introducing new processing activities or technologies that present a high risk to data subjects. DPIA outcomes feed into the risk register.

7. Statement of Applicability

DanubeData maintains an internal Statement of Applicability (SoA) listing each ISO/IEC 27001:2022 Annex A control, indicating its applicability, the implementation reference, and the justification for any exclusion. The SoA is approved annually by the Executive Sponsor and is made available to the CISPE Monitoring Body and to customers under NDA on request.

8. Governance Cadence

ActivityCadenceOwnerOutput
Risk register reviewQuarterlySecurity LeadUpdated risk register; treatment plan
KRI / SLO reportingMonthlyOperations LeadInternal dashboard
Sub-processor reassessmentAnnual + on material changeDPOUpdated sub-processor list; refreshed DPAs
Backup restore verificationQuarterlyOperations LeadRestore verification report
Personnel access reviewQuarterlySecurity LeadAccess review log; revocations completed
DR drillAnnualOperations LeadDR drill report; lessons-learned
Vulnerability & CVE monitoringContinuousSecurity LeadCVE/advisory triage log; independent security testing commissioned when risk warrants
Security trainingAnnual + on any future hire or contractor engagementSecurity LeadTraining log (records/trainings.md)
Management reviewAnnualExecutive Sponsor + Security LeadAnnual security report; updated SoA; updated Program

9. Continuous Improvement

The Program follows the ISO/IEC 27001 plan-do-check-act cycle. Inputs to improvement include: incident post-mortems, KRI trends, audit findings (internal and external), supervisory-authority guidance, regulatory developments, customer feedback, and lessons-learned from DR drills and any independent security testing commissioned. Material changes to the Program are communicated to customers via email and a dashboard banner, and are reflected in this document.

10. Demonstrating Compliance to Customers

DanubeData supports customers in meeting their controller obligations under GDPR Art. 28(3)(h) by:

  • Publishing this Program, the Annex A mapping, the Security Program, and related documents on a free, public basis.
  • Providing an independent security-testing summary on request to customers under NDA, once one has been commissioned.
  • Providing the annual report produced by the CISPE Monitoring Body once issued.
  • Maintaining a documented procedure for handling controller audit requests, with response within 30 days, in accordance with Section 4.6 of the CISPE Code.

Customers should direct compliance and audit requests to dpo@danubedata.ro.

11. Document Control

Owner: Security Lead. Approver: Adrian Silaghi, sole administrator, IFAS Consult SRL. Review cadence: annual, or on material change. Distribution: public.

The "Last updated" date at the top of this page reflects the most recent revision. Earlier revisions are archived internally.

Questions about this policy?

If you have any questions or concerns, please contact our legal team.

Contact Us