Skip to content
OS Domains
Compliance

Honest about what we hold — and what we do not.

Below is our complete compliance posture: the standards our controls are built against, the regulatory frameworks we operate under, the supporting documentation we provide to customer security teams. We treat compliance as an operational discipline — the same controls that an ISO 27001 certification is built around are the ones that keep customers' email flowing, not separate paperwork that gets dusted off for the annual audit. Where we do not hold a certification, or do not offer something (HIPAA BAA, PCI-DSS), we say so directly rather than pretending.

For procurement questionnaires, audit reports, or specific compliance documentation, contact [email protected]. We typically respond in 1 business day; security questionnaires (SIG, CAIQ, custom) are turned around in 5 business days.

Certifications

What we hold today, what is in audit, who audits us.

Certification Status Since Valid until Auditor Evidence
ISO/IEC 27001:2022 Certified 2026 2030 Bureau Veritas Certificate ISMS-2026-680 — ISMS for the provision, operation and support of the OS Domains cloud hosting platform, certified against ISO/IEC 27001:2022.
ISO/IEC 27017:2015 Certified 2026 2030 Bureau Veritas Assessed against ISO/IEC 27017:2015 for cloud-specific information security controls applicable to cloud service providers and cloud service customers.
ISO/IEC 27018:2019 Certified 2026 2029 Bureau Veritas Controls aligned with ISO/IEC 27018:2019 for the protection of PII processed in cloud services — data privacy, consent, access restriction and secure deletion.
SOC 2 Type I Attested As of Mar 31, 2026 2029 KPMG KPMG opinion: controls for Security, Availability and Confidentiality were suitably designed as of March 31, 2026. SOC 2 is point-in-time and re-issued each cycle.
SOC 2 Type II Attested Jan 1 – Jun 30, 2026 2029 KPMG KPMG opinion: controls for Security, Availability and Confidentiality operated effectively over Jan 1 – Jun 30, 2026. SOC 2 reports cover a period and are re-issued annually.
Regulatory frameworks

Eight frameworks, our specific status in each.

Each framework below has a concrete status, the role we play in it, and the specific documentation we can produce for customer compliance teams.

GDPR (EU 2016/679)

Compliant

Our role: Controller for site visitors; Processor for customer message data

Our Data Protection Officer is reachable at [email protected]. Article 28 DPA published at /dpa. Sub-processor list public at /dpa#sub-processors with 30-day change notice. Breach notification commitment: 48 hours (stricter than the 72-hour regulatory floor). Records of Processing Activities (Article 30) maintained. Multiple DPIA exercises completed with regulated-industry customers.

Documentation →

NIS2 Directive (EU 2022/2555)

Article 21 ready

Our role: Important entity in the digital infrastructure sector

NIS2 entered force across EU Member States in October 2024 and is fully in effect throughout 2025-2026. Our security risk management (Article 21) follows the ten technical and organizational measures explicitly: policies on risk analysis, incident handling, business continuity, supply chain security, network security, access control, multi-factor authentication, cryptography, asset management, and human resources security. Incident notification readiness is 24 hours / 72 hours / 1 month as required by Article 23.

Documentation →

DORA (EU 2022/2554)

Compatible · contractually accommodated

Our role: ICT third-party service provider to financial entities

DORA applies to financial entities and their critical ICT third-party providers. We are not a Critical ICT Third-Party Provider (CTPP) ourselves at our current scale, but we have several customers in EU banking, insurance, and fintech who require DORA-compatible contract terms. Our standard Enterprise DPA addendum includes Article 30(2) contractual provisions, exit-and-portability rights, sub-contracting controls, and audit rights as required by DORA Article 30. We provide annual operational resilience attestations to financial-sector customers.

Documentation →

Schrems II (CJEU Case C-311/18)

TIAs documented

Our role: Data exporter to non-EEA sub-processors

For each cross-border data transfer (Cloudflare US entity, Stripe US parent, our own DFW and PTY PoPs), we maintain a current Transfer Impact Assessment evaluating destination-country laws (CLOUD Act, FISA Section 702, EO 12333 for the US; equivalent analyses for Panama). Supplementary measures documented: encryption in transit (TLS 1.3), encryption at rest (AES-256), pseudonymization where applicable, contractual NDA chains. Enterprise customers can prohibit any non-EEA processing.

Documentation →

EU European Accessibility Act (Directive 2019/882)

Partially conformant

Our role: Digital service provider to EU consumers and businesses

The EAA entered enforcement on 28 June 2025. Our public website conforms to WCAG 2.2 AA via EN 301 549 v3.2.1 with three documented minor exceptions (see /accessibility for the gap register). The customer portal is audited separately; conformance documentation available on request. We do not use accessibility overlay widgets — the European Disability Forum has stated overlays do not satisfy EAA requirements.

Documentation →

EU AI Act (Regulation 2024/1689)

No high-risk AI systems

Our role: Provider of digital services without AI components

OS Domains does not deploy AI systems classified as high-risk under Annex III of the AI Act. We do not use AI for hiring decisions, customer scoring, or any other regulated use case. Some internal tooling uses machine-learning models for spam classification and anomaly detection in our own logs; these operate on aggregated, pseudonymized data and do not make decisions about identifiable natural persons. No conformity assessment under Article 43 is required for our current operations.

PCI-DSS

Out of scope

Our role: Not a payment processor

We do not process, store, or transmit payment card data. Customer subscription payments are processed by Stripe Payments Europe Ltd., which is PCI-DSS Level 1 certified. Card data never touches our infrastructure. For Enterprise customers in financial services who require contractual confirmation, we provide a signed letter of attestation that we are out of scope for PCI-DSS.

HIPAA (US healthcare)

No BAAs offered

Our role: Not a US healthcare-sector vendor

We are not a HIPAA Business Associate and do not offer Business Associate Agreements. Our customer base is overwhelmingly EU-based and we do not optimize for the US healthcare market. Customers handling US Protected Health Information should use a HIPAA-compatible vendor. EU-based healthcare customers (covered under GDPR Article 9) are accommodated through standard DPA terms and custom Special Category Data addenda.

For your security and procurement teams

Eight artifacts we provide to customers.

Security questionnaire response (SIG Lite, CAIQ, custom)

Turnaround:
5 business days
Audience:
Procurement, vendor risk
Request →

Penetration test executive summary

Turnaround:
Same day · NDA required
Audience:
Security teams
Request →

ISO/IEC 27001:2022 certificate + control-mapping evidence pack

Turnaround:
On request · NDA required
Audience:
Auditors, procurement
Request →

SOC 2 Type I & II report (Security, Availability, Confidentiality)

Turnaround:
On request · NDA required
Audience:
Auditors, customers
Request →

Sub-processor list (public)

Turnaround:
Always current at this URL
Audience:
Everyone
Request →

Transfer Impact Assessment template (Schrems II)

Turnaround:
5 business days · NDA
Audience:
DPOs, legal
Request →

Annual operational resilience attestation (for DORA customers)

Turnaround:
Annually · January
Audience:
Financial-sector CISO
Request →

Business continuity plan summary

Turnaround:
5 business days · NDA
Audience:
Customer security teams
Request →
How we approach compliance

Four principles that shape our compliance program.

01

Compliance is operational, not documentary

We do not treat compliance as a checklist to satisfy auditors. The same technical controls that an ISO 27001 certification is built around are the controls that prevent customer outages — they run daily and are tested continuously, not annually before an audit.

02

Publish what we can

Sub-processor list is public. DPA is public. Cookies policy is public. Privacy policy is public. Accessibility statement is public. We only require NDA for materials that contain genuinely sensitive details (penetration test specifics, internal incident reports, ISO certificate scans).

03

Honest about gaps

Three known accessibility issues are listed openly with target fix dates. The certification table lists each standard with its issuer, validity and certificate reference, and says plainly where a standard is not held (HIPAA, PCI-DSS). We do not stretch the truth on certifications.

04

Customer-driven

New certifications are added when customers need them, not when marketing wants a badge. We do not chase certifications that no customer has requested.

Procurement-ready

Send your security questionnaire to [email protected]. We turn it around in 5 business days.

SIG Lite, CAIQ, custom enterprise — we answer these regularly. The full evidence pack including ISO 27001 control-mapping evidence, pre-certification control evidence, penetration test summary, and Schrems II TIAs is available under NDA the same day you sign one.

Phone +43 1 205 11 80 Mon–Fri · 9–18 CET
Email [email protected] Avg response 4h business
Office Fleischmarkt 1, 1010 Wien By appointment