Honest about what we hold — and what we do not.
Below is our complete compliance posture: the standards our controls are built against, the regulatory frameworks we operate under, the supporting documentation we provide to customer security teams. We treat compliance as an operational discipline — the same controls that an ISO 27001 certification is built around are the ones that keep customers' email flowing, not separate paperwork that gets dusted off for the annual audit. Where we do not hold a certification, or do not offer something (HIPAA BAA, PCI-DSS), we say so directly rather than pretending.
For procurement questionnaires, audit reports, or specific compliance documentation, contact [email protected]. We typically respond in 1 business day; security questionnaires (SIG, CAIQ, custom) are turned around in 5 business days.
What we hold today, what is in audit, who audits us.
| Certification | Status | Since | Valid until | Auditor | Evidence |
|---|---|---|---|---|---|
| ISO/IEC 27001:2022 | Certified | 2026 | 2030 | Bureau Veritas | Certificate ISMS-2026-680 — ISMS for the provision, operation and support of the OS Domains cloud hosting platform, certified against ISO/IEC 27001:2022. |
| ISO/IEC 27017:2015 | Certified | 2026 | 2030 | Bureau Veritas | Assessed against ISO/IEC 27017:2015 for cloud-specific information security controls applicable to cloud service providers and cloud service customers. |
| ISO/IEC 27018:2019 | Certified | 2026 | 2029 | Bureau Veritas | Controls aligned with ISO/IEC 27018:2019 for the protection of PII processed in cloud services — data privacy, consent, access restriction and secure deletion. |
| SOC 2 Type I | Attested | As of Mar 31, 2026 | 2029 | KPMG | KPMG opinion: controls for Security, Availability and Confidentiality were suitably designed as of March 31, 2026. SOC 2 is point-in-time and re-issued each cycle. |
| SOC 2 Type II | Attested | Jan 1 – Jun 30, 2026 | 2029 | KPMG | KPMG opinion: controls for Security, Availability and Confidentiality operated effectively over Jan 1 – Jun 30, 2026. SOC 2 reports cover a period and are re-issued annually. |
Eight frameworks, our specific status in each.
Each framework below has a concrete status, the role we play in it, and the specific documentation we can produce for customer compliance teams.
GDPR (EU 2016/679)
CompliantOur role: Controller for site visitors; Processor for customer message data
Our Data Protection Officer is reachable at [email protected]. Article 28 DPA published at /dpa. Sub-processor list public at /dpa#sub-processors with 30-day change notice. Breach notification commitment: 48 hours (stricter than the 72-hour regulatory floor). Records of Processing Activities (Article 30) maintained. Multiple DPIA exercises completed with regulated-industry customers.
Documentation →NIS2 Directive (EU 2022/2555)
Article 21 readyOur role: Important entity in the digital infrastructure sector
NIS2 entered force across EU Member States in October 2024 and is fully in effect throughout 2025-2026. Our security risk management (Article 21) follows the ten technical and organizational measures explicitly: policies on risk analysis, incident handling, business continuity, supply chain security, network security, access control, multi-factor authentication, cryptography, asset management, and human resources security. Incident notification readiness is 24 hours / 72 hours / 1 month as required by Article 23.
Documentation →DORA (EU 2022/2554)
Compatible · contractually accommodatedOur role: ICT third-party service provider to financial entities
DORA applies to financial entities and their critical ICT third-party providers. We are not a Critical ICT Third-Party Provider (CTPP) ourselves at our current scale, but we have several customers in EU banking, insurance, and fintech who require DORA-compatible contract terms. Our standard Enterprise DPA addendum includes Article 30(2) contractual provisions, exit-and-portability rights, sub-contracting controls, and audit rights as required by DORA Article 30. We provide annual operational resilience attestations to financial-sector customers.
Documentation →Schrems II (CJEU Case C-311/18)
TIAs documentedOur role: Data exporter to non-EEA sub-processors
For each cross-border data transfer (Cloudflare US entity, Stripe US parent, our own DFW and PTY PoPs), we maintain a current Transfer Impact Assessment evaluating destination-country laws (CLOUD Act, FISA Section 702, EO 12333 for the US; equivalent analyses for Panama). Supplementary measures documented: encryption in transit (TLS 1.3), encryption at rest (AES-256), pseudonymization where applicable, contractual NDA chains. Enterprise customers can prohibit any non-EEA processing.
Documentation →EU European Accessibility Act (Directive 2019/882)
Partially conformantOur role: Digital service provider to EU consumers and businesses
The EAA entered enforcement on 28 June 2025. Our public website conforms to WCAG 2.2 AA via EN 301 549 v3.2.1 with three documented minor exceptions (see /accessibility for the gap register). The customer portal is audited separately; conformance documentation available on request. We do not use accessibility overlay widgets — the European Disability Forum has stated overlays do not satisfy EAA requirements.
Documentation →EU AI Act (Regulation 2024/1689)
No high-risk AI systemsOur role: Provider of digital services without AI components
OS Domains does not deploy AI systems classified as high-risk under Annex III of the AI Act. We do not use AI for hiring decisions, customer scoring, or any other regulated use case. Some internal tooling uses machine-learning models for spam classification and anomaly detection in our own logs; these operate on aggregated, pseudonymized data and do not make decisions about identifiable natural persons. No conformity assessment under Article 43 is required for our current operations.
PCI-DSS
Out of scopeOur role: Not a payment processor
We do not process, store, or transmit payment card data. Customer subscription payments are processed by Stripe Payments Europe Ltd., which is PCI-DSS Level 1 certified. Card data never touches our infrastructure. For Enterprise customers in financial services who require contractual confirmation, we provide a signed letter of attestation that we are out of scope for PCI-DSS.
HIPAA (US healthcare)
No BAAs offeredOur role: Not a US healthcare-sector vendor
We are not a HIPAA Business Associate and do not offer Business Associate Agreements. Our customer base is overwhelmingly EU-based and we do not optimize for the US healthcare market. Customers handling US Protected Health Information should use a HIPAA-compatible vendor. EU-based healthcare customers (covered under GDPR Article 9) are accommodated through standard DPA terms and custom Special Category Data addenda.
Eight artifacts we provide to customers.
Security questionnaire response (SIG Lite, CAIQ, custom)
- Turnaround:
- 5 business days
- Audience:
- Procurement, vendor risk
Penetration test executive summary
- Turnaround:
- Same day · NDA required
- Audience:
- Security teams
ISO/IEC 27001:2022 certificate + control-mapping evidence pack
- Turnaround:
- On request · NDA required
- Audience:
- Auditors, procurement
SOC 2 Type I & II report (Security, Availability, Confidentiality)
- Turnaround:
- On request · NDA required
- Audience:
- Auditors, customers
Transfer Impact Assessment template (Schrems II)
- Turnaround:
- 5 business days · NDA
- Audience:
- DPOs, legal
Annual operational resilience attestation (for DORA customers)
- Turnaround:
- Annually · January
- Audience:
- Financial-sector CISO
Business continuity plan summary
- Turnaround:
- 5 business days · NDA
- Audience:
- Customer security teams
Four principles that shape our compliance program.
Compliance is operational, not documentary
We do not treat compliance as a checklist to satisfy auditors. The same technical controls that an ISO 27001 certification is built around are the controls that prevent customer outages — they run daily and are tested continuously, not annually before an audit.
Publish what we can
Sub-processor list is public. DPA is public. Cookies policy is public. Privacy policy is public. Accessibility statement is public. We only require NDA for materials that contain genuinely sensitive details (penetration test specifics, internal incident reports, ISO certificate scans).
Honest about gaps
Three known accessibility issues are listed openly with target fix dates. The certification table lists each standard with its issuer, validity and certificate reference, and says plainly where a standard is not held (HIPAA, PCI-DSS). We do not stretch the truth on certifications.
Customer-driven
New certifications are added when customers need them, not when marketing wants a badge. We do not chase certifications that no customer has requested.
Send your security questionnaire to [email protected]. We turn it around in 5 business days.
SIG Lite, CAIQ, custom enterprise — we answer these regularly. The full evidence pack including ISO 27001 control-mapping evidence, pre-certification control evidence, penetration test summary, and Schrems II TIAs is available under NDA the same day you sign one.