Trusted Zones: Cloud solutions dedicated to strategic European data and services
Protecting critical infrastructure and sensitive data is a major issue, and an important way of ensuring that countries can preserve their security and sovereignty. To address this need, OVHcloud has designed cloud solutions specifically for European administrations, Operators of Vital Importance and Operators of Essential Services, with particular commitments in terms of security and data sovereignty protection. These solutions benefit from robust physical, organisational and contractual security.
They are available in datacentres located in France, isolated from OVHcloud’s other European datacentres. Customer data is only hosted and processed within the European Union, guaranteeing its sovereignty and protection from non-European extraterritorial laws.
Stricter service access controls and physical security in Trusted Zone datacentres, with extended contract engagement. Certified ISO 27001 and ISO 27701, with SOC II, C5 and SecNumCloud for some services.
Services operated 24/7 exclusively in the European Union, with the guarantee that your data will not be transferred outside of this territory. Your data is not subject to any non-European extraterritorial laws.
Services available in OVHcloud European Trusted Zones
Stronger protection for sovereign data
Dedicated datacentres and enhanced security
Our Trusted Zone datacentres have specific physical security features. These include biometric access (2FA), extended video surveillance, restricted perimeter access for authorised personnel, and a sub-zone for destroying hard drives.
Our security model is based on a strict identity-based access control process. Customer access is secured using the zero-trust model. Supervision and traceability actions are also strengthened.
Immunity from non-EU regulations
Trusted Zone services are operated and supported exclusively by personnel located within European Union territory. Support is available 24/7, with an exclusive customer request management process.
The information and production systems for the services hosted in our two dedicated datacentres are partially isolated from the rest of OVHcloud’s infrastructures. Moreover, none of the customer data stored there is accessible outside the European Union.
SecNumCloud qualification and certifications
Our Trusted Zones host services that meet the very strictest standards in terms of security and European sovereignty, including ISO 27001, ISO 27701, the CISPE and SWIPO codes of conduct, and many others.
Our Hosted Private Cloud powered by VMware range is hosted in Trusted Zones, and has earned the SecNumCloud qualification from ANSSI in France, along with the C5 reports from BSI in Germany. In addition to this, compliance for hosting healthcare data (HDS certification), financial services (PSEE and EBA contracts) and banking data (PCI-DSS certification) is also ensured for these services.
Your questions answered
Which laws apply to my data?
The data hosted with a cloud provider is subject to the territorial laws that apply in its head office location. The data is also subject to whichever regulations are in force in the countries where it is transferred, processed and stored. This topic is currently at the forefront of concerns in Europe, especially since the Privacy Shield was invalidated last July.
As an example, we can look at data hosted in the European Union by a US cloud provider. In this scenario, the data is subject to both European and American legislation. This means that it must comply with the GDPR, as well as with US extraterritorial surveillance laws (FISA 702, EO 12333, etc.) and the CLOUD Act. Similarly, data hosted by Chinese cloud providers is subject to China's National Intelligence Law.
With the Trusted Zone option, the only legislation that can apply to your data is local and EU legislation.
How does my cloud provider manage security and data protection?
To assess the level of security offered by your cloud provider, check that they meet the best-known compliance standards: ISO/IEC 27001, AICPA SOC II type 2 and ISO/IEC 27701 (on data privacy).
For your most sensitive data, national agencies have developed specific qualifications, such as the SecNumCloud security visa issued by ANSSI in France. To protect your data privacy, your cloud provider should also run a script automatically after your data has been deleted, in accordance with current standards such as NIST SP 800-88.
The Trusted Zone option offers the strongest commitments in terms of security and data protection.