Skip to content

Security & Compliance

Exoscale manages the physical infrastructure, the hypervisor, and the network fabric underneath your workloads. What runs on top — how you control access, what can communicate with what, and where your data lives — is yours to design. The Shared Responsibility Model documents this boundary clearly.

Who can access what?

Access design starts with a straightforward question: what does each part of your system actually need to do? Granting more access than necessary is one of the most common and avoidable sources of risk — not because of attacks, but because mistakes become more consequential when permissions are broad.

Exoscale IAM lets you express access precisely. API keys can be scoped to specific operations and services, and roles can reflect the real needs of each team member or application. All API-level activity across your organisation is recorded in the Audit Trail, giving you a clear record of who did what and when — useful both for day-to-day operations and for compliance purposes.

What can reach what?

Network isolation is one of the most effective architectural decisions you can make early. Services that do not need to be public should not be — this limits exposure by default, without relying on any other control working correctly.

Security Groups control which traffic can reach your instances. Private Networks let your services communicate internally without ever touching the public internet. A common and sensible pattern is to expose only a load balancer publicly, while keeping application servers and databases entirely on private networks.

What are your regulatory obligations?

If your workload handles personal data, health records, or operates in a regulated sector, zone selection and data handling are compliance decisions — not just infrastructure ones. All Exoscale zones are in Europe. Data does not leave Europe unless you move it yourself. See Data Center Zones for the full list of locations.

Exoscale holds ISO 27001, SOC-2, and BSI C5 certifications. A Data Processing Addendum is available for GDPR purposes. For health data specifically, see Hosting Health Data on Exoscale.

Going deeper

  • IAM overview — roles, policies, and API key scoping
  • Security Groups — stateful firewall rules for your instances
  • Private Networks — isolated internal networking between services
  • Private Connect — private connectivity to external environments without using the public internet
  • Audit Trail — organisation-wide API activity log
  • Compliance — certifications, DPA, and health data documentation
Last updated on