# Security & Compliance

Exoscale manages the physical infrastructure, the hypervisor, and the network fabric underneath your workloads. What runs on top — how you control access, what can communicate with what, and where your data lives — is yours to design. The [Shared Responsibility Model](/platform/compliance/shared-responsability-model/) documents this boundary clearly.

## Who can access what?

Access design starts with a straightforward question: what does each part of your system actually need to do? Granting more access than necessary is one of the most common and avoidable sources of risk — not because of attacks, but because mistakes become more consequential when permissions are broad.

Exoscale [IAM](/product/iam/) lets you express access precisely. API keys can be scoped to specific operations and services, and roles can reflect the real needs of each team member or application. All API-level activity across your organisation is recorded in the [Audit Trail](/platform/audit-trail/), giving you a clear record of who did what and when — useful both for day-to-day operations and for compliance purposes.

## What can reach what?

Network isolation is one of the most effective architectural decisions you can make early. Services that do not need to be public should not be — this limits exposure by default, without relying on any other control working correctly.

[Security Groups](/product/networking/security-group/) control which traffic can reach your instances. [Private Networks](/product/networking/private-network/) let your services communicate internally without ever touching the public internet. A common and sensible pattern is to expose only a load balancer publicly, while keeping application servers and databases entirely on private networks.

## What are your regulatory obligations?

If your workload handles personal data, health records, or operates in a regulated sector, zone selection and data handling are compliance decisions — not just infrastructure ones. All Exoscale zones are in Europe. Data does not leave Europe unless you move it yourself. See [Data Center Zones](/platform/dc-zones/) for the full list of locations.

Exoscale holds ISO 27001, SOC-2, and BSI C5 certifications. A [Data Processing Addendum](/platform/compliance/dpa/) is available for GDPR purposes. For health data specifically, see [Hosting Health Data on Exoscale](/platform/compliance/health-data/).

## Going deeper

- [IAM overview](/product/iam/) — roles, policies, and API key scoping
- [Security Groups](/product/networking/security-group/) — stateful firewall rules for your instances
- [Private Networks](/product/networking/private-network/) — isolated internal networking between services
- [Private Connect](/product/networking/private-connect/) — private connectivity to external environments without using the public internet
- [Audit Trail](/platform/audit-trail/) — organisation-wide API activity log
- [Compliance](/platform/compliance/) — certifications, DPA, and health data documentation