Compliance, Security & Certifications

Technical, organizational and contractual transparency – what you get with us.

Introduction

ayedo specializes in tailored container solutions and operating complex applications, ensuring business-critical software runs reliably at all times. Information security and quality are firmly anchored in our corporate culture. We have established and successfully certified an integrated management system (IMS) that meets the requirements of ISO/IEC 27001:2022 (Information Security Management) and ISO 9001:2015 (Quality Management). Security is not a buzzword for us, but a core part of our DNA. This document summarizes the technical infrastructure, security measures and compliance aspects of our platform – with the goal of giving IT and compliance managers a comprehensive overview of “what they get with us.”

Technical Platform: Managed Kubernetes and Managed Apps

All our services are based on our Managed Kubernetes Platform. This means customers either get complete Kubernetes clusters operated by ayedo (Managed Kubernetes) or applications within these clusters managed by us as Managed Apps.

Managed Kubernetes from ayedo is a fully managed Kubernetes environment operated on European infrastructure and certified according to ISO/IEC 27001:2022. Unlike many public cloud offerings, we provide not just bare cluster operation, but a service package specifically for highly available SaaS operation, including personal support from our platform team. The customer can focus on development; we handle operations, updates, security and monitoring. We keep Kubernetes versions up to date and ensure the environment runs stably and securely.

The performance of our platform is extensively proven in production (“battle-tested”): every month, over 60 million end users use software running in our Kubernetes clusters.

Managed Apps are our understanding of Platform-as-a-Service: ayedo handles deployment, monitoring, security and maintenance of your applications within the Kubernetes cluster. The customer can either choose from a catalog of ready-made Managed Apps or bring their own application. On request, we containerize (“package”) the application and deploy it in your cluster, set up the necessary platform infrastructure and then reliably operate the app. We take care of 24/7 monitoring, backups and alerts as well as continuous optimizations. We place particular emphasis on individual requirements: we also support special needs regarding security, configuration or identity management of your application.

In short: With ayedo’s Managed Apps you get a full-service package for your applications – from provisioning to operations – while your costs remain predictable regardless of user count.

Infrastructure and Hosting Options

Our Managed Kubernetes clusters and apps can be operated on various infrastructure options, depending on the customer's compliance and performance requirements. As a matter of principle, we operate all systems exclusively in highly secure, ISO 27001-certified data centers in Germany or the EU. The following hosting models are available:

ayedo Private Cloud (Bare Metal in SAAR1)

On request, we operate your Kubernetes environment in a Private Cloud on dedicated ayedo hardware. These servers are located in the SAAR1 data center in Saarland, a highly available Tier III data center with strict security standards (certified according to ISO/IEC 27001, among others). In this model, one or more Kubernetes clusters as well as all platform components (e.g. identity management, storage, CI/CD tools) are provisioned exclusively for you. Dedicated infrastructure and data storage in your Private Cloud ensure that workloads and data are completely separated from other customers. The SAAR1 data center of our colocation partner offers redundant power supply (>99.99% availability), early fire detection and suppression systems, multi-redundant fiber optic connectivity as well as 24/7 video surveillance and multi-level access controls on site. Physical access to hardware is strictly regulated and only possible for authorized personnel – an important aspect for maintaining data protection and information security.

Public Cloud on Hetzner

Alternatively, we offer Managed Kubernetes on resources from Hetzner Cloud or Hetzner Dedicated Root Servers. Hetzner is a well-established German infrastructure provider whose data centers in Nuremberg, Falkenstein (DE) and Helsinki (FI) are certified according to DIN ISO/IEC 27001. This ensures that infrastructure, operations and support at Hetzner follow an audited information security management system. On request, data is stored exclusively in Germany – Hetzner operates several locations within Germany. Through its ISO 27001 certification, Hetzner commits to protecting the confidentiality, integrity and availability of customer data and to continuously improving its ISMS (including regular audits). For our customers, this results in a cost-effective cloud solution on German infrastructure, combined with ayedo's full management service (updates, monitoring, support, etc.). This option is also GDPR-compliant, as no data flows to third countries outside the EU.

Public Cloud on IONOS

On request, we also support operation on IONOS Cloud (a German cloud provider, formerly 1&1). IONOS is particularly well-known in the enterprise and public sector for high compliance standards: according to IONOS, it was the first cloud provider to obtain an attestation according to the BSI C5 catalog, and its security level has been verified by the Federal Office for Information Security (BSI). Specifically, IONOS holds a BSI C5 attestation (Cloud Computing Compliance Criteria Catalogue), a BSI IT-Grundschutz certification and ISO/IEC 27001 certification. The IONOS data centers (e.g. in Frankfurt am Main and Berlin) meet high security requirements and run 100% on green electricity. This option is particularly suitable for customers who value officially verified cloud compliance (C5) – e.g. in the public sector or regulated industries. With IONOS too, data remains within Germany; the offering is GDPR-compliant and offers a high degree of transparency regarding security and data protection. Note that C5 is an attestation report issued by an auditor (not a certificate) and is scoped to the provider's services; it covers the infrastructure layer, and the controls on the platform and application layers above it remain the responsibility of ayedo and the customer.

In addition to these standard options, ayedo can also enable hybrid or on-premises operation in special cases (so-called Enterprise Cloud). If, for compliance reasons, neither a public nor a hosted private cloud infrastructure is suitable, we can also provide our platform on customer-owned hardware on-site. This makes it possible to operate Kubernetes directly in the customer's own data center, including integration with existing environments (AD connectivity, VMware, air-gapped networks, etc.). In all cases – whether in ayedo's data center, a partner's or on-premises – the same security standards and operating processes apply. Customer data always remains in sovereign, European environments.

Certifications and Audits

Our security and quality promises have been verified and confirmed by independent bodies. An overview of the most important certifications and attestations:

  • ISO/IEC 27001:2022 (Information Security Management System): ayedo has been certified according to the current ISO 27001 since 2024. The certification was performed by GUTcert and attests to an effective ISMS for the scope “Development, operation and hosting of container solutions”. This externally validates that we systematically protect the confidentiality, integrity and availability of sensitive information. Our ISMS includes risk analyses, security policies, organizational measures and regular audits for continuous improvement. The certification gives our customers independently audited evidence of information security according to an international standard, which builds trust and helps meet compliance requirements (e.g. from IT security law or industry-specific standards). Note for auditors: an ISO 27001 certificate attests that the management system meets the standard's requirements within the stated scope; which specific controls are implemented is documented in the Statement of Applicability, which we can discuss with you. We are happy to provide the valid certificate upon request.
  • ISO 9001:2015 (Quality Management System): At the same time, we have expanded our management system with quality management aspects and had it certified according to ISO 9001 as well. The integration of ISMS and QMS means that security and quality go hand in hand with us. We follow defined processes for service quality, error prevention and customer satisfaction. The certified QMS confirms that we are capable of consistently providing services at a high level and continuously improving (e.g. through customer feedback, internal audits and management reviews). For our customers – often ISO-certified themselves – this is an important indicator that we demonstrably have reliable and documented processes.

Further memberships, partnerships and awards (e.g. our RIPE NCC membership) are listed on our website. We are the first company in Saarland certified as a Cyber Risk Check service provider (as of 01/2024). This underlines our commitment to helping smaller companies achieve cybersecurity benchmarks.

Data Center Certifications of Our Partners

Our infrastructure partners have further certificates that underpin physical security and availability.

Netbuild GmbH (SAAR1)

The SAAR1 data center (our main location for bare-metal hosting) is operated by Netbuild GmbH and meets the ANSI/TIA-942 standard at Tier III for high availability. It is also certified by TÜV Saarland according to “tekit” at Security Level 3 and is ISO/IEC 27001 certified. On-site measures include redundant UPS and diesel generators (emergency power), early fire detection with a Novec suppression system, biometric access controls, video surveillance and a 24/7 security service.

Further information can be found in the Product Description “Rack Hosting”.

Hetzner Online GmbH

Hetzner Online is also ISO/IEC 27001 certified (by FOX Certification) for all three data center locations in Germany and Finland. The scope of Hetzner’s ISMS covers infrastructure, data center operations and customer support, i.e. security processes apply at all levels of operation. Hetzner publishes its certificate and expressly allows customers to reference this certification in their own compliance context.

IONOS Cloud

IONOS Cloud as the third major infrastructure partner holds the following quality seals:

  • BSI C5 attestation (Cloud Computing Compliance Criteria Catalogue),
  • BSI IT-Grundschutz certificate (based on the IT-Grundschutz compendium),
  • ISO/IEC 27001 certification.

IONOS thus covers both internationally recognized standards and specific German government requirements. Companies choosing ayedo on IONOS infrastructure benefit from a demonstrably audited cloud environment. IONOS also emphasizes full GDPR compliance of its services and exclusive storage in EU data centers.

Technical and Organizational Security Measures (TOMs)

To ensure a high level of security in operations and development, ayedo implements a variety of technical and organizational measures (TOM). The following summarizes the key security measures of our platform:

Isolated Infrastructure & Tenant Separation

Each customer deployment is logically isolated from others. In our multi-tenant Kubernetes environment, mechanisms such as Kubernetes namespaces and Role-Based Access Control (RBAC) ensure separation; for larger environments, we set up dedicated clusters or even dedicated hardware for the customer. Using the eBPF-based CNI plugin Cilium, we implement fine-grained network segmentation and policy enforcement between services, so that services of different customers or different applications are strictly isolated from each other. The private cloud option additionally offers complete physical separation of infrastructure. Tenant isolation and secure tenant separation were also design goals of our ayedo Cloud Platform.

Network and Access Security

All servers and clusters are protected by a host firewall – restrictive ingress rules apply by default (e.g. only approved ports/IPs), and additional firewall rules can be set per customer. For access to Kubernetes cluster management interfaces (control plane/API), we use secure authentication mechanisms; management tools only work over encrypted channels and with appropriate permissions. Within the cluster, network access is limited to the minimum necessary via Kubernetes Network Policies and Cilium (zero-trust principle: “deny by default”). A practical note: a Kubernetes NetworkPolicy object is only enforced because the CNI plugin implements it; with a CNI that does not, the object is accepted by the API server but has no effect, which is one reason we rely on Cilium.
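As an added example (not ayedo's own manifests), the following shows what the tenant separation and “deny by default” described in the two sections above look like in plain Kubernetes objects: one namespace per tenant, a namespaced Role bound to an identity-provider group so that the tenant's users get no cluster-wide rights, a default-deny NetworkPolicy, and then the minimal re-allows (DNS, and HTTP from the ingress controller) that a workload actually needs. The tenant name `tenant-a`, the group name `tenant-a-developers`, the pod label `app: web`, the container port 8080 and the ingress controller namespace `ingress-nginx` are assumptions for illustration; Cilium enforces standard NetworkPolicy objects, so no Cilium-specific CRD is needed for this.

```yaml
# Added example, not ayedo's own configuration. All names are hypothetical.
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a
  labels:
    tenant: a
---
# Least privilege: the tenant's developers can manage workloads in their own
# namespace only. Secrets and RBAC objects are deliberately not listed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tenant-a-developer
  namespace: tenant-a
rules:
  - apiGroups: ["", "apps", "batch"]
    resources: ["pods", "pods/log", "configmaps", "services",
                "deployments", "statefulsets", "jobs", "cronjobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Bind the Role to a group claim issued by the IdP (Keycloak/Authentik);
# the group name is an assumption.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tenant-a-developers
  namespace: tenant-a
subjects:
  - kind: Group
    name: tenant-a-developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: tenant-a-developer
  apiGroup: rbac.authorization.k8s.io
---
# Default deny: selects every pod in the namespace and lists no rules, so all
# ingress and egress is dropped until another policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Re-allow DNS only, to the cluster DNS pods in kube-system.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Re-allow HTTP to the web pods, but only from the ingress controller's
# namespace (assumed to be ingress-nginx). Pods of other tenants stay blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-controller
  namespace: tenant-a
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
```

Two checks are worth running after applying such manifests: `kubectl auth can-i list pods --namespace tenant-b --as someone --as-group tenant-a-developers` should answer `no`, and a `wget`/`curl` from a pod in another namespace to a `tenant-a` web pod should time out while the same request through the ingress controller succeeds. Note that the `kubernetes.io/metadata.name` namespace label used in the selectors is set automatically by the API server on current Kubernetes versions.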

Ingress

For incoming traffic to applications, we use a hardened Ingress Controller that supports security features such as Web Application Firewall (WAF) and rate limiting. DDoS protection can also be activated depending on infrastructure (e.g. our DC partner offers upstream DDoS protection).

Identity and Access Management

The ayedo platform has integrated identity management based on open-source solutions (Keycloak or Authentik). This allows users, roles and access rights to be managed centrally. Customers receive their own instance of this IAM solution in their Private Cloud on request, which, particularly for regulated environments, provides the basis for auditability and traceability. Our solution supports single sign-on and integration with existing directory services (e.g. Microsoft Active Directory), so existing user and permission structures can be carried over into the Kubernetes ecosystem. The principle of least privilege is applied consistently: each user only receives the access they need for their task. Through this role-based access management and optional AD connectivity, we enable companies to extend a consistent, identity-centric access model across all platform components.

Data Encryption

All external interfaces and application endpoints are provided TLS-encrypted without exception. We use automated certificate management (e.g. Let's Encrypt via cert-manager) so that valid TLS certificates are automatically issued and renewed for each deployed application. This ensures data transmission between end users and your application is always secured (HTTPS). Internal communication paths in the platform are also cryptographically secured wherever possible – e.g. communication between microservices within the cluster via mTLS when using a service mesh, or encrypted connections to databases. At the storage level, our solutions also offer encryption as needed: managed databases such as MongoDB, PostgreSQL etc. can be configured so that stored data is encrypted. In the underlying cloud infrastructures (e.g. IONOS, Hetzner), volume encryption mechanisms are also available that we can use for sensitive data. Thus data is protected at rest and in transit. One caveat a practitioner should keep in mind: encryption at rest at the volume or filesystem layer protects against loss or theft of physical media and decommissioned disks; it does not protect against an attacker who has obtained valid database credentials, which is why it complements, rather than replaces, access control and credential hygiene.
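To make the automated certificate handling concrete, here is an added example (not ayedo's own configuration) of the two objects that typically drive it: a cert-manager ClusterIssuer for Let's Encrypt using the HTTP-01 challenge, and an Ingress that requests a certificate through an annotation and forces HTTPS. The hostname `app.example.com`, the contact address, the secret names and the use of the ingress-nginx controller are assumptions; the page only says that a hardened ingress controller and cert-manager are used.

```yaml
# Added example, not ayedo's own configuration. Hostname, e-mail address,
# secret names and the ingress class are hypothetical.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Let's Encrypt production endpoint; use the staging endpoint while testing
    # to avoid hitting issuance rate limits.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: security@example.com
    privateKeySecretRef:
      # Secret that stores the ACME account key; created by cert-manager.
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: tenant-a
  annotations:
    # Tells cert-manager to create a Certificate for every host under spec.tls.
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # ingress-nginx: redirect plain HTTP to HTTPS (assumed controller).
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.example.com
      # cert-manager writes the issued key pair into this Secret and renews it
      # automatically before expiry (by default at two thirds of the lifetime).
      secretName: app-example-com-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080
```

After applying this, `kubectl get certificate -n tenant-a` should show the certificate with `READY` set to `True`; if it stays `False`, `kubectl describe certificaterequest -n tenant-a` usually names the failing step (DNS not pointing at the ingress, port 80 blocked so the HTTP-01 challenge cannot be reached, or rate limiting). Externally, `openssl s_client -connect app.example.com:443 -servername app.example.com` lets you verify the chain and expiry date that end users will see.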

Monitoring, Logging & Incident Response

The ayedo Cloud Platform includes a comprehensive observability stack out of the box. Metrics and logs from all workloads are automatically captured and stored in central tools. We use established solutions such as Prometheus/VictoriaMetrics for metrics, Loki/VictoriaLogs for log data and Grafana for dashboards. Customers and our engineers can thus monitor the status of all systems in near real time.

Alerting

We have 24/7 monitoring with configured alerts: when thresholds are exceeded or errors occur, our on-call DevOps engineers are notified immediately. This allows us to respond proactively to problems, often before the customer notices anything. In case of incidents, defined incident response processes apply: root cause analysis, quick countermeasures (scaling, restart, fallback, etc.) and transparent communication to the customer. Serious incidents are reviewed internally (post-mortem analysis) so that we learn from them. All logs and access records are retained for audit purposes in a tamper-evident, audit-proof manner.
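As an added example of what “alerts when thresholds are exceeded” looks like in practice (not ayedo's own rules), the following PrometheusRule defines three alerts that a platform team would typically page on: a node leaving the Ready state, a container restarting repeatedly, and a certificate that cert-manager has failed to renew. The metric names come from kube-state-metrics and cert-manager's exporter; the namespace filter `tenant-a`, the thresholds and the PrometheusRule CRD (Prometheus Operator; VictoriaMetrics' operator can also consume these objects) are assumptions for illustration.

```yaml
# Added example, not ayedo's own alerting rules. Thresholds are illustrative.
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: platform-baseline
  namespace: monitoring
spec:
  groups:
    - name: platform.availability
      rules:
        # A node that is not Ready for 5 minutes; workloads get rescheduled,
        # but capacity is reduced and the on-call engineer should know.
        - alert: KubeNodeNotReady
          expr: kube_node_status_condition{condition="Ready",status="true"} == 0
          for: 5m
          labels:
            severity: critical
          annotations:
            summary: "Node {{ $labels.node }} is not Ready"

        # More than three restarts of one container within an hour usually
        # means a crash loop rather than a one-off OOM kill.
        - alert: ContainerCrashLooping
          expr: >
            increase(kube_pod_container_status_restarts_total{namespace="tenant-a"}[1h]) > 3
          for: 15m
          labels:
            severity: warning
          annotations:
            summary: >-
              {{ $labels.namespace }}/{{ $labels.pod }} ({{ $labels.container }})
              restarted {{ $value | printf "%.0f" }} times in the last hour

    - name: platform.tls
      rules:
        # cert-manager renews certificates well before expiry (by default at two
        # thirds of the lifetime, i.e. 30 days before a 90-day Let's Encrypt
        # certificate expires). A certificate still valid for less than 14 days
        # therefore means renewal has been failing and needs a human.
        - alert: CertificateRenewalFailing
          expr: >
            (certmanager_certificate_expiration_timestamp_seconds - time()) < 14 * 24 * 3600
          for: 1h
          labels:
            severity: critical
          annotations:
            summary: >-
              Certificate {{ $labels.namespace }}/{{ $labels.name }} expires in
              less than 14 days and has not been renewed
```

The `for:` durations are what keep such rules from paging on transient blips: an alert only fires once the expression has been true continuously for that long. When tuning thresholds, it is worth checking the raw expression in Grafana or the Prometheus UI over a few weeks of history first, so that the rule reflects the workload's normal behaviour rather than a guess.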

Backup & Recovery

For all Managed Services (whether Kubernetes cluster or applications), ayedo provides a backup solution. By default, we perform an automated full backup of all relevant data daily between 0:00 and 7:00. These backups are retained for at least 14 days and can be restored quickly by the ayedo team if needed. Backup data is stored on separate storage systems. Longer retention periods or special backup intervals can also be agreed with the customer. Through regular test restores, we verify that recovery works in an emergency. In addition to database and file system backups, complete cluster snapshots can also be created to restore an entire Kubernetes setup in a disaster case. Together with our high availability architecture (see below), this results in a robust disaster recovery concept.

High Availability and Fault Tolerance

Our platform is designed for redundancy and minimal downtime.

  • Kubernetes Control Plane: For our larger clusters, the control plane is provided highly available and geo-redundant, i.e. multiple control plane instances are distributed across up to three availability zones in Europe. If a control plane node or even an entire data center fails, the others take over automatically.
  • Worker Nodes: Workloads are distributed across multiple hosts; through automatic scheduling and (where supported) distribution across multiple AZs, a hardware failure can be compensated without application downtime.
  • Load Balancing: For external services, we use geo-redundant load balancing – for example, we can distribute traffic to multiple data center locations via anycast or DNS-based load distribution. This not only increases performance (shorter paths to users) but also ensures that if one location fails, traffic is automatically redirected to the other.
  • Databases and Storage: We offer highly available storage solutions (e.g. distributed Ceph storage or cloud volumes with automatic mirroring), so that data exists redundantly. Our CI/CD and DevOps services (container registry, Git, etc.) can also be provided in redundant configuration, especially in private cloud scenarios, so that central services do not become a single point of failure. Overall, depending on the booked package, we can guarantee very high service availability (see SLA below), technically underpinned by redundancy at all levels.

Patch Management and Maintenance

Security patches and updates are applied promptly by us to close known vulnerabilities quickly. As part of our Managed Service, our administrators handle both regular planned updates (e.g. new Kubernetes versions, operating system updates of nodes) and short-notice security updates outside the normal maintenance window when necessary. We actively monitor security advisories (e.g. CVEs) for the software in use and respond immediately to critical vulnerabilities. Updates are performed either automatically (where possible) or manually by our team – always in a controlled manner and tested on a staging environment first to ensure stability. We inform our customers in good time before planned maintenance work; many updates can, however, be performed without downtime (rolling updates of container workloads). Thanks to our 24/7 standby team, an urgent patch can be applied even outside regular hours (e.g. at night or on weekends) should an acute threat arise. This significantly increases the security of your systems, as the window of exposure to known exploits is kept to a minimum.

Data Protection Compliance

In addition to technical security measures, ayedo strictly complies with the General Data Protection Regulation (GDPR) and other data protection laws. All customer data is stored and processed within the EU. We conclude data processing agreements (DPA) according to Art. 28 GDPR with our customers, in which technical and organizational measures are documented in detail and the obligations of both parties are defined. The TOMs of our subprocessors (e.g. data center operators like Hetzner or IONOS) are also included, as transparency towards our customers is a top priority. Our Privacy Policy also explains how we handle personal data, and our employees are bound to confidentiality. The ISO 27001 certification also confirms that we handle data protection risks appropriately and evaluate them regularly. For particularly sensitive data, additional protective measures can be agreed (e.g. encryption by the customer themselves, dedicated hardware without multi-tenancy, etc.). In short: ayedo offers a secure and GDPR-compliant cloud environment in which your data is protected as well as in a traditional in-house data center – but with the advantages of the cloud (scalability, flexibility) and our expert operations.

Organizational Measures & Internal Security

Internally, ayedo has established clear processes and responsibilities for security. There is a designated Information Security Officer who monitors compliance with and the development of security policies, as well as a Quality Management Officer for process quality. Employees are regularly trained on information security and data protection topics. Access to customer systems by our staff follows the principle of least privilege and the need-to-know principle; administrative access is limited to a few authorized specialists who authenticate strongly (e.g. SSO with mandatory MFA) and whose access is logged. We maintain an internal wiki and central knowledge management to keep lessons learned and security requirements up to date. Changes to infrastructure are subject to a defined change management process, including approvals and coordination with the customer where appropriate. We also conduct regular internal and external audits of our IMS and perform annual management reviews of our security and quality objectives. All this ensures that the security level is not just achieved but continuously improved. External penetration tests and emergency exercises round out our organizational security concept.

On request, we are happy to provide our complete TOM document, which covers physical access control, system access control, data access control, transfer control, order control, availability control and the separation requirement (pursuant to Art. 32 GDPR).

(Note: This section provides an overview of the key measures. In our detailed documentation – such as the Technical and Organizational Measures (TOM) annex to the DPA – further details are listed, such as password policies, patch management processes, contingency plans, etc. We are happy to provide these documents to interested customers on request.)

Service Levels, Contracts and Other Compliance Aspects

In addition to technical security, ayedo values transparent contractual arrangements and reliable service, so you always have confidence in the operation of your applications. Key points:

Service Level Agreement (SLA)

Our guarantees regarding response time and availability are formally set out in the SLA. We guarantee a basic availability of our systems of 99.5% as an annual average (network and hardware availability of the cloud infrastructure). This availability commitment applies to all core components within our area of responsibility. If actual availability falls below the guaranteed value, the SLA provides for service credits for the customer – e.g. 5% of the monthly fee is refunded for each 1% shortfall (with a cap of 25% p.a.). This defines financial compensation mechanisms that underpin our commitment. The SLA also defines response times for support requests: during business hours we respond within short deadlines, and for critical incidents (e.g. failure of a production system) also very quickly outside core hours. We offer multi-tier support levels (Basic vs. Priority Support), with the highest level guaranteeing 24/7 on-call service. Customers can reach us through various channels – ticket system, e-mail and, for emergencies, also by phone – and we ensure that a qualified engineer is always available to handle the issue. Our personal customer service is valued by many customers: we communicate clearly, in German or English, and actively involve the customer in decisions on request. The SLA document can be viewed in full on our website.

General Terms and Conditions (GTC)

Our GTCs set out the legal framework of the cooperation. Important to know: we exclusively address commercial customers (B2B), meaning all services are contracted on a professional basis with companies, authorities or organizations. The GTCs regulate, among other things, the scope of services, liability, the obligations of customer and ayedo, contract terms and notice periods. For example, it is stipulated that ayedo is entitled to use subcontractors (such as data center providers) for service provision, while ayedo remains responsible for their performance. Our liability is, as is customary in the industry, limited to intent and gross negligence, and we recommend that customers additionally back up important data themselves (even though we offer robust backups, see above). The GTCs and SLA are provided to the customer at contract conclusion and are an integral part of the contract. We have tried to make these documents as understandable and fair as possible.

Our GTCs and the current SLA can be viewed on our website; both documents are available in German.

Data Protection and Data Processing

As mentioned in the TOM section, we conclude a Data Processing Agreement (DPA) with our customers whenever we process personal data on their behalf. This covers all points required under Art. 28 GDPR: subject and duration of processing, type of personal data, ayedo's obligations as processor, the customer's right to issue instructions, subprocessing relationships, etc. An essential component are the technical and organizational measures outlined above, which are an integral part of the contract. We disclose which subprocessors (e.g. Hetzner Online GmbH, IONOS SE, Loopback UG) may be involved and ensure that corresponding DPAs/sub-DPAs exist with them. The customer has the right to verify our compliance with the agreed measures or have it verified by auditors (audit right); in practice, our ISO certification simplifies this, as many compliance auditors accept these certificates as evidence. ayedo itself, as a German company, is of course also subject to the GDPR and the BDSG. We have appointed an internal data protection officer who monitors compliance with the regulations. We are also members of data sovereignty initiatives and are committed to maximally transparent cloud solutions. Our Privacy Policy can be found on our website; it explains what data we process and what rights data subjects have.

Other Compliance Topics

ayedo supports industry-specific compliance requirements on request. For example, we can help our customers conduct penetration tests in their environment, and we respond constructively to security tests from the customer side. For customers from the financial sector (BaFin-regulated) or healthcare, we can provide additional documentation, such as emergency manuals, risk analyses or a mapping of our controls to common frameworks (e.g. DORA), as required. We have an internal compliance team that addresses the requirements of regulations (KRITIS, TISAX, PCI DSS for payment data, etc.) and develops solutions for how our platform meets them. We are also working towards our own BSI C5 attestation and other certifications to further underpin our suitability for highly sensitive use cases. Even now, however, the combination of our ISO certifications, the certified data centers and our documented security measures allows customers to meet their compliance requirements with ayedo. We are happy to compile all relevant evidence and documents for you on request. Just contact us if specific documents or information are needed in your particular case.

With ayedo you get state-of-the-art cloud platforms based on Kubernetes that are made in Germany and meet high security and quality standards. From the technical architecture (container orchestration with strong isolation, automated backups, monitoring and autoscaling) to the infrastructure locations (ISO 27001-certified data centers in Germany, optionally BSI C5-attested cloud) to the organizational processes (ISO 9001 quality management, trained staff, clear emergency procedures), your application is in good hands with us.

Our certifications and those of our partners externally demonstrate what we live daily: Security and compliance have top priority. At the same time, you benefit from our personal service and the flexibility of a mid-sized provider that tailors solutions to you rather than off the shelf. This combined strength – agility and individual support on one hand, paired with strictly verified processes and technologies on the other – should give you the certainty that with ayedo you are choosing a reliable partner for cloud and software operations. For further questions, we are always happy to help.