Certified Infrastructure

Compliance & Certifications

We comply with the highest security standards and European regulations to ensure the protection of your data in a certified environment.

Status: Compliant

Compliance Framework

ISO 27001:2022 (Information Security): Certified
ENS Alto (Spanish National Security Framework): Coming Soon, final certification Feb 2026
GDPR (European Data Protection): Compliant
PCI DSS (Payment Security): Compliant
TIER III+ (Datacenter Compliance): Compliant
ISO 27001:2022 SGS Certificate

ISO 27001:2022

CERTIFIED

Information Security Management System

ISO 27001:2022 certification demonstrates our commitment to information security. This international standard establishes the requirements for implementing, maintaining and continuously improving an Information Security Management System (ISMS).

Security Policies

Access control and risk management

Data Encryption

Protection in transit and at rest

24/7 Monitoring

Real-time threat detection

Regular Audits

Continuous verification of controls

ENS Alto

HIGH LEVEL. Coming Soon (Final Certification Feb 2026)

Spanish National Security Framework

The National Security Framework (ENS) at Alto (High) level is the highest certification level established by the Spanish Government. It guarantees that our systems meet the most demanding security requirements for the protection of Public Administration information.

Public Sector

Suitable for government and sensitive data

Legal Compliance

Royal Decree 311/2022

600+ Measures

Implemented security controls

Data Sovereignty

Data hosted in Spain

Additional Compliance

Our services also comply with the following regulations and standards.

GDPR

EU General Data Protection Regulation

ISO 14001

Environmental Management and sustainability

TIER III+

Uptime Institute data center compliance

PCI DSS

Payment card data security

Compliance Chain

Mandatory Supplier Requirement

At EDH, security does not end at our facilities. All our suppliers are required to comply with ISO 27001 and ENS Alto as an essential condition of working with us.

This ensures that every link in the service chain maintains the same security standards that we demand internally, from the data center and connectivity to software and auxiliary services.

ISO 27001

Mandatory for all suppliers who manage or access client data.

ENS Alto

Mandatory for infrastructure, connectivity and critical service providers.

Continuous Auditing

Periodic verification of each supplier's certification compliance.

Contractual Agreements

Security and compliance clauses integrated into all third-party contracts.

Implemented Security Measures

Our commitment to security goes beyond certifications. We implement technical and organizational controls across all layers.

Physical Security

Biometric access control, 24/7 CCTV, security personnel

End-to-End Encryption

AES-256 at rest, TLS 1.3 in transit

Backup & DR

Geo-redundant copies and business continuity plans

Access Management

RBAC, mandatory MFA, least privilege principle

Vulnerability Management

Periodic pentesting and bug bounty program

Logging & Auditing

Immutable logs and regulatory-compliant retention

Shared Responsibility Model

Security is a joint effort. This model clearly defines what EDH covers and what responsibilities belong to the client.

EDH Responsibility

  • Physical data center security (biometric access, CCTV, 24/7 surveillance)
  • Network, power and cooling infrastructure with N+1 redundancy
  • DDoS protection and network perimeter security
  • Hypervisor, firmware and base platform patching
  • Infrastructure regulatory compliance (ISO 27001, ENS Alto, GDPR)
  • Monitoring, alerts and infrastructure incident response

Client Responsibility

  • Operating system, applications and deployed middleware
  • User management, credentials and access policies for their systems
  • Application-level data encryption and key management
  • Firewall configuration and security rules at VM/server level
  • Backup and recovery policy for their data and applications
  • Sector-specific and industry regulatory compliance

With our Cloud Managed Services, EDH can take over the complete management of client responsibilities.

DPA — Data Processing Agreement

AVAILABLE

GDPR-compliant Data Processing Agreement

EDH offers a standard Data Processing Agreement (DPA) to all its clients, complying with Articles 28 and 29 of the GDPR. This document formalizes how we process personal data on behalf of our clients.

  • Standard Contractual Clauses (SCCs) included
  • Documented record of processing activities
  • Breach notification within 72 hours
  • Data processed exclusively in the EU (Madrid, Spain)
  • Client audit rights

NIS2 — European Directive

COMING SOON

Network and Information Systems Security Directive

The NIS2 Directive (EU 2022/2555) strengthens cybersecurity obligations for critical infrastructure providers in the EU. As a provider of essential digital services, EDH is actively preparing for compliance, pending transposition of the regulation into Spanish law.

  • Enhanced cybersecurity risk management
  • Mandatory incident notification within 24 hours
  • Supply chain security
  • Business continuity and recovery plans
  • Governance and executive-level accountability

Note: Pending transposition into Spanish law. EDH already meets most requirements through ISO 27001 and ENS Alto.

Security Incident Management

Structured response process aligned with GDPR and NIS2 to ensure swift and transparent action in the event of any incident.

Phase 1: Detection

24/7 monitoring with automated alerts. Initial incident classification by severity (critical, high, medium, low).

Phase 2: Containment

Immediate isolation of the affected system to prevent propagation. Activation of the incident response team.

Phase 3: Remediation

Root cause elimination, system restoration and integrity verification before returning to production.

Phase 4: Post-Mortem

Forensic analysis, detailed client report, lessons learned and preventive control updates.

Notification SLAs

Critical Incident (< 1h): data breach, total service outage or security compromise.
High Incident (< 4h): significant degradation or actively exploited vulnerability.
Medium Incident (< 24h): contained incident with no direct impact on client data.

Aligned with the GDPR 72-hour notification requirement and the NIS2 24-hour directive.

Need compliance documentation?

Request our certificates.