Security, privacy & compliance no asterisks
A Dutch company, an EU-only stack, and the paperwork your security team needs, all on one page.
EU-only data residency
All customer data is stored in Tier-3 datacentres in the Netherlands. No replicas leave the EU, ever.
ISO 27001-aligned
Our ISMS follows ISO 27001. Annual third-party audit reports available under NDA.
Encryption everywhere
AES-256 at rest, TLS 1.3 in transit, per-tenant key separation. Customer-managed keys on Enterprise.
SSO & MFA built in
SAML 2.0, OIDC, SCIM provisioning. TOTP, WebAuthn and hardware-key MFA included on every plan.
Full audit trail
Every read, write, share and admin action logged for 365 days. Export to SIEM via webhook.
99.95% uptime SLA
Status page with historical data. Credits issued automatically on SLA breaches.
Owned hardware, audited racks, EU operators
vBoxxCloud runs on bare metal we own, hosted in Tier-3 Dutch datacentres operated by EU citizens. No hyperscaler dependency means no CLOUD Act, no FISA 702, no Schrems-style headaches.
- Biometric access, 24/7 guarded, N+1 power & cooling
- Per-tenant encryption keys, isolated storage pools
- Daily off-site backups inside the EU, 30-day retention
Granular policies, no surprises
Set link-expiry defaults, allowed download domains, geo restrictions and password requirements org-wide. Override per team when you need to.
Sub-processors
We use the smallest possible vendor list. Every sub-processor is contracted, GDPR-bound and EU-located.
| Vendor | Purpose | Location |
|---|---|---|
| Maincubes AMS01 (Amsterdam) | Datacenter 1, primary | NL |
| Greenhouse Datacenters (Naaldwijk) | Datacenter 2, secondary | NL |
| Maincubes FRA01 (Frankfurt) | Datacenter 3, DR / EU-DE region | DE |
| Fiberring (Amsterdam) | Connectivity / transit | NL |
| Worldstream (Naaldwijk) | Connectivity / transit | NL |
| euNetworks (Frankfurt) | Connectivity / transit | DE |
| Matomo (self-hosted) | Privacy-friendly analytics | NL |
| HetrixTools | External uptime monitoring (no customer data, public endpoints only) | EU |
Documents
Download or request under NDA.
Data Processing Agreement
Pre-signed DPA covering GDPR Art. 28.
ISO 27001 Statement of Applicability
Available under NDA on request.
Penetration test summary
Annual external pen-test. Latest report Q1 2026.
Sub-processor list (PDF)
Updated whenever sub-processors change. Notice via email.
Security whitepaper
Architecture, key management, incident response.
GDPR & Schrems II memo
Why vBoxxCloud is unaffected by US CLOUD Act and FISA 702.
Privacy means people know what they're signing up for, in plain language, and repeatedly.