Audit reports / evidence pack
Why important?
Without evidence, reviews fail (regulator, internal audit).
How measured?
Scale 0–5 + N/A:
- 0 = No reports/evidence packs available
- 1 = Marketing/statements only, no verifiable material
- 2 = Some artifacts, but incomplete/scope unclear
- 3 = Evidence pack available (often via portal/NDA), scope partly clear
- 4 = Comprehensive artifacts (SOC/C5/ISO/reports) with good freshness, few gaps
- 5 = Comprehensive + current + scope transparent + easily accessible (public/trust center) evidenced
- N/A = no reliable evidence
Sources / Evidence
- https://www.aboutamazon.eu/news/aws/built-operated-controlled-and-secured-in-europe-aws-unveils-new-sovereign-controls-and-governance-structure-for-the-aws-european-sovereign-cloud
- https://cloud.ionos.de/zertifikate
- https://stackit.com/en/sovereign-cloud/data-sovereign-cloud/
- https://www.ovhcloud.com/pl/bare-metal/secnumcloud/
- https://www.open-telekom-cloud.com/en/blog/benefits/open-telekom-cloud-certified-according-to-bsi-c5-2020-and-and-soc-1-soc-2-soc-3
- https://www.plusserver.com/en/company/certificates-and-attestations/
- https://www.exoscale.com/compliance/
- https://docs.hetzner.com/general/company-and-policy/information-security-at-hetzner/
- https://www.scaleway.com/en/security-and-resilience/
- https://community.exoscale.com/platform/compliance/
- https://www.plusserver.com/unternehmen/zertifikate-und-testate/
- https://www.plusserver.com/wp-content/uploads/2023/09/20250430_Bericht_BSI-C5_ISAE3402_Typ2_plusserver-GmbH-2024-3.pdf
- https://www.plusserver.com/wp-content/uploads/2023/09/20251014_plusserver-ISO-27001-2022-Zertifikat-und-Statement-of-Applicability-SoA-DE.pdf
- https://www.plusserver.com/wp-content/uploads/2023/09/20250820_plusserver-ISO-9001-Zertifikat-gu%CC%88ltig-bis-12.08.2028.pdf
- https://www.plusserver.com/wp-content/uploads/2025/07/20250708_plusserver-ISO-50001_01-407-2401781_DE.pdf
- https://www.plusserver.com/wp-content/uploads/2024/01/PCI-DSS-2025-certificate-AOC-letter-to-the-customer-plusserver-EN-1.pdf
- https://www.plusserver.com/wp-content/uploads/2023/09/IDW-PH-9.860.1-Bericht-2024-mit-Disclaimer.pdf
- https://www.plusserver.com/wp-content/uploads/2023/09/Datasheet-Umwelt-Zertifizierungen-plusserver-DE.pdf
- https://www.plusserver.com/unternehmen/rechenzentren/
Validation questions (RFP)
- Is there a standardized evidence pack (SOC reports, C5, pen-test summaries)? How quickly available?
Scores comparison
| Providers | Score | |
|---|---|---|
| Microsoft Sovereign Cloud | 5.0 | |
| AWS European Sovereign Cloud | 4.0 | |
| Exoscale | 4.0 | |
| Hetzner Cloud | 4.0 | |
| STACKIT | 4.0 | |
| Scaleway | 4.0 | |
| SysEleven OpenStack Cloud | 4.0 | |
| Cloud Temple Trusted Cloud | 4.0 | SecNumCloud qualification (ANSSI) = comprehensive audit. ISO 27001 certificate. HDS certificate. Documentation via GitHub (docs). Evidence through SecNumCloud process. |
| Infomaniak Public Cloud | 3.0 | ISO 27001:2022 certificate (PDF download). ISO 9001/14001/50001. B Corp certification (2025). No SecNumCloud/C5 audit. Certificates publicly referenced. |
| T Cloud Public | 4.0 | |
| pluscloud open | 4.0 | |
| IONOS Cloud | 3.0 | |
| OVHcloud Public Cloud (inkl. SecNumCloud) | 3.0 | |
| Oracle EU Sovereign Cloud | 3.0 | |
| UpCloud | 3.0 | |
| noris Sovereign Cloud | 3.0 | |
| Delos Cloud | N/A |