Cloud Factory

Trust & Compliance

Trust, security, and compliance are at the core of how we operate as a cloud distributor. On this page, we explain how we maintain compliance and provide transparency for our Partners, covering how we handle personal data under GDPR, strengthen operational resilience and security in line with NIS2, and embed ESG into day-to-day governance. Our approach is built on clear ownership, documented processes, and effective controls to support risk management.

You will also find information about our approach to vendor due diligence and supply-chain governance, our use of audit assurances, and how we work with ongoing monitoring, risk management and training. The goal is simple: to give you a transparent view of how we manage risk, so you can confidently build your own compliance on top of ours.


Audit reports

Cloud Factory obtains audit reports annually. The reports are prepared by an independent third party and cover Cloud Factory’s compliance with GDPR and NIS2, as well as the requirements set out in the data processing agreement.

ISAE3000 GDPR

Data Processing Agreement

You can find our standard data processing agreement below:

Data Processing Agreement

Security Measures

Supply chain security:
Due diligence upon selection of new suppliers. We rely on established, industry-recognized service providers for the hosting and functionality of our platform. These providers are certified under ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001.

MFA login:
Multi-Factor Authentication (MFA) required for accessing the platform and the production environment.

Redundancy:
Full redundancy at the primary hosting and operations provider to ensure platform availability and continuous operation.

Screening:
Employee background checks upon hiring.

Logging:
Logging of access and activities across the platform and related systems.

Auditing:
Regular audits of the platform conducted by external auditors.

Procedures:
Documented procedures governing access to the production environment and customer data.

Antivirus:
Up-to-date anti-malware and antivirus protection across systems and devices.

Awareness:
Security awareness training for employees as part of onboarding and ongoing employment.

FAQ - GDPR

What is GDPR and why is it relevant?

The General Data Protection Regulation (GDPR) governs how personal data may be processed. It sets the rules for how organisations may collect, use, store, share, secure and otherwise process personal data, and requires that all processing is lawful, transparent and limited to specific purposes.

GDPR applies to any organisation that processes personal data about data subjects (people) in the EU, whether the organisation acts as a data controller or as a data processor.

Why is it necessary to enter into a Data Processing Agreement with Cloud Factory?

Under GDPR Article 28(3), any processing of personal data carried out by a processor on behalf of a controller must be governed by a contract (“data processing agreement”). The agreement must specify the subject matter, duration, nature and purpose of the processing, the types of personal data, the categories of data subjects, and the rights and obligations of the controller.

When you use Cloud Factory’s license management platform, Cloud Factory processes personal data on your behalf (such as user information, access logs and account-related data). This constitutes a processor relationship under the GDPR, which requires a formal Data Processing Agreement.

It is important to note that when reselling the services to end customers, the end customers will use these services for a different purpose. Consequently, they must enter into a separate data processing agreement directly with the relevant third-party provider. Cloud Factory is not a data processor for that processing activity.

What sub-processors does Cloud Factory use in order to provide the license management platform?

We use the following sub-processors in order to provide our license management platform:

Primary sub processors

| NAME | ADDRESS | DESCRIPTION OF ACTIVITIES |
|---|---|---|
| Netic A/S | Alfred Nobels Vej 25, 9220 Aalborg Øst, Denmark. | The supplier is hosting Cloud Factory’s license management platform. Data is stored in a secure data center facility in Denmark. |
| Atlassian Pty Ltd | 341 George Street, Sydney, Australia. | The supplier manages support inquiries through a ticketing system. Data is stored in a secure data center facility in Germany. |
| Auth0 Inc. (part of Okta) | 100 1st St Suite 150, San Francisco, USA | The supplier provides multi-factor authentication for user login to verify identity and ensure access control to the license management platform. Data is stored in a secure data center facility in Germany. |
| Functional Software Inc. (“Sentry”) | 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA. | The supplier provides a monitoring service that enables proactive identification and resolution of frontend bugs encountered by partners. Data is stored in a secure data center facility in Germany. |

Secondary sub processors

| NAME | ADDRESS | DESCRIPTION OF ACTIVITIES |
|---|---|---|
| Microsoft Ireland | One Microsoft Court, South County Business Park, Leopardstown, Dublin 18 | Information regarding Microsoft’s suppliers and data hosting setup can be found in Microsoft’s public documentation. Documentation may be product specific. For more information, please see the links below. |
| Adobe Ireland Limited | 6 Riverwalk, Naas Road, 24, Dublin, Ireland | Information regarding Adobe’s suppliers and data hosting setup can be found in Adobe’s public documentation. Documentation may be product specific. For more information, please see the links below. |
| Impossible Cloud GmbH | Friesenweg 12, Haus 5, 22763 Hamburg, Germany | Information regarding Impossible Cloud’s suppliers and data hosting setup can be found in Impossible Cloud’s public documentation. Documentation may be product specific. For more information, please see the links below. |
| Twingate Inc. | Redwood, 541 Jefferson Ave, Suite 100, United States | Information regarding Twingate’s suppliers and data hosting setup can be found in Twingate’s public documentation. Documentation may be product specific. For more information, please see the links below. |
| Keepit A/S | Per Henrik Lings Allé 4, 7, 2100 København, Denmark | Information regarding Keepit’s suppliers and data hosting setup can be found in Keepit’s public documentation. Documentation may be product specific. For more information, please see the links below. |
| ESET spol. s.r.o | Bratislava, Aupark Tower, 16th Floor, Einsteinova 3541/24, Slovakia | Information regarding ESET’s suppliers and data hosting setup can be found in ESET’s public documentation. Documentation may be product specific. For more information, please see the links below. |
| Exclaimer ltd. | 3rd Floor, 250 Fowler Avenue, Farnborough, Hampshire, GU14 7JP, United Kingdom | Information regarding Exclaimer’s suppliers and data hosting setup can be found in Exclaimer’s public documentation. Documentation may be product specific. For more information, please see the links below. |
| Dropbox Ireland ltd. | 70 Sir John Rogerson's Quay, Dublin 2, Ireland | Information regarding Dropbox’s suppliers and data hosting setup can be found in Dropbox’s public documentation. Documentation may be product specific. For more information, please see the links below. |
| Acronis International GmbH | Rheinweg 9, 8200 Schaffhausen, Switzerland | Information regarding Acronis’ suppliers and data hosting setup can be found in Acronis’ public documentation. Documentation may be product specific. For more information, please see the links below. |

Read more about our supplier structure here.

Does Cloud Factory maintain GDPR risk assessments to evaluate the security of the processing?

Cloud Factory regularly updates written risk assessments covering processing activities related to the license management platform. These assessments evaluate risks to confidentiality, integrity and availability, identify relevant threats and vulnerabilities, and document the technical and organizational measures implemented in accordance with GDPR Article 32. The risk assessments are internal and confidential documents, but are reviewed by external auditors during our annual ISAE3000 audit.

Where is Cloud Factory's platform hosted?

Cloud Factory’s license management platform is hosted in Denmark by Netic, a Danish infrastructure provider operating ISO 27001-certified data centres. All primary systems, production environments and backups are stored within Netic’s facilities.

What are Cloud Factory's retention periods for personal data processed in the platform?

Partner inactivity and offboarding

For Partners with zero license consumption for at least six consecutive months, Cloud Factory may, after prior notice to the Partner, deactivate and subsequently delete the Partner’s platform access, as such inactivity typically indicates silent churn.

If a Partner notifies us that they are transitioning to another distributor or otherwise terminating the relationship, and requests deletion of personal data, Cloud Factory will delete the relevant personal data within the agreed timeframe.

User accounts

Cloud Factory deletes platform user accounts that have been inactive for 24 consecutive months, or earlier if requested by the Partner. This deletion includes the user’s platform data and the personal data associated with the individual user profile.

Certain information may, however, be retained where we have an obligation or another legitimate reason to do so, for example in connection with ongoing license consumption, billing, security logging, dispute handling, or an active Partner relationship that requires the user to maintain access. In such cases, the data is kept for as long as these purposes apply.

Does Cloud Factory have data processing agreements in place with all sub processors relevant for providing the license management platform?

Yes. We enter into data processing agreements with all sub processors that process personal data on our behalf.

This is tested by an external auditor on a yearly basis and documented in our ISAE3000 audit report.

How does Cloud Factory ensure that suppliers comply with applicable GDPR requirements?

We rely on our internal vendor-management framework. This includes:

  • Pre-contract assessments, including evaluation of security measures, certifications, sub-processor lists, and data-flow implications.

  • Contractual safeguards, such as data processing clauses, confidentiality, and restrictions on international transfers.

  • Continuous monitoring, including annual reviews of certifications (e.g., ISO, ISAE, SOC), TIA updates, and documented reassessments when there are material changes.

This is reviewed by an external auditor on a yearly basis and documented in our ISAE3000 audit report.

How does Cloud Factory document compliance with the data processing agreement and the GDPR?

We maintain documented evidence of our compliance framework, including but not limited to:

  • Independent assurance reports, such as an ISAE 3000 report or equivalent third-party audits covering security, access control, governance and data protection processes.

  • Internal governance documentation, including data flow mappings, retention schedules, access logs, incident procedures and records of policy reviews.

  • Records of processing activities (RoPA) covering all relevant data-processing purposes.

  • Documented risk assessments for systems and processing activities.

  • Evidence of technical and organisational measures, which are regularly reviewed and updated.

How does Cloud Factory make sure its employees are adequately trained in data protection?

We consider data protection training an integrated part of the employee journey. All new employees complete mandatory onboarding training in data protection, information security and our internal policies. This includes practical guidance on handling customer data, use of tools, and how to recognise and report incidents.

During employment, we follow up with regular awareness activities and refresher training to keep knowledge up to date and adapted to the employee’s role. This may include e-learning, targeted sessions for specific functions (e.g. support, development, sales) and periodic tests or campaigns. Completion of training is logged so we can document to management and external auditors that employees have received and maintained the necessary competencies in data protection.

FAQ - NIS2

What is NIS2, and who does it apply to?

NIS2 is a cybersecurity directive aimed at strengthening the resilience of essential and important entities across the Union.

The directive applies to organisations operating in sectors considered critical to society or the economy, such as digital infrastructure, cloud services, managed service providers, public administration, finance, and healthcare. Whether an organisation is in scope depends on its sector, size, and overall criticality.

While some entities may not be directly subject to NIS2, the directive requires in-scope entities to manage and document cybersecurity risks throughout their supply chain. Consequently, suppliers are indirectly affected because customers increasingly need to:

  • assess the security posture of key vendors,

  • obtain documentation demonstrating adequate technical and organisational controls,

  • ensure appropriate contractual safeguards are in place, and

  • monitor supplier risks on an ongoing basis.

This creates a practical expectation that suppliers align with NIS2-level security standards, even if they are not legally in scope.

What security and governance requirements does NIS2 introduce?

The NIS2 directive strengthens and harmonises cybersecurity requirements for essential and important entities in the EU. In-scope entities must establish a structured risk management approach that includes, at a minimum:

  • Technical and organisational cybersecurity measures, such as access control and authentication, encryption, network segmentation, vulnerability and patch management, secure development practices, logging and monitoring, and robust backup and recovery strategies.

  • Governance and management involvement, including clear allocation of security responsibilities, board-level oversight, regular reporting on cyber risks, and explicit accountability for management bodies.

  • Incident handling procedures, covering detection, analysis, containment, recovery and mandatory notification of significant incidents to the competent authorities within prescribed timelines.

  • Supply-chain and third-party risk management, requiring organisations to identify, assess and continuously monitor risks arising from vendors, outsourcing arrangements and other digital service providers that support critical processes.

  • Business continuity and crisis management, including disaster recovery planning, continuity of critical services, and tested response plans for major cyber incidents.

NIS2 is risk-based, meaning each in-scope entity must determine and implement security measures that are appropriate to its specific risk profile, threat landscape, size, and operational context. This means the directive does not prescribe a single technical setup, but expects a defensible, documented rationale for how risks are identified, mitigated and monitored over time.

How does Cloud Factory document security and compliance efforts?

We document our security controls and compliance posture through an information security management framework. This includes:

  • Policies and procedures, updated regularly and aligned with recognised standards.

  • Risk assessments covering internal operations as well as dependencies on vendors and critical systems.

  • Audit reports, such as ISAE 3000/3402 reports and internal reviews.

  • Incident logs and response procedures.

  • Vendor due diligence reports and continuous monitoring of suppliers.

  • Documentation of technical controls, such as access rights, logging, backup strategies, and update/patch management.

What is Cloud Factory's approach to supplier management?

We have implemented a vendor-management framework. This includes:

  • Pre-contract assessments, including evaluation of security measures, certifications, sub-processor lists, and data-flow implications.

  • Contractual safeguards, such as data processing clauses, confidentiality, and restrictions on international transfers.

  • Continuous monitoring, including annual reviews of certifications (e.g., ISO, ISAE, SOC) and documented reassessments when there are material changes.

Does Cloud Factory have external security audits?

We will undergo our first external NIS2 audit in May 2026. After that, external audits will be conducted on a yearly basis.

How does Cloud Factory ensure secure development of the platform?

We apply secure development practices including code reviews, automated security scanning, monitoring, separation of environments, and controlled deployment processes. This is reviewed during external and internal audits.

What service levels apply to the platform?

Our service levels follow the SLAs defined for our platform and support services. Partners can download the applicable SLA documentation directly from the Partner Portal.

FAQ - ESG

What is ESG, and why does it matter?

ESG refers to the environmental, social, and governance factors that organisations are expected to manage as part of responsible and sustainable business practices.

For a technology-focused organisation like Cloud Factory, ESG extends beyond environmental considerations to include data governance, security, operational resilience, diversity, and ethical business conduct.

Is Cloud Factory subject to CSRD reporting requirements?

Cloud Factory is not directly in scope of the Corporate Sustainability Reporting Directive (CSRD). However, because ESG is an important element of good corporate governance and increasingly relevant to our stakeholders, we have prepared a voluntary ESG report based on the VSME standard for small and medium-sized enterprises.

Our voluntary ESG report can be downloaded here.

How does Cloud Factory assess ESG risks?

We conduct regular ESG risk assessments covering:

  • environmental footprint,

  • workplace rights and employee well-being,

  • diversity and inclusion,

  • supply-chain risks,

  • governance, ethics, and compliance,

  • operational resilience and data protection.

Risks are prioritised based on likelihood, impact, and dependency, applying the same structured methodology we use in information security and compliance.

Does Cloud Factory have ESG policies in place?

Yes. We maintain documented ESG-related policies, including environmental practices, diversity and inclusion, ethical conduct, anti-corruption, and governance procedures. These policies are reviewed and updated regularly to reflect regulatory developments and best practice.

How does Cloud Factory manage ESG risks in the supply chain?

Suppliers are evaluated through our vendor-management process that includes due diligence, documentation review, contractual safeguards, and ongoing monitoring.
We expect suppliers to maintain appropriate environmental, social, and governance standards and to provide transparent evidence of compliance in accordance with our Supplier Code of Conduct.

FAQ - Partner Agreement

What notice period applies if the Partner (customer) wants to terminate the agreement?

As a Partner, you are free to terminate the agreement at any time. Our business model is based on flexibility and on the expectation that Partners choose, and remain with, Cloud Factory because of the value and services we deliver, not because they are locked in.

Does the Partner Agreement apply to all products in the Cloud Factory portfolio?

The Partner Agreement applies to all products and services that are made available through Cloud Factory’s license management platform, unless otherwise expressly stated. For each individual cloud service, the underlying vendor’s own terms, product conditions and data protection documentation will apply in addition to the Partner Agreement.

How do the Partner Agreement and the vendor's product terms apply together?

The Partner Agreement governs the overall relationship between Cloud Factory and the Partner, including access to the platform, ordering and management of services, billing, data protection between Cloud Factory and the Partner, and general rights and obligations.

For each individual cloud service, the vendor’s own product and service terms apply to the use of that specific service. This typically covers:

  • the service description and functionality

  • licence conditions and usage rights

  • service levels and support obligations

  • the vendor’s own data protection and security commitments

  • acceptable use and any export or sanctions restrictions

In practice, this means:

  • For matters between Cloud Factory and the Partner (e.g. invoicing, platform access, our liability and role), the Partner Agreement applies and takes precedence.

  • For matters relating to the specific cloud service and the relationship between the vendor, the Partner and/or the end-customer, the vendor’s terms apply.

Cloud Factory does not change or override the vendors’ product terms. Partners should always review the relevant vendor terms and privacy documentation when deciding how to offer and configure a service for their end-customers.

How are claims from end-customers handled and should they be directed to the Partner or Cloud Factory?

The contractual relationship for the cloud services is between the Partner and its customers ("end-customers"). Claims from end-customers (including service issues, credits, refunds and similar) should be directed to and handled by the Partner.

If a claim relates to matters for which Cloud Factory is responsible under the Partner Agreement, the Partner may raise a corresponding claim with Cloud Factory in accordance with the agreement. End-customers do not have a direct contractual relationship with Cloud Factory.

FAQ - Distribution vendors

What is a "distribution vendor"?

When we refer to distribution vendors in this context, we mean the third-party providers whose cloud services and software products are provisioned via the Cloud Factory platform by our Partners to their end-customers.

These are not our own infrastructure or tooling providers, but the upstream vendors behind the products you can order, manage and bill through our platform.

Who are Cloud Factory's distribution vendors?

Cloud Factory’s distribution vendors can be found here.

Where is data processed when using cloud services from distribution vendors?

Data processing locations are determined by the individual distribution vendor and by how the specific product is configured and used. In practice, this depends on factors such as:

  • which region or data centre is selected during setup

  • how tenants, environments, logging and backups are configured

  • which features, integrations and add-ons are enabled

Many distribution vendors offer hosting options within the EU/EEA. Where data is transferred outside the EU/EEA, vendors will typically rely on recognised safeguards (such as adequacy decisions or standard contractual clauses).

Because these details, and the impact of your configuration choices, vary from product to product, Partners should always refer to the vendor’s own documentation (e.g. data processing agreements, security and privacy pages, regional setup guides) for precise information about data flows and locations.

To support this, Cloud Factory has prepared an overview containing links to each distribution vendor’s processing and compliance information, so Partners can quickly find more detail on where and how data is processed for the individual services they use. This overview can be found here.