Trust Center
Swedish-owned. Data stored in Sweden. Certified security. Open standards. Here you will find information about how we protect data, meet regulatory requirements and build a platform trusted by organizations with the highest demands for security, compliance and control.
Why organizations trust Elastx
Digital Sovereignty
Swedish jurisdiction and free from the U.S. CLOUD Act.
Data Stays in Sweden
Data is stored and managed in Sweden.
Certified Security
ISO 27001, ISO 27017, ISO 27018 and ISO 14001 certified.
High Availability
Built with redundancy, continuous monitoring and expert support around the clock.
No Vendor Lock-In
Open standards and full control over your data.
Do we as a customer have the right to audit you?NIS2GDPRDORA
Yes, the right to audit follows from your agreements with us and can arise in several ways. If we process personal data on your behalf, our Data Processing Agreement (DPA) gives you the right to conduct annual audits of the processing covered by the agreement, yourself or through a third party you appoint, at your own expense (GDPR Article 28.3(h)). For customers covered by DORA, audit and access rights are regulated in a dedicated contract addendum, and for those of you with supplier oversight requirements under Cybersäkerhetslagen (NIS2), we provide the documentation you need. In many cases, the need can also be met by our certificates and summaries of completed security reviews, which can be shared on request. Contact us and we will help you plan an audit.
How do we dispute an invoice or claim SLA compensation?Service delivery & SLA
If you believe an invoice is incorrect, create a support ticket in our support portal (support.elastx.se) with priority Normal and we will investigate. The same applies if you believe we have not met our support SLA or availability SLA: create a support ticket with priority Normal, and we will investigate the event and handle any compensation in the ticket. The compensation levels are set out in the availability SLA.
Can we get metrics for our own environmental impact?Sustainability & environment
Yes. We can produce metrics for your environmental impact - energy consumption and carbon dioxide emissions - based on your resource usage in our OpenStack IaaS. You request such a data extract via a support ticket, and the data can be used in, for example, your sustainability reporting or supplier follow-up.
Do your staff have access to our data?Data protection & encryptionGDPR
No, not in day-to-day operations. Our staff work on the underlying platform without visibility into your data content, and do not have access to your instances or applications. Access to your environment takes place only if you explicitly request and approve it, for example in a support ticket, and is then limited to the specific need. All privileged access to the infrastructure uses personal accounts, requires multi-factor authentication and is logged.
Who owns our data?Digital sovereignty & independenceDigital sovereignty
You own your data, always. We make no claims to it and do not use it for our own purposes. You can export your data programmatically via open standard APIs at any time, not just ahead of a termination, and we apply no mandatory lock-in periods. When a service is decommissioned, or upon your written request, your data is securely erased.
Which certifications does Elastx hold?Certifications & audits
We are certified toISO/IEC 27001:2022 for information security and apply all of the standard's controls across our entire operation. We also hold ISO/IEC 27017 (cloud security) and ISO/IEC 27018 (protection of personal data in the cloud), as well asISO 14001:2015 (environmental management). The certificates are available for download.
Do you undergo an independent SOC 2 type audit?Certifications & audits
ISO/IEC 27001 is our primary framework for information security. We also undergo an independent ISAE 3000 Type II audit, which is the international equivalent of SOC 2 Type II.
How often is Elastx audited externally and can we access the reports?Certifications & audits
We carry out an external audit of our ISO/IEC 27001 and ISO 14001 management systems once a year, and security reviews and penetration tests are conducted recurrently throughout the year. Over the past year this has included an external audit of ISO/IEC 27001:2022 as well as security reviews of our Cloud Console with associated APIs. Our certificates are available for download, and summaries can be shared with customers on request.
Do you carry out internal audits?Certifications & audits
Yes. We perform an internal audit once a year according to an audit plan. Management appoints two employees who review evidence and interview the owners of the controls. The outcome is reported to management and any deviations are logged for remediation. Independent assurance of our management system additionally comes from our external ISAE 3000 audit and our ISO certifications.
Do you carry out technical compliance reviews?Certifications & audits
Yes. Information systems are reviewed regularly against our information security policies and standards, both through automated checking of configuration and secure baselines and through recurring technical audits, for example vulnerability assessments and penetration tests. Deviations are documented and tracked to remediation.
What does digital sovereignty mean at Elastx?Digital sovereignty & independenceDigital sovereignty
Our foundation is fully Swedish digital infrastructure under exclusively Swedish and European jurisdiction. Elastx is a Swedish company with Swedish owners and background-checked staff who are EU citizens, and your data on the platform stays within Sweden's borders. We own and operate our own hardware, and only Elastx staff administer the platform. We build on open standards and open source. Because we have no corporate ties outside Sweden, we are not subject to third-country legislation such as the US CLOUD Act and FISA or equivalent legislation in other countries. This gives you control over where your data is stored, who can access it, and the ability to move it whenever you want.
Are your services free from foreign legislation such as the CLOUD Act?Digital sovereignty & independenceGDPRDigital sovereignty
Yes. As a Swedish company with no corporate ties outside Sweden, we are not subject to third-country legislation such as the US CLOUD Act and FISA nor equivalent legislation in other countries.
The applicability of legislation such as the US CLOUD Act depends on where the service provider is established, not solely on where its data centers are located. Choosing an EU data centre operated by a non-EU provider does not, by itself, remove the legal implications of third-country legislation.
Customer data on the Elastx Cloud Platform is governed by Swedish and EU legislation. Furthermore, GDPR Article 48 states that judgments or administrative decisions from third countries cannot, on their own, serve as a legal basis for transferring personal data unless supported by an applicable international agreement.
Learn more about how we support digital sovereignty and why Elastx is part of the EuroStack movement.
What does your exit strategy look like if we want to leave?Digital sovereignty & independenceDORADigital sovereignty
The goal is that you should never feel locked in. We build on open standards and open source (including OpenStack and Kubernetes), which means you can move your applications and data to another environment. You can export your data ahead of a termination, and we apply no mandatory lock-in periods, in line with the EU Data Act.
How does Elastx work with compliance on an ongoing basis?Governance & compliance
We have a Compliance team that meets every two weeks and on which management is represented. The work is structured and traceable, from requirement through policy and instruction to how the control works in practice. Each control has a designated owner who is responsible for the entire chain and who is interviewed during internal and external reviews.
How is management involved in information security?Governance & complianceNIS2
Management reviews our management system quarterly to assess that it is relevant and effective. The review is based on any events since the previous occasion, including risks, deviations and incidents. The security work we carry out and our material risks are also reported at board level.
Which laws and regulations do you comply with?Governance & complianceNIS2
In addition to the ISO standards, we comply with Swedish and European laws and regulations, including Cybersäkerhetslagen (NIS2), GDPR, the Data Act and the AI Act.
How do you handle deviations?Governance & compliance
Deviations are captured systematically through internal and external audits, technical compliance reviews and continuously in day-to-day work. Each deviation is logged centrally for traceability and evaluated to determine the root cause. It is assigned to a control or process owner who is responsible for developing and implementing a remediation, and progress is followed up regularly and reported to management at the quarterly reviews.
How do you ensure security awareness among staff?Governance & complianceNIS2AI Act
All staff, including management, undergo mandatory and recurring training in information security, data protection and responsible use of AI, and new staff are trained before system access is granted. We reinforce the security culture continuously, including with recurring phishing simulations, external penetration tests and ongoing internal sharing of vulnerability information. We contractually require subcontractors to maintain strict security awareness among their own staff and to comply with relevant regulations and security requirements.
How do you govern the IT strategy?Governance & compliance
The board and management set the IT strategy based on business objectives, security requirements and industry standards, and follow up and reassess it regularly so that services are delivered securely both now and going forward. Customers can influence the prioritization of new services and features through dialogue with us.
How is security responsibility divided between you and us (shared responsibility)?Governance & compliance
We apply a shared responsibility model. Elastx is responsible for the security of the underlying infrastructure - physical security in the data centers, hypervisor and network isolation, platform availability and basic hardening. You are responsible for the security of what you build on top of the platform: your applications, data, identities, configurations and backup of your data. The model applies to both infrastructure services (IaaS) and container services (CaaS), and a detailed responsibility matrix is available in our cloud security policy (ISO/IEC 27017) and can be shared on request.