Trust Center

Question 1

Which certifications does Elastx hold?

Accepted Answer

We are certified to ISO/IEC 27001:2022 for information security and apply all of the standard's controls across our entire operation. We also hold ISO/IEC 27017 (cloud security) and ISO/IEC 27018 (protection of personal data in the cloud), as well as ISO 14001:2015 (environmental management). The certificates are available for download.

Question 2

Do you undergo an independent SOC 2 type audit?

Accepted Answer

ISO/IEC 27001 is our primary framework for information security. We also undergo an independent ISAE 3000 Type II audit, which is the international equivalent of SOC 2 Type II.

Question 3

How often is Elastx audited externally, and can we access the reports?

Accepted Answer

We carry out an external audit of our ISO/IEC 27001 and ISO 14001 management systems once a year, and security reviews and penetration tests are conducted recurrently throughout the year. Over the past year this has included an external audit of ISO/IEC 27001:2022 as well as security reviews of our Cloud Console with associated APIs. Our certificates are available for download, and summaries can be shared with customers on request.

Question 4

Do you carry out internal audits?

Accepted Answer

Yes. We perform an internal audit once a year according to an audit plan. Management appoints two employees who review evidence and interview the owners of the controls. The outcome is reported to management and any deviations are logged for remediation. Independent assurance of our management system additionally comes from our external ISAE 3000 audit and our ISO certifications.

Question 5

Do you carry out technical compliance reviews?

Accepted Answer

Yes. Information systems are reviewed regularly against our information security policies and standards, both through automated checking of configuration and secure baselines and through recurring technical audits, for example vulnerability assessments and penetration tests. Deviations are documented and tracked to remediation.

Question 6

What does digital sovereignty mean at Elastx?

Accepted Answer

Our foundation is fully Swedish digital infrastructure under exclusively Swedish and European jurisdiction. Elastx is a Swedish company with Swedish owners and background-checked staff who are EU citizens, and your data on the platform stays within Sweden's borders. We own and operate our own hardware, and only Elastx staff administer the platform. We build on open standards and open source. Because we have no corporate ties outside Sweden, we are not subject to third-country legislation such as the US CLOUD Act and FISA or equivalent legislation in other countries. This gives you control over where your data is stored, who can access it, and the ability to move it whenever you want.

Question 7

Are your services free from foreign legislation such as the CLOUD Act?

Accepted Answer

Yes. As a Swedish company with no corporate ties outside Sweden, we are not subject to third-country legislation, neither the US CLOUD Act and FISA nor equivalent legislation in other countries. Your data is therefore not subject to foreign compelled disclosure. Furthermore, under GDPR Article 48, a judgment or an authority decision from a third country may not be recognised as grounds for disclosing personal data except on the basis of an international agreement.

Question 8

What does your exit strategy look like if we want to leave?

Accepted Answer

The goal is that you should never feel locked in. We build on open standards and open source (including OpenStack and Kubernetes), which means you can move your applications and data to another environment. You can export your data ahead of a termination, and we apply no mandatory lock-in periods, in line with the EU Data Act.

Question 9

How does Elastx work with compliance on an ongoing basis?

Accepted Answer

We have a Compliance team that meets every two weeks and on which management is represented. The work is structured and traceable, from requirement through policy and instruction to how the control works in practice. Each control has a designated owner who is responsible for the entire chain and who is interviewed during internal and external reviews.

Question 10

How is management involved in information security?

Accepted Answer

Management reviews our management system quarterly to assess that it is relevant and effective. The review is based on any events since the previous occasion, including risks, deviations and incidents. The security work we carry out and our material risks are also reported at board level.

Question 11

Which laws and regulations do you comply with?

Accepted Answer

In addition to the ISO standards, we comply with Swedish and European laws and regulations, including Cybersäkerhetslagen (NIS2), GDPR, the Data Act and the AI Act.

Question 12

How do you handle deviations?

Accepted Answer

Deviations are captured systematically through internal and external audits, technical compliance reviews and continuously in day-to-day work. Each deviation is logged centrally for traceability and evaluated to determine the root cause. It is assigned to a control or process owner who is responsible for developing and implementing a remediation, and progress is followed up regularly and reported to management at the quarterly reviews.

Question 13

How do you ensure security awareness among staff?

Accepted Answer

All staff, including management, undergo mandatory and recurring training in information security, data protection and responsible use of AI, and new staff are trained before system access is granted. We reinforce the security culture continuously, including with recurring phishing simulations, external penetration tests and ongoing internal sharing of vulnerability information. We contractually require subcontractors to maintain strict security awareness among their own staff and to comply with relevant regulations and security requirements.

Question 14

How do you govern the IT strategy?

Accepted Answer

The board and management set the IT strategy based on business objectives, security requirements and industry standards, and follow up and reassess it regularly so that services are delivered securely both now and going forward. Customers can influence the prioritisation of new services and features through dialogue with us.

Question 15

How is security responsibility divided between you and us (shared responsibility)?

Accepted Answer

We apply a shared responsibility model. Elastx is responsible for the security of the underlying infrastructure - physical security in the data centers, hypervisor and network isolation, platform availability and basic hardening. You are responsible for the security of what you build on top of the platform: your applications, data, identities, configurations and backup of your data. The model applies to both infrastructure services (IaaS) and container services (CaaS), and a detailed responsibility matrix is available in our cloud security policy (ISO/IEC 27017) and can be shared on request.

Question 16

Organisational chart and responsibility model

Accepted Answer

We have a clearly defined and documented organisational chart with delineated areas of responsibility that are well communicated and understood across the organisation.

Question 17

How do you separate duties and responsibilities?

Accepted Answer

Duties and areas of responsibility that are incompatible, that is, that should not be performed by one and the same person, are kept separate. One example is that the person who performs a sensitive action should not also be able to approve it alone. This reduces the risk of unauthorised or accidental changes and of misuse of assets.

Question 18

Documented structure for policies, processes and procedures

Accepted Answer

Policies are defined, documented and communicated to meet business requirements and to clarify responsibility for working methods, processes and procedures. We use a GRC tool to document, structure, communicate and follow up the framework.

Question 19

How are roles and responsibilities for information security allocated?

Accepted Answer

Security work is systematically organised with clearly defined and documented roles and responsibilities. Each control and security area has a designated owner, the work is coordinated by our Compliance group, and ultimate responsibility rests with the CEO. This ensures that tasks do not fall through the cracks and that it is always clear who is accountable for a given matter.

Question 20

Which information security policies do you have?

Accepted Answer

We have a coherent framework of policies that are approved by management and communicated to employees and relevant external parties. It includes, among others, an overarching information security policy, a cloud security policy (ISO/IEC 27017), an access control policy, a vulnerability management policy, a backup and continuity policy, a secure development policy and a policy for AI ethics and AI governance. The public version of the information security policy is available for download.

Question 21

How often are your information security policies reviewed?

Accepted Answer

The policies are reviewed at least once a year and additionally upon material changes, for example new threats, new legislation or major changes in the business. Each policy has an owner responsible for the review, and changes are approved by management before they are published.

Question 22

What do your documented operating procedures cover?

Accepted Answer

Recurring operational activities are documented as procedures and made available to those who need them. This applies, for example, to operation and monitoring of the platform, backup and recovery, patching and change management, and incident handling. The documentation ensures that work is carried out uniformly and securely regardless of individuals.

Question 23

Compliance with security policies and standards

Accepted Answer

Managers regularly assess that information processing and procedures within their areas of responsibility comply with relevant security policies and standards.

Question 24

Management responsibility

Accepted Answer

Management makes clear the requirements regarding the Code of Conduct, integrity and information security through clear communication, and employees and consultants periodically confirm that they have read and understood applicable policies and procedures. All staff are background-checked, and the check is repeated annually for roles with access to customer data.

Question 25

Are you covered by Cybersäkerhetslagen?

Accepted Answer

Yes. We are covered by Cybersäkerhetslagen (the Swedish Cybersecurity Act, 2025:1506), which implements the NIS2 Directive and entered into force on 15 January 2026. We are covered as a provider of essential and critical infrastructure, partly through the transposition of the CER Directive, and as a provider of cloud services, data center services and CDN. PTS (the Swedish Post and Telecom Authority) is the supervisory authority for digital infrastructure, and Myndigheten för Civilt Försvar (MCF, the Swedish Civil Defence Agency) is the national coordinating authority and recipient of incident reports. We meet the law's requirements regarding security measures, management responsibility, training and incident reporting. Oversight of subcontractors and the supply chain is a central part of the requirements.

Question 26

Can you enter into security protection agreements (SUA)?

Accepted Answer

For security-sensitive customers, for example in the public sector, we can where needed enter into a säkerhetsskyddsavtal (SUA, a Security Protection Agreement) under säkerhetsskyddslagen (the Swedish Protective Security Act, 2018:585). Such an agreement is notified to Säkerhetspolisen (the Swedish Security Service).

Question 27

Compliance process

Accepted Answer

We have an organisation and monitoring in place to stay in control of new or amended regulations, laws and standards relevant to the services. We maintain a legal register that tracks compliance requirements, including GDPR, Swedish security laws, NIS2, DORA and contractual requirements, and we keep our procedures and controls updated against it.

Question 28

How do you maintain contact with authorities?

Accepted Answer

We have documented and maintained contact channels to the authorities relevant to our operations, including PTS as supervisory authority and Myndigheten för Civilt Försvar (MCF) as recipient of incident reports. These contacts allow us to quickly report incidents, receive guidance and stay updated on changing requirements.

Question 29

Do you meet accessibility requirements (WCAG and EN 301 549)?

Accepted Answer

We follow the accessibility requirements under the EU Accessibility Directive (in Sweden, lagen om vissa produkters och tjänsters tillgänglighet, 2023:254) for those of our digital interfaces that are in scope, primarily our public websites and self-service interfaces. We work towards the guidelines in WCAG and the European standard EN 301 549.

Question 30

ICT risk management

Accepted Answer

We ensure and maintain an adequate level of digital operational resilience, and risks within information and communication technology (ICT) are managed within our risk management process.

Question 31

How do you report serious ICT incidents?

Accepted Answer

We have a documented, communicated and tested process for reporting serious ICT incidents and cyber threats to customers and competent authorities. Reporting follows applicable rules, including Cybersäkerhetslagen (which implements NIS2) and, for incidents affecting financial entities we deliver to, DORA. For a significant incident we apply the NIS2 model: early warning within 24 hours, an incident report within 72 hours and a final report no later than one month thereafter.

Question 32

Testing of digital operational resilience

Accepted Answer

We carry out recurring tests of our resilience. Penetration tests are performed by an independent external party, while continuity exercises are conducted internally. Tests are documented and followed by a plan for remediation and upcoming tests.

Question 33

How do you share information about threats and vulnerabilities?

Accepted Answer

We continuously monitor and identify cyber threats and vulnerabilities via established sources and have a procedure for sharing relevant threat information, both internally and with affected customers and collaboration partners where appropriate. The aim is to be able to act quickly on new threats and to contribute to stronger shared resilience.

Question 34

Management of ICT third-party risk

Accepted Answer

Appropriate controls are applied at procurement and on an ongoing basis throughout the contract term to reduce risks linked to critical subcontractors.

Question 35

Exit strategy and migration plan

Accepted Answer

Contracts with critical subcontractors contain exit clauses and a documented process that secures continued delivery during a migration. We validate that the process works through recurring reviews and scenario-based tests of the exit and migration plan, so that it can be carried out in practice if a supplier needs to be replaced.

Question 36

Risk analysis and system security

Accepted Answer

Risk-based analyses and risk-reducing measures are carried out in accordance with applicable law and recognised standards, primarily ISO/IEC 27001 and ISO 31000.

Question 37

Incident management

Accepted Answer

For security and personal data incidents we have a documented incident management procedure to detect, handle and report incidents in accordance with applicable law, including Cybersäkerhetslagen (NIS2) and, for personal data breaches, GDPR.

Question 38

Continuity and crisis management

Accepted Answer

We have plans for, among other things, backup, disaster recovery and crisis management to secure uninterrupted delivery in accordance with laws and contracts.

Question 39

Supply chain security

Accepted Answer

We have controls for our direct suppliers and service providers, that is, those with whom we have a contractual relationship, to ensure that their services meet our security requirements. The requirements are adapted to how critical the supplier is to our delivery.

Question 40

Security in the acquisition, development and maintenance of networks and IT systems

Accepted Answer

Security is integrated into the acquisition, development and maintenance of networks and information systems, including the handling and reporting of vulnerabilities.

Question 41

How do you evaluate that the security measures are effective?

Accepted Answer

We have documented policies and procedures to regularly evaluate the effectiveness of the measures for cybersecurity risk, with criteria, responsibilities, evidence, reporting and remediation.

Question 42

Cyber hygiene and training

Accepted Answer

An awareness and training plan ensures that staff and relevant stakeholders have the security knowledge their role requires.

Question 43

Personnel security

Accepted Answer

We ensure that staff who handle sensitive information and critical systems meet high security requirements. Staff are background-checked before employment, and permissions are granted, reviewed and revoked throughout employment according to the principle of least privilege and zero trust, with multi-factor authentication and clearly defined roles and responsibilities.

Question 44

Access management

Accepted Answer

We have a documented plan and governance for, among other things, multi-factor or continuous authentication and secure communication channels, where appropriate.

Question 45

Do you have cyber insurance?

Accepted Answer

Yes. We have cyber insurance that covers, among other things, liability, business interruption, data recovery and costs associated with a cyber or information incident, including forensic investigation, handling of personal data breaches and access to incident response around the clock. The cover applies globally and complements our technical and organisational security measures.

Question 46

Reporting of weaknesses

Accepted Answer

Our risk policy and procedure allow anyone to report risks and weaknesses to risk management, for example via a ticket or directly to W&C. Reporting is encouraged, the cases are captured and remediated where relevant.

Question 47

Governance of risk control

Accepted Answer

The risk assessment process identifies, assesses and manages risks that affect the organisation's ability to reach its objectives. In practice, this means we carry out contextual risk assessments of technical vulnerabilities based on our unique environment and apply a framework according to ISO 31000 to proactively evaluate and govern risks in our supply chain.

Question 48

Risk awareness and learning

Accepted Answer

The board, management and relevant staff have knowledge of risks and how they are managed, resolved or reduced to an acceptable level. This is ensured through recurring risk reviews, training and by following up risks and remediations in management reviews.

Question 49

Assessment of information security risks

Accepted Answer

Information security risks are automatically given higher priority in the process so that resolution or reduction is handled promptly. In our operational work, this means that detected vulnerabilities are immediately risk-assessed based on system exposure and impact on critical services, which triggers timeframes for patching and mitigating measures.

Question 50

Response to information security risks

Accepted Answer

Risks relating to information security and integrity are reported according to the standard process. Particularly sensitive risks are reported to a small number of designated individuals. In practice, this means that standard risks are tracked through our internal ticketing systems, while critical or confidential matters are escalated directly to the management team or handled via our protected whistleblower channel to ensure confidentiality and immediate action.

Question 51

How do you govern access and permissions?

Accepted Answer

We apply the principle of least privilege, so that each employee receives only the rights required for their role, and administrators have unique, personal accounts. Access is protected in several layers, including with multi-factor authentication and hardware-based security keys for sensitive access. Permissions are reviewed regularly and adjusted or removed upon a change in or termination of employment.

Question 52

Is multi-factor authentication required for administrative access to the production environment?

Accepted Answer

Yes. All administrative access to the production environment goes through secured paths and requires multi-factor authentication. For administrative accounts, hardware-based MFA according to FIDO2/WebAuthn is required, and administrators are equipped with a physical hardware token as the primary factor. We also support time-based one-time passwords (TOTP).

Question 53

Do you background-check your staff?

Accepted Answer

Yes. A background check is carried out on all final candidates before an employment decision is made, and the check is repeated annually for all roles with access to customer data. The checks are carried out in cooperation with an external certified partner and include, among other things, verification of identity, criminal records and court judgments, and financial situation, drawn from public registers or from authorised providers.

Question 54

How are your employees' computers and devices protected?

Accepted Answer

Company devices are subject to encryption, central device management and endpoint security monitoring (EDR), with a local firewall that blocks inbound traffic and automatic updates. We apply clean desk and clean screen rules as well as mandatory automatic screen locking. Devices that can be used to administer customer environments or access customer data are subject to stricter requirements than other devices. Employees are given access only to the systems they have been explicitly authorised for.

Question 55

Mobile device policy

Accepted Answer

A policy and supporting security measures address the risks that the use of mobile devices entails, for example encryption, screen lock and the ability to wipe a device remotely if it is lost or stolen. Devices are additionally protected with extended endpoint protection (XDR) that continuously monitors and alerts on suspicious activity and behaviour.

Question 56

How do remote work and access to the production environment work?

Accepted Answer

All access to the production environment goes through secured paths and requires multi-factor authentication. There are three ways in: a Corporate Proxy, which is the general path for daily access for most employees; a VPN path for maintenance that requires access to multiple systems or to systems not reachable via the proxy; and a separate out-of-band VPN (OOB VPN) used during disaster recovery. Information handled and stored during remote work is additionally protected by policy and technical security measures.

Question 57

Restriction of software installation

Accepted Answer

Rules for which software users may install are established and enforced, so that only approved and secure software runs in the environment and the risk of malicious or insecure code is reduced.

Question 58

Responsibility upon terminated or changed employment

Accepted Answer

Information security responsibilities that apply after terminated or changed employment are defined, communicated and enforced. This includes, among other things, that confidentiality and non-disclosure undertakings remain in force, that assets are returned and that access is revoked, so that the protection of information is maintained even after the role has changed or ended.

Question 59

How are user permissions granted and revoked?

Accepted Answer

We have a formal process for the entire lifecycle of user accounts. When a person joins, the account is registered and granted the permissions the role requires according to the principle of least privilege. Upon a change of role the permissions are adjusted, and when an employment or contract ends the account is deregistered and access is revoked immediately, including SSH keys and VPN credentials, while confidentiality undertakings remain. The process covers all user types and all systems and services, and permissions are reviewed regularly.

Question 60

How do you handle privileged (administrative) permissions?

Accepted Answer

Privileged access rights, that is, elevated administrative permissions, are handled more strictly than ordinary user access. They are granted restrictively and only to named, personal accounts, limited to what the role requires and followed up specifically. Administrative access to the production environment always requires multi-factor authentication.

Question 61

How is secret authentication information (for example passwords and keys) handled?

Accepted Answer

The assignment and handling of secret authentication information, such as passwords, API keys and certificates, is governed by a formal process. Such information is distributed securely, stored protected and rotated when needed, and secrets are never stored in plaintext in source code. We use a password management system that maintains good password quality.

Question 62

What is expected of users regarding secret authentication information?

Accepted Answer

Users follow the organisation's procedures for protecting passwords and other secret authentication information, including not sharing login credentials and handling them securely.

Question 63

Is the environment monitored around the clock?

Accepted Answer

Yes. We monitor the platform's operation and network traffic around the clock, year-round (24/7/365), with automatic alerts going directly to our engineers. The real-time monitoring tracks platform health, security metrics and network traffic and alerts on anomalies, and central dashboards watch for, among other things, unauthorised access attempts and abnormal traffic patterns. Operational and security logs are collected centrally, and we work continuously to strengthen our ability to detect security events.

Question 64

Is privileged access to the infrastructure logged?

Accepted Answer

Yes. We keep audit logs for all infrastructure, which includes logins and privileged access to underlying systems. The logs are collected centrally and retained for an extended period, and relevant extracts can be provided on request - for example in connection with a security or personal data incident.

Trust Center

Why organizations trust Elastx

Digital Sovereignty

Data Stays in Sweden

Certified Security

High Availability

No Vendor Lock-In