[unilynx]

Are you sure they're actually saying that?

A lot of hosting providers actually say that their data centers are ISO 27001 compliant, but that doesn't make the provider itself compliant

(and it seems scaleway is still doing that too on https://www.scaleway.com/en/datacenter/)

[madaxe_again]

Well, that’s ridiculous - an asset cannot be compliant - an organisation, and their processes and controls are what are meant to be compliant.

If just their data centres are compliant, I guess there’s nothing to stop their staff or contractors just stealing data, as they have here - as compliance purely around physical security for a data centre is 100% meaningless if you’re just ignoring cryptographic controls and human security controls.

I’m guessing their certification body isn’t themselves certified. Actually, the fact that they neither say who their certifying body is nor include a link to their certificate, suggests to me that they are lying - which is far more common than you would think.

[unilynx]

I assume they don't mean to refer to the physical building, but to the organisation responsible for the building and its physical security. Anyway that's a thing for auditors to have fun with (so you say you're hosting provider is certified, can you show me their certificate?) as you're not supposed to lean on their website information anyway.

I don't think many of the competitors in this space (eg Linode and DigitalOocean) own their datacenters either.

As Linode put it: Linode as an entity is not ISO27001 and we rely on the data centers we colocate with to obtain and maintain these certifications

Or DigitalOcean in 2017: Our FRA1 facility is ISO9001:2008, ISO27001:2005, and ISO22301:2012 certified.

(DigitalOcean later got their own certification)