[unilynx]

I assume they don't mean to refer to the physical building, but to the organisation responsible for the building and its physical security. Anyway that's a thing for auditors to have fun with (so you say you're hosting provider is certified, can you show me their certificate?) as you're not supposed to lean on their website information anyway.

I don't think many of the competitors in this space (eg Linode and DigitalOocean) own their datacenters either.

As Linode put it: Linode as an entity is not ISO27001 and we rely on the data centers we colocate with to obtain and maintain these certifications

Or DigitalOcean in 2017: Our FRA1 facility is ISO9001:2008, ISO27001:2005, and ISO22301:2012 certified.

(DigitalOcean later got their own certification)