
What ISO 27001 Hosting Actually Means for Your Documents

ISO 27001 hosting demystified: what the certification really guarantees for your LaTeX documents, what it does not, and where inscrive.io stores your research.

inscrive.io · Mar 18, 2026 · 9 min read

You have seen the badge. “ISO 27001-certified” sits on a hundred vendor pages, usually next to a padlock icon and some reassuring blue. For most researchers it reads as generic trust-signalling, the software equivalent of “as seen on TV.” That is a shame, because ISO 27001 hosting is one of the few security claims with real teeth, and understanding what it does (and does not) guarantee tells you something concrete about whether your unpublished work is safe. Here is the demystified version, followed by where inscrive.io’s infrastructure actually sits.

What ISO 27001 is

ISO/IEC 27001 is an international standard for managing information security. The key word is managing. The certificate does not say “this company has perfect security.” It says the organisation has built and maintains an Information Security Management System (ISMS): a structured, documented way of identifying risks to information and putting controls in place to handle them.

Think of it less like a single locked door and more like a building code. A certified organisation has to:

  • Identify what information it holds and what threatens it.
  • Decide on controls to reduce those risks, drawn from a defined catalogue.
  • Assign responsibility, write the procedures down, and actually follow them.
  • Get audited by an independent, accredited certification body.
  • Keep doing it, because certificates expire and surveillance audits recur.

That last point is what separates ISO 27001 from a self-declared “we take security seriously.” An outside auditor checks the work, on a schedule. You cannot quietly let it lapse and keep the badge.

What the certificate actually guarantees

Be precise here, because vendors blur it. ISO 27001 guarantees that an organisation has a working security management system that an independent auditor has verified. The standard’s control catalogue (Annex A) covers the things you would hope a host worries about:

| Control area | What it covers |
|---|---|
| Access control | Who can reach systems and data, and how that’s enforced. |
| Cryptography | Encryption of data in transit and at rest. |
| Physical security | Data centre access, locks, surveillance, environmental controls. |
| Operations security | Backups, logging, malware protection, change management. |
| Incident management | How breaches are detected, reported, and handled. |
| Supplier relationships | Security obligations passed down to third parties. |

For your documents specifically, that means the place storing your thesis chapters has audited answers to: who can physically walk up to the server, how the disks are encrypted, what happens when something goes wrong, and who is accountable.

What it does not guarantee

Equally important, so you read these badges with clear eyes.

ISO 27001 does not tell you where your data lives. A US company can be ISO 27001 certified and still host your data in Virginia, which means the certificate says nothing about Schrems II exposure or third-country transfers. Certification and data residency are separate questions, and a vendor that answers a “where is my data” question by pointing at an ISO badge is dodging.

It also does not, by itself, mean GDPR compliance. The two overlap heavily on the security side, and ISO 27001 is excellent evidence for the “technical and organisational measures” that GDPR Article 32 demands. But GDPR also covers lawful basis, data subject rights, and transfers, which the security standard does not address. You want both, and you want to know they are distinct.

So when you see the badge, the right mental translation is: “an independent auditor confirmed this organisation runs a real security programme.” That is genuinely valuable. It is just not the whole story.

Certification versus compliance, and why scope matters

One more trap. ISO 27001 certificates have a scope, and the scope is everything. A company can certify a narrow slice of its operations, say the corporate IT systems, while the product you actually use runs on infrastructure outside that boundary. The badge looks identical either way. So the honest question is not just “are they certified” but “is the thing storing my documents inside the certified scope.” Reputable hosts publish their scope statement and the name of the accredited certification body that issued the certificate. If a vendor cannot tell you which body certified them or what the scope covers, the badge is closer to decoration than evidence.

This is also why inheriting certification from your hosting provider is fine, as long as you are clear about it. A LaTeX editor that runs on Hetzner’s ISO 27001-certified data centres inherits the physical and operational controls of those facilities. That is a legitimate and common arrangement. The thing to verify is simply that the chain is real and that the host’s scope covers the servers your data actually lives on.

Where inscrive’s documents actually sit

inscrive hosts everything with Hetzner, a long-established German infrastructure provider, in data centres in Germany and Finland. Those data centres are ISO 27001-certified. So the physical and operational security under your projects is the audited kind, not the trust-me kind.

Two things make this footprint worth pointing at specifically.

First, it is EU-only. Germany and Finland are both inside the EU, which means inscrive combines audited ISO 27001 security with 100% EU data residency and no third-country transfers. You get the security-management guarantee and the answer to “where does my data live,” instead of one standing in for the other. That second question is the one Schrems II turns on, and we cover it in Schrems II and your academic software stack.

Second, inscrive backs the security claims with an independent inspection and audit report, not just the certification of the underlying data centres. For institutional buyers there is also a signed data processing agreement, which is the contractual layer that sits on top of the technical one. If you want the plain-English version of that document, see why your LaTeX tool needs a signed DPA.

A note on tiers, because it matters: inscrive is freemium. EU data residency and the ISO 27001-certified hosting are not paywalled. They apply on the Free plan (€0, up to 10 active projects, unlimited collaborators) exactly as they do on Pro and Organizations. The security floor is the same for everyone. Pro adds things like longer compile time and AI assistance, and the signed DPA is part of the Organizations plan, but where your data lives and how it is protected does not depend on what you pay.

How to read a hosting claim like a pro

Next time a writing tool waves an ISO 27001 badge, ask three follow-ups:

  1. Is the certification yours or your host’s? Plenty of tools inherit it from AWS or Hetzner. That is fine, but know which entity is certified and for what scope.
  2. Where, physically, is the data? The badge does not answer this. Make them say the country.
  3. Can I see an audit or inspection report? A certified organisation can produce evidence. A vendor that only has a logo cannot.

Honest vendors answer these without flinching. For inscrive the answers are: the data centres are Hetzner’s certified facilities, the data sits in Germany and Finland, and there is an independent inspection report you can request. The GDPR page and our broader compliance overview lay out the rest.

The takeaway

ISO 27001 hosting is a real signal. It means an outside auditor checked that the organisation guarding your documents runs an actual security programme, on a recurring basis, against a defined set of controls. Just do not let the badge stand in for the question it cannot answer: where your data physically lives. The strongest position is both, audited security and EU residency, which is the combination inscrive runs on by hosting in ISO 27001-certified data centres in Germany and Finland with no transfers out.

inscrive.io keeps your LaTeX projects in ISO 27001-certified EU data centres, on every plan including the free one, and never trains AI on your work. Start writing, it’s free, and check the GDPR page for the specifics.
