Protecting data is our ongoing commitment to European customers

Protect your data

Earning customer trust is the foundation of our business at AWS and we know you trust us to protect your most critical and sensitive assets: your data. We work closely with you to understand your data protection needs, and offer the most comprehensive set of services, tooling, and resources to help protect your data. To do this, we provide technical, operational, and contractual measures needed to protect your data. With AWS, you manage the privacy controls of your data, control how your data is used, determine who has access, and how it is encrypted. We underpin these capabilities with the most flexible and secure cloud computing environment available today.

Our commitments to protect European customer data

  • Data controls and residency
  • With AWS, you control your data by using powerful AWS services and tools that allow you to determine where your data is, how it is secured, and who has access to it. Services such as AWS Identity and Access Management (IAM) allow you to securely manage access to AWS services and resources. AWS CloudTrail and Amazon Macie enable compliance, detection, and auditing, while AWS CloudHSM and AWS Key Management Service (AWS KMS) allow you to securely generate and manage encryption keys. AWS Control Tower provides governance and controls for data residency.

  • Data privacy
  • We continuously raise the bar on privacy safeguards with services and features that let you to implement your own privacy controls, including advanced access control, encryption, and logging features. We make it easy to encrypt data in transit and at rest using keys either managed by AWS or fully managed by you. You can bring your own keys that were generated and managed outside of AWS. We implement consistent and scalable processes to manage privacy, including how data is collected, used, accessed, stored, and deleted. We provide a wide variety of best practice documents, training, and guidance that you can leverage to protect your data, such as the Security Pillar of the AWS Well-Architected Framework. We only process customer data – that is any personal data you upload to your AWS account - under your documented instructions and do not access, use, or share your content without your agreement, as described in our AWS Customer Agreement and AWS GDPR Data Processing Addendum (AWS GDPR DPA). Thousands of customers who are subject to GDPR use AWS services for these types of workloads. We have achieved internationally-recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27701 for privacy information management, and ISO 27018 for cloud privacy. We do not use customer data or derive information from it for marketing or advertising purposes.
     
    Learn more at our Data Privacy Centre.
  • Data sovereignty
  • You can choose to store your customer data in any one or more of our European Regions, including EU Regions in France, Germany, Ireland, Italy, Spain, and Sweden. You can also choose to store your customer data in our Regions in Switzerland and in the United Kingdom. Both Switzerland and the United Kingdom have current adequacy decisions under GDPR for the transfer of personal data. You can also use AWS services with the confidence that customer data stays in the AWS Region you select. A small number of AWS services involve the transfer of data, for example, to develop and improve those services, where you can opt-out of the transfer, or because transfer is an essential part of the service (such as a content delivery service). We prohibit -- and our systems are designed to prevent -- remote access by AWS personnel to customer data for any purpose, including service maintenance, unless that access is requested by you or unless access is required to prevent fraud and abuse, or to comply with law. We are committed to important EU privacy, portability, and digital sovereignty programmes -- including Cloud Infrastructure Services Providers in Europe (CISPE) Code of Conduct, the European Commission Standard Contractual Clauses (SCC), the SWIPO Infrastructure as a Service (IaaS) Code of Conduct, and GAIA-X.

  • Security
  • At AWS, security is our top priority and security in the cloud is a shared responsibility between AWS and our customer. You can improve your ability to meet core security, confidentiality, and compliance requirements with our comprehensive services, whether that's through Amazon GuardDuty or our AWS Nitro System, the underlying platform for our EC2 instances. We've designed the Nitro System to have workload confidentiality and no operator access. With the Nitro System, there’s no mechanism for any system or person to log in to EC2 servers, read the memory of EC2 instances, or access any data stored on instance storage and encrypted EBS volumes. In addition, services such as AWS CloudHSM and AWS Key Management Service allow you to securely generate and manage encryption keys, and AWS Config and AWS CloudTrail deliver monitoring and logging capabilities for compliance and audits.

    We comply with internationally recognized standards such as Cloud Computing Compliance Controls Catalog (C5) and Esquema Nacional de Seguridad (ENS). We also achieved certifications including PCI-DSS, Hébergement de Données de Santé (HDS, France), and TISAX (EU Automotive), helping satisfy compliance requirements for regulatory agencies across the EU. Financial services providers, healthcare providers, and governmental agencies are among the customers, who trust us with some of their most sensitive information.

    Learn more about AWS Security, Identity, and Compliance services.

Our commitments to protect European customer data

Data controls and residency

With AWS, you control your data by using powerful AWS services and tools that allow you to determine where your data is, how it is secured, and who has access to it. Services such as AWS Identity and Access Management (IAM) allow you to securely manage access to AWS services and resources. AWS CloudTrail and Amazon Macie enable compliance, detection, and auditing, while AWS CloudHSM and AWS Key Management Service (AWS KMS) allow you to securely generate and manage encryption keys. AWS Control Tower provides governance and controls for data residency.

Data privacy

We continuously raise the bar on privacy safeguards with services and features that let you to implement your own privacy controls, including advanced access control, encryption, and logging features. We make it easy to encrypt data in transit and at rest using keys either managed by AWS or fully managed by you. You can bring your own keys that were generated and managed outside of AWS. We implement consistent and scalable processes to manage privacy, including how data is collected, used, accessed, stored, and deleted. We provide a wide variety of best practice documents, training, and guidance that you can leverage to protect your data, such as the Security Pillar of the AWS Well-Architected Framework. We only process customer data – that is any personal data you upload to your AWS account - under your documented instructions and do not access, use, or share your content without your agreement, as described in our AWS Customer Agreement and AWS GDPR Data Processing Addendum (AWS GDPR DPA). Thousands of customers who are subject to GDPR use AWS services for these types of workloads. We have achieved internationally-recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27701 for privacy information management, and ISO 27018 for cloud privacy. We do not use customer data or derive information from it for marketing or advertising purposes.
 
Learn more at our Data Privacy Centre.

Data sovereignty

You can choose to store your customer data in any one or more of our European Regions, including EU Regions in France, Germany, Ireland, Italy, Spain, and Sweden. You can also choose to store your customer data in our Regions in Switzerland and in the United Kingdom. Both Switzerland and the United Kingdom have current adequacy decisions under GDPR for the transfer of personal data. You can also use AWS services with the confidence that customer data stays in the AWS Region you select. A small number of AWS services involve the transfer of data, for example, to develop and improve those services, where you can opt-out of the transfer, or because transfer is an essential part of the service (such as a content delivery service). We prohibit -- and our systems are designed to prevent -- remote access by AWS personnel to customer data for any purpose, including service maintenance, unless that access is requested by you or unless access is required to prevent fraud and abuse, or to comply with law. We are committed to important EU privacy, portability, and digital sovereignty programmes -- including Cloud Infrastructure Services Providers in Europe (CISPE) Code of Conduct, the European Commission Standard Contractual Clauses (SCC), the SWIPO Infrastructure as a Service (IaaS) Code of Conduct, and GAIA-X.

Our contracts are written in plain, straightforward language and include commitments that go beyond those available from other cloud providers to protect customer data. Our strengthened commitments to you build on our long track record of challenging law enforcement requests. If we receive a law enforcement request for customer data from government bodies, whether inside or outside the European Economic Area (EEA), we commit to challenge requests that are overbroad, or where we have any appropriate grounds to do so, including where the request conflicts with EU law, as described in our supplementary addendum to the AWS GDPR DPA. We also provide a bi-annual Information Request Report describing the types and number of information requests AWS receives from law enforcement.

We are transparent about our commitments to protect our EU customers’ data. Our AWS GDPR Data Processing Addendum (AWS GPDR DPA) including Standard Contractual Clauses, automatically applies for our customers who are subject to General Data Protection Regulation (GDPR). In addition, our UK GDPR Addendum to the AWS GDPR DPA applies when the UK GDPR applies to your use of the AWS Services to process UK Customer Data (as defined in the AWS UK GDPR Addendum). As part of our continued commitments, we offer Privacy Features of AWS Services resources to help you to determine whether the maintenance and provision of our services to you may involve customer data being transferred outside of the AWS Region in which you chose to store customer data. These resources make it easier for you to comply (and demonstrate compliance) with regulations, including GDPR. They also help you complete your data transfer assessments in accordance with recommendations from the European Data Protection Board (EDPB) on transferring personal data in compliance with “Schrems II”. You can select to use AWS services that only store and process customer data in the EU. Links are available on our GDPR Center.

Security

At AWS, security is our top priority and security in the cloud is a shared responsibility between AWS and our customer. You can improve your ability to meet core security, confidentiality, and compliance requirements with our comprehensive services, whether that's through Amazon GuardDuty or our AWS Nitro System, the underlying platform for our EC2 instances. We've designed the Nitro System to have workload confidentiality and no operator access. With the Nitro System, there’s no mechanism for any system or person to log in to EC2 servers, read the memory of EC2 instances, or access any data stored on instance storage and encrypted EBS volumes. In addition, services such as AWS CloudHSM and AWS Key Management Service allow you to securely generate and manage encryption keys, and AWS Config and AWS CloudTrail deliver monitoring and logging capabilities for compliance and audits.

We comply with internationally recognized standards such as Cloud Computing Compliance Controls Catalog (C5) and Esquema Nacional de Seguridad (ENS). We also achieved certifications including PCI-DSS, Hébergement de Données de Santé (HDS, France), and TISAX (EU Automotive), helping satisfy compliance requirements for regulatory agencies across the EU. Financial services providers, healthcare providers, and governmental agencies are among the customers, who trust us with some of their most sensitive information.

Learn more about AWS Security, Identity, and Compliance services.

Control without compromise

Meet your digital sovereignty requirements without compromising on the capabilities, performance, innovation, and scale of the AWS Cloud.

Powering customer innovation in Europe

Spotlight on EU data transfer requirements

Learn about services and resources that AWS offers to help you conduct data transfer assessments. We’ve created these resources in light of the “Schrems II” ruling about transfers of personal data subject to the GDPR, and subsequent recommendations from the European Data Protection Board, as well as key supplementary measures taken by AWS.

EU Data Transfer Requirements - Examples of Supplementary Measures

AWS Digital Sovereignty Pledge: Control without compromise

AWS Digital Sovereignty Pledge

IDC whitepaper - Trusted Cloud: Overcoming the Tension Between Data Sovereignty and Accelerated Digital Transformation

IDC whitepaper - Trusted Cloud: Overcoming the Tension Between Data Sovereignty and Accelerated Digital Transformation

Navigating Compliance with EU Data Transfer Requirements
Data Privacy Center

Data Privacy Center

GDPR Center

GDPR Center