Legislative development and self-regulation

General Data Protection Regulation (GDPR)

The rights and freedom of European citizens in relation to their personal data are increasingly coming under the spotlight of the European Commission. On 25 May 2018 the General Data Protection Regulation (GDPR), will come into force throughout the European Union. This regulation focuses on citizen’s rights’ to data portability, data erasure, data access and transparency in relation to the processing of their information as well as the right to be notified promptly of any data breaches.
The GDPR represents the most significant step in the development of EU legislation since the introduction of the European Union Data Protection Directive, Directive 95/46/EC.

CISPE code of conduct

Since 2016 Aruba has been part of CISPE (Cloud Infrastructure Services Providers in Europe), a coalition of more than 20 Cloud infrastructure providers working in Europe that has drawn up a code of conduct for data protection that allows customers of Cloud infrastructure providers to process and save data exclusively within the EU/EEA.

For more information, go to https://cispe.cloud.

How data is managed at Aruba

Data stored, backed up and saved in the EU

All of Aruba's servers are in clusters, and storage is backed up for maximum reliability. You can choose to activate the structure in more than one data center to guarantee Business Continuity and Disaster Recovery and ensure security, redundancy and efficiency.

Customers can choose from a European network that includes three data centers in Italy, one in the Czech Republic, one in France, one in Germany, one in the UK and one in Poland. This allows you to find the perfect location to develop your IT projects and satisfy any specific geographical requirements. Our customers in fact choose the region or regions in which their data is stored.

Customers can make a copy or a backup of the content in more than one region. The original content will not be transferred outside of the selected region, unless specifically requested or in accordance with applicable regulations.

Security in Aruba's Cloud environment

Certified standards

Aruba has been awarded a number of certificates confirming its compliance with solid security standards, including ISO 27001:2013, ISAE 3402:2011 Type II Report and ANSI/TIA 942-A-2014.

Shared liability

For the Cloud, Aruba has adopted a model of shared liability, according to which Aruba is responsible for the security of the Cloud infrastructure (Cloud security), and customers are responsible for the security of their data and applications (Security in the Cloud).

Reliable and efficient data centers

Aruba's Data Centers have been designed to guarantee maximum reliability: redundancy of all sources of energy and cooling systems, maximum security of the facilities, redundancy of network connections and a highly-experienced team of experts.

To find out more about Aruba's infrastructures, please visit our website https://www.datacenter.it/en/.

Cloud experts

Aruba has a number of different solutions architect teams, account managers, consultants, trainers and staff in the European Union who have been trained on Cloud compliance and security and are available to help Aruba customers with a series of best security practices for the Cloud.


Typical contractual clauses (also known as "model clauses") are a collection of standard provisions approved by the European Commission that can be used to allow the transfer of personal information according to specific compliance criteria from one control body to another body responsible for processing data outside the European Economic Area.

Article 29 establishes a Working Party in accordance with the directive on data protection drawn up by the European Parliament and Council. The Working Party is made up of representatives of the authorities that protect personal data from all the member states of the EU and the European Commission. The Working Party stipulated by article 29 works to standardize the application of data protection regulations throughout the European Union and advises the European Commission on the adequacy of data protection standards in countries outside the Union.

CISPE is a coalition of technology companies focusing on providing Cloud Computing infrastructure services throughout Europe. With offices in 11 European countries (Bulgaria, France, Germany, Spain Finland, Italy, the Netherlands, Norway, Poland, Switzerland and the United Kingdom) and operating in more than 15 countries, the following Cloud Computing infrastructure service providers have agreed to the CISPE code of conduct: Arsys, Art of Automation, Aruba, BIT, Daticum, Dominion, Fasthosts, FjordIT, Gigas, Hetzner Online, Home, Host Europe Group, IDS, Ikoula, LeaseWeb, Lomaco, Outscale, OVH, Seeweb, Solidhost, UpCloud, VTX, XXL Webhosting, 1&1 Internet.

“Cloud Infrastructure Services Providers in Europe (CISPE)”, a recently formed coalition of more than 20 Cloud infrastructure providers in Europe, including Aruba, has produced the first code of conduct for data protection, which allows customers of Cloud infrastructure providers to process and save data exclusively within the EU/EEA. According to the CISPE Code of Conduct, Cloud infrastructure providers cannot carry out ‘data mining’ or trace a customer data profile for the purposes of marketing, advertising or similar activities, for personal use or to sell to third parties. The CISPE Code precedes the application of the European Union's new General Data Protection Regulation (GDPR). It fits in with the requirements stipulated by the new regulation, with the main goal of giving citizens back control of their own personal data, and simplifying the legislative context for international commerce by unifying the regulations within the EU. CISPE brings together Cloud infrastructure providers of various kinds operating in more than 15 countries.

The CISPE Code of Conduct helps customers decide whether the Cloud infrastructure services are suitable for the processing of personal data that they wish to carry out, and those identified as suitable will be identified by a Trust Mark. This Mark can be used by Cloud infrastructure providers to show customers that they comply with the relevant requirements, and the approved organizations will also be listed on the CISPE website. According to the CISPE Code of Conduct, Cloud infrastructure customers will have the guarantee that Cloud infrastructure providers will not process their personal data for their own benefit or to sell to third parties, such as for example to extract personal data, profiling individuals, marketing or similar activities. As well as this, providers certified by the CISPE Code of Conduct must offer their customers the option to process and save data exclusively within the EU or EEA. This means that the customers of providers in this sector or software who obtain these Cloud infrastructure services can check where their own data is physically processed and saved, in the knowledge that their provider will not reuse or resell that data.

The CISPE Code precedes the entry into force of the new and more rigorous General European Data Protection Regulation and is based on internationally recognized security standards that will improve the security of data processing for all Cloud customers and their users. The new Code of Conduct has been put together in such a way as to fit in with the GDPR, when it comes into force.

Start using Aruba Cloud


(*) Aruba will give you a voucher worth € 2 to spend on any Cloud product