Compliance
Find common compliance acronyms here. Most of them do not apply to us, or we simply don't do it. At least now you know.
# TOM
Technical and Organizational Measures: Please understand that fortrabbit is a software company, a so-called Platform as a Service. The actual hosting infrastructure runs on Amazon Web Services (AWS). Standard Technical and Organizational Measures for general hosting services therefore mostly don't apply here. We don't have physical access to data centers and therefore cannot grant such access to a third party. For the physical and infrastructure layer, we can only point to the TOM published by AWS; this is in line with other PaaS vendors on the market, which also "only" provide pointers to their infrastructure provider's TOM.
# W-8BEN-E
According to our understanding, we are not required to fill out this form. Note that our company headquarters is located in Berlin, Germany.
# COI
A Certificate of Insurance document is not common in Europe. However, fortrabbit is a registered GmbH in Germany; the closest analogy in English is a Limited Liability Company (LLC). We, like any other hosting company, cannot agree to be liable for your losses caused by downtime, except for cases of gross negligence as covered by our Terms of Service. We do provide a Service Level Agreement, which may be relevant to this question.
# NIS
NIS Directive (EU) 2016/1148: From our understanding, the Directive on security of network and information systems does not apply to us. Please understand that fortrabbit is mostly a software service; we do not operate or control any physical networks. Apart from that, our company is a small business.
# CPA
Classification of Products by Activity, the EU product nomenclature: what we do falls under CPA 63.11.1 "Data processing, hosting, application services and other IT infrastructure provisioning services", more specifically CPA 63.11.12 "Web hosting services".
# ISO 27001
We are not ISO/IEC 27001 certified ourselves, but our infrastructure provider AWS is. Note that the AWS certification covers the underlying infrastructure, not the fortrabbit platform layer running on top of it.
# HIPAA
The Health Insurance Portability and Accountability Act is a US law regulating the handling of protected health information. We cannot sign a BAA (Business Associate Agreement).
# W-9
Some clients ask us for a W-9 (Request for Taxpayer Identification Number and Certification, the form a payer uses to prepare a 1099) or a W-8BEN-E. These are US Internal Revenue Service forms used for tax reporting and withholding. Sorry, no. The fortrabbit company is not based in the US. As far as we understand, US tax regulations do not apply to us.
# SOC 1
A Service Organization Control 1, or SOC 1 engagement, is an audit of the internal controls at a service organization that are relevant to its clients' financial reporting. Sorry, we are NOT doing that.
# SOC 2
If you are hosting or processing other types of information for your clients that do not impact their financial reporting, you may be asked for a SOC 2 audit report, which covers controls for security, availability, processing integrity, confidentiality and privacy. Sorry, we are NOT doing that.
# SSAE 18
Statements on Standards for Attestation Engagements (SSAE) 18 is the attestation standard under which SOC reports are issued; it superseded SSAE 16 in 2017. A Type I report assesses the design of controls at a point in time, a Type II report their operating effectiveness over a period. Sorry, we are NOT doing that.
# Custom terms
We do not negotiate custom terms with individual clients. The fortrabbit hosting platform is a standardized self-service hosting solution for professionals and small and medium-sized enterprises. We intend to keep our business relations lightweight. We don't have a legal team on staff, so there is no in-house expertise to verify in which areas your custom contracts may contradict our standard rules. The fortrabbit platform is constantly evolving; new features usually affect all clients and already have to be checked against our security standards, privacy rules and legal requirements.