Security & Compliance

Certified, audited, and operationally accountable.

Critical Cloud holds ISO 27001 and Cyber Essentials Plus. Our operations (incident management, change control, observability, and access governance) are designed to help customers meet their own regulatory obligations, including DORA and NIS2. EU and UK data residency is available.

  • ISO 27001: Certified, ISO/IEC 27001:2022
  • CE Plus: Cyber Essentials Plus certified
  • EU + UK: Data residency options
  • DORA & NIS2: Operational support for regulated customers

Our posture at a glance
  • ISO 27001:2022 certified: independent audit of our information security management system
  • Cyber Essentials Plus certified: UK government-backed scheme, technically tested
  • Least-privilege access: IAM controls, just-in-time access, no standing admin sessions
  • Structured incident management: SEV-based severity model, documented postmortems
  • Change control: CAB process, customer approval for material changes
  • Sub-processor transparency: documented, available on request

Certifications

Independently audited and certified

Both certifications are maintained and renewed, not a one-off assessment. Documentation is available on request for procurement and due diligence processes.

Information security management

ISO/IEC 27001:2022

ISO 27001 is the international standard for information security management systems (ISMS). Certification means our policies, controls, and processes for managing information security risk have been independently audited and verified against the standard's requirements.

  • Risk assessment and treatment across our operations
  • Access control, cryptography, and physical security controls
  • Incident management, business continuity, and supplier relations
  • Annual surveillance audits and three-year recertification cycle

Certificate and scope statement available on request.

UK government-backed cyber security

Cyber Essentials Plus

Cyber Essentials Plus is the UK government-backed certification scheme covering five core cyber security controls. The "Plus" level involves independent technical testing, not self-assessment, verifying that the controls are actually in place and functioning.

  • Firewalls and network boundary controls
  • Secure configuration of devices and services
  • User access control and privilege management
  • Malware protection and software patching, technically verified

Certificate available on request for supplier onboarding and due diligence.

Regulatory readiness

Supporting customers subject to DORA and NIS2

We don't provide legal advice, and regulations place obligations on you, not on us. What we do is run the operational infrastructure (observability, incident management, change control, postmortems) in a way that is designed to help you evidence and meet those obligations.

DORA, Digital Operational Resilience Act

DORA requires EU financial services firms to demonstrate operational resilience: ICT risk management, incident classification and reporting, digital operational resilience testing, and oversight of third-party ICT providers.

How our operations support this:

  • ICT incident management: SEV-based incident classification, documented response timelines, and blameless postmortems, which together form the audit trail DORA reporting requires
  • ICT risk management: ISO 27001 ISMS provides the risk assessment and treatment framework; Datadog observability provides continuous visibility into the operational risk posture
  • Third-party ICT oversight: we operate as a regulated third-party ICT provider; sub-processor documentation, SLA evidence, and audit rights are available on request
  • Resilience testing support: our alliance with Tarian Labs can provide penetration testing and resilience assessments alongside your DORA testing programme

NIS2, Network and Information Security Directive

NIS2 extends security and incident-reporting obligations to a broader set of sectors, including digital infrastructure, managed service providers, and cloud services, across EU member states. It requires risk management measures, supply chain security, and timely incident notification.

How our operations support this:

  • Risk management measures: ISO 27001 ISMS, change control, access governance, and the improvement engineering programme address the technical and organisational measures NIS2 requires
  • Incident reporting: our SEV-1 incident management process documents timeline, impact, and root cause, which is the raw material for NIS2 72-hour notification obligations
  • Supply chain security: sub-processor list and contractual security requirements available; we apply security obligations to our own suppliers
  • MSP scope: as a managed service provider, we operate within NIS2's scope and maintain the security measures the directive requires of providers in our category

This is not legal advice. DORA and NIS2 impose obligations on your organisation as the regulated entity. How our operations map to your specific obligations depends on your sector, jurisdiction, and circumstances. We can provide operational documentation to support your compliance programme; talk to us or your legal advisers for guidance specific to your situation.

Data residency

EU, UK, and data sovereignty options

Where your observability and operational data is stored matters, for GDPR, for Swiss nDSG, and for customers in regulated sectors. Datadog offers both EU and US site options; we configure your environment to match your residency requirement.

| Region / requirement | Datadog site | Relevance |
|---|---|---|
| EU data residency | Datadog EU1 site (eu1.datadoghq.com), data stored in Frankfurt, Germany | Meets GDPR cross-border transfer requirements for EU customers; supports DORA data-localisation preferences |
| UK data residency | Datadog US1 or EU1 (UK adequacy decision applies); Azure UK regions for cloud workloads | UK GDPR-compatible; UK adequacy decision maintains equivalence for EU→UK transfers post-Brexit |
| Switzerland (nDSG) | Datadog EU1 (data stored in Germany / EU); Switzerland–EU SCCs where relevant | Swiss nDSG aligns closely with GDPR; EU1 site and appropriate transfer mechanisms support Swiss data-residency expectations |
| Ireland | Datadog EU1 | GDPR-native; EU site ensures all observability data remains within the EEA |
| EMEA (other markets) | EU1 or US1, configured per customer requirement | We advise on the right Datadog site for each customer's jurisdiction and sector obligations |

Datadog's own sub-processors and data processing addendum are published by Datadog at datadoghq.com/legal/sub-processors. Critical Cloud's sub-processor list is available on request.

Operating model

How security is built into how we operate

Security controls are operational, not documentary. They show up in how we manage access, run changes, and handle incidents, every day, for every customer.

ISO 27001 ISMS

Our Information Security Management System defines how we assess and treat risk, manage policies, train staff, audit controls, and handle non-conformances. Annual surveillance audit; three-year recertification cycle.

Structured incident management

SEV-1 to SEV-4 severity classification, documented response timelines, and blameless postmortems for all SEV-1 events. Incident records include timeline, impact, root cause, and remediation actions.

Change control & CAB

All material changes to customer infrastructure go through our Change Advisory Board process. Customers approve changes that affect their environment. Emergency changes are documented post-event with full rationale.

Least-privilege access

Access to customer environments follows least-privilege principles. IAM controls and access governance reviews are part of the standard operating model. Customers retain admin and IAM control at all times.

Observability and audit trail

Datadog provides a continuous, tamper-evident audit trail of operational activity. Customers have full, real-time access to their own Datadog environment; visibility is not restricted to Critical Cloud engineers.

Sub-processor handling

We maintain a documented sub-processor list covering the tools and services used in delivering managed services. Available on request for procurement, DPA, and compliance purposes.

Need security documentation for procurement or compliance?

ISO 27001 certificate, Cyber Essentials Plus certificate, sub-processor list, and DPA terms are available on request.
