Cloud-Based Deployment

Evrotrust’s solution is delivered as a secure, cloud-based service hosted within the European Union (AWS Ireland and/or Germany), fully compliant with GDPR, eIDAS, and applicable cybersecurity standards.

Personal Data Handling and GDPR Compliance:

Evrotrust collects and processes only the minimum necessary personal data, strictly for defined purposes related to qualified trust services. This is aligned with both GDPR and eIDAS requirements and is described in detail in our publicly available Privacy Policy for End Users.

As a QTSP established in the EU, and as a provider of electronic identification services within an EU-notified eID scheme, Evrotrust is subject to detailed legal and regulatory requirements under Regulation (EU) No 910/2014, as amended by Regulation (EU) 2024/1183 (the eIDAS framework). Under the eIDAS principles, the recipient of eID and qualified trust services is the final user, who in most cases is the natural person holding the electronic identification means and/or the issued certificates, and the QTSP is required to have a contract with that final user. This means that, even though the final user may be a client of Evrotrust's commercial partner (bank, insurance company, HR platform, etc.), the user is also a direct client of Evrotrust and is bound by a contract with Evrotrust. Evrotrust processes the personal data of that user on its own legal basis and for its own purposes, on the basis of the contract concluded with that user.

In view of the above, please note that the requirements of Art. 28 GDPR do not apply to Evrotrust's activities and its relations with its partners. In the majority of cases, Evrotrust and its partners have a controller-to-controller relationship, which is described in detail and governed by a DPA. Evrotrust has described the processing it carries out in relation to its partners in its public document Clause Personal Data Protection, which serves as such a DPA. Alternatively, depending on the specifics of the processes implemented for the use of Evrotrust's services and upon request, Evrotrust can sign a personalized bilateral DPA governing the controller-to-controller relationship.

All personal data is:

  • Used solely for identity verification, QES issuance, and related services
  • Processed by Evrotrust as an independent data controller, as defined by GDPR
  • Subject to data subject rights (access, rectification, erasure, etc.), with clear mechanisms for exercising those rights

Evrotrust's data retention periods are aligned with the periods mandated by eIDAS and with its audit and legal obligations; secure deletion is performed once the applicable legal or contractual retention period expires.

Technical and Organizational Measures:

Evrotrust applies industry-leading security measures.

Documentation such as our ISO 27001 certificate, conformity assessment reports, and attestation letters is available upon request or publicly at: https://evrotrust.com/resources/compliance/

Transparency and Sub-Processors:

Evrotrust selects its vendors and infrastructure providers (e.g., AWS, FaceTec) with great care and ensures that they meet GDPR and eIDAS requirements. Because Evrotrust operates as a data controller rather than as a processor, these providers are not sub-processors within the meaning of Art. 28 GDPR. Evrotrust offers transparency regarding its service chain and confirms that: