The self-hosted Nextcloud Enterprise platform simplifies dealing with the complex requirements of privacy regulations, decreasing business risk and costs

  • GDPR
  • CCPA

Compliance on the self-hosted Nextcloud solution

The GDPR (General Data Protection Regulation) makes organizations liable for violations of user privacy and for deviations from a high data security standard. Legislation like the CCPA (California Consumer Privacy Act of 2018), HIPAA, FERPA and COPPA imposes comparable privacy obligations in other jurisdictions, notably the United States. The self-hosted Nextcloud Enterprise platform simplifies compliance, decreasing business risk and costs.


Compliance options

Nextcloud Enterprise is designed with privacy in mind. Supporting standards like GDPR, CCPA, HIPAA, FERPA, COPPA, several ISO certifications and many others is possible with Nextcloud Enterprise.

Compliance features include terms of service review tracking, data export/deletion requests, imprint and privacy links and auditing capabilities.

Compliance in practice

The actual compliance with these regulations depends on the hosting solution used for Nextcloud Enterprise. The hosting party is responsible for certification. To set up Nextcloud Enterprise for compliance with specific regulations, contact our team.

Nextcloud Enterprise Compliance Kit

Clear documentation

Compliance is a multi-step process and data can be in many locations. Our documentation helps administrators check if they have covered their bases and guides them through delivering on data access, modification and deletion requests.

We offer our customers a high-level 12-step compliance checklist as well as a hands-on, concrete administrator manual of more than 20 pages, plus direct consultation and a number of compliance tools and apps.

Nextcloud GDPR compliance

All bases covered:

  • How the GDPR data processing allowances apply to Nextcloud Enterprise and when, where and how to ask for permission
  • How to deal with public, in-house and B2B Nextcloud Enterprise servers
  • How to handle consent, subject access requests, data deletion and more
  • An overview of where personal data can be stored in Nextcloud, covering user accounts, monitoring and logs, apps, file storage, database, backups and more
  • An addendum covering popular apps and their GDPR compliance consequences
  • Personal rights and how to implement them in Nextcloud

Compliance apps

To make compliance easier, Nextcloud Enterprise comes with a number of Compliance apps and capabilities:

  • Configurable imprint and privacy links for your login page
  • Data Request app to allow users to request data deletion or modification from their user settings
  • Delete Account app to allow users to delete their account
  • Terms of Service app that only gives access to Nextcloud after users read and agreed to terms (handles updated terms as well)

Contact us now

Reduce risk, improve collaboration and auditability and cut operational expenses with the leading content collaboration platform.


Hans Erasmus

Junior Infrastructure Architect at the North-West University in South Africa
The GDPR Compliance Kit dealt with all our concerns. The global nature of the research community with frequent collaboration with European researchers and students requires global compliance awareness and an on-premises solution backed by the expertise of Nextcloud GmbH gives us the assurances we need.

Nextcloud fits seamlessly in a HIPAA compliant infrastructure.

What are HIPAA and HITECH?

The Health Insurance Portability and Accountability Act (HIPAA) is a US law that sets privacy standards to protect patients' medical records and other health information held by health plans, doctors, hospitals and other health care providers.
HIPAA mandates industry-wide standards, both technical and procedural, for the protection and confidentiality of protected health information (PHI).
The HITECH Act widens the scope of the privacy and security protections available under HIPAA, increases the potential legal liability for non-compliance and provides for stronger enforcement.

Learn more:

  • HIPAA combined regulation text
  • HIPAA privacy rules
  • HIPAA security regulations
  • HIPAA security technical safeguards requirements

EU cybersecurity act

Explicitly designed to build on existing certifications like ISO 27001 or BSI C5, a recommendation prepared under the guidance of the CSPCERT working group has been presented to ENISA to define a European Cybersecurity Certification Scheme for Cloud Service Providers. The upcoming Cybersecurity Act defines three levels of assurance (Basic, Substantial and High) and provides a comprehensive set of rules, technical requirements, standards and procedures for assessment and certification.

Nextcloud follows strict security practices and anticipates being ready for easy and quick certification of customer deployments once the Cybersecurity Act goes into effect.


CFR – Code of Federal Regulations Title 21

Nextcloud Enterprise is ready for use in an FDA Title 21 CFR Part 11 compliant environment, if set up and run properly on appropriate infrastructure. Nextcloud provides the required retention, versioning and auditing features and can integrate with electronic signature and validation solutions.

As Nextcloud Enterprise is an on-premises solution, we neither operate it for our customers nor control how they use it. It can therefore only be certified as a whole, in combination with a specific deployment. Nextcloud helps its customers through this certification process where needed.

GDPR requirements

Security and encryption

The GDPR requires organizations to ensure adequate protection for private data, from encryption to clear and well implemented security practices.

Availability and access

Private users have a right to demand a full overview of what data is collected, including an export of what an organization has on them.

Transparency and auditability

Upon request, an organization has to be able to show what they do with user data, who has (had) access and they must be able to modify or delete any data they have on private individuals.


Why self hosting?

Sending data around by email or through public SaaS file sharing services does not provide much security for sensitive data. Encryption is complicated and cumbersome to use, so its real benefits are reduced when employees work around it or make mistakes.

Keeping data on your own infrastructure or at a trusted local private or public cloud provider means you stay in control. Only then can you show your customers exactly where their sensitive documents are, and demonstrate to regulators that your processes are followed.

Most consumer-grade solutions like Dropbox or Office 365 were not designed with privacy regulations and security concerns in mind, mixing consumer and business data spread across data centers around the globe. Enterprise IT workloads may be processed by cloud providers subject to the US CLOUD Act, meaning your business data can be disclosed on the orders of the US judicial system, often without notice to you.

Rather than trying to work around their limitations, Nextcloud provides a security-first solution which puts you in complete control over the location and access policies of data with a private cloud solution as well as a managed public cloud solution offered by local and trusted providers.

Assicuro private insurance

Assicuro chose Nextcloud to ensure confidential data exchange with its more than 3,000 customers and partners, enabling customers to securely share confidential information such as insurance policies. Compared to other evaluated solutions, Nextcloud offered an easier user interface and a more professional, secure and extensible platform.

Get our whitepaper

Our GDPR Overview document offers a basic 12-step process to GDPR compliance, as part of our GDPR Compliance Kit. Customers can download the companion GDPR Admin Manual in our customer portal.


Data protection

Secure your data

While data needs to be available for employees at all times, the IT department must be able to ensure policies around securing and sharing personal data are respected.
Many customers care deeply about their privacy and about keeping their data secure, while regulators impose heavy penalties for data leaks. Nextcloud offers you the tools to keep data compliant and safe.

Legal compliance

Compliant with federal data protection law and the GDPR, Nextcloud protects data sovereignty by letting you keep the server location in your own country.

Data security

Encryption at several layers (TLS for data in transit, AES-256 server-side encryption for data at rest, and optional end-to-end encryption) protects data against unauthorized access. Note that server-side encryption protects data on the storage backend, for example external storage; keys are managed by the Nextcloud server, so end-to-end encryption is the option when the server itself must not be able to read the content.

Fine-grained authorization

A dedicated user and group management as well as a rights system allows the assignment of access rights according to your requirements.

Some of the security features in Nextcloud

Nextcloud is a popular self-hosted solution in businesses dealing with private data for its ability to strictly control access to data and industry-leading security capabilities.

We provide trust

You are entrusted with the private data of your users. Breaking that trust is a costly, career-ending mistake. Nextcloud enables you to focus on your work, taking care that your data stays private and completely under your control!


Easy integration

Efficient deployment and management

Complexity is the enemy of security, and Nextcloud Enterprise is designed for quick and easy integration into existing infrastructure, leaving policies and procedures in place. Its LDAP and storage integration fits seamlessly with existing user directories and with Windows Network Drive (SMB), NFS and SharePoint storage.

The result: a quick implementation at low cost, and easy maintenance making a self-hosted Nextcloud Enterprise the cloud compliance solution with the lowest TCO.


Note: these compliance documents only cover Nextcloud Enterprise, not the community edition.
We do not offer any guarantees or certification for the community version and
strongly recommend against its use in compliance-critical environments.