Curated collection

German cloud providers

Q: Which German cloud provider is GDPR-compliant?

GDPR compliance depends not only on server location but on the whole processing chain: hosting region, ownership, sub-processors and a publicly available data processing agreement (DPA/AVV). Providers listed here such as Hetzner, IONOS and STACKIT host in German data centres, are EU-owned, and publish a DPA. We record each of these signals separately so you can assess compliance against your own data protection impact assessment rather than trust a blanket label.

Q: Are German cloud providers subject to the US CLOUD Act?

Not automatically — and that is the decisive point. The US CLOUD Act can reach data held by a company subject to US jurisdiction regardless of where the servers sit. A German-incorporated, German-controlled provider with no US sub-processors in the data path therefore has a structurally weaker exposure profile. The CLOUD Act exposure of Hetzner, IONOS and STACKIT is each recorded in the directory as 'None', whereas the German subsidiary of a US group can remain exposed even with a German data centre.

Q: What is the best German cloud for business?

It depends on your binding constraint. For raw infrastructure (IaaS), Hetzner from €4/month is the most-cited choice; IONOS offers a publicly listed German group with BSI C5 and IT-Grundschutz; and STACKIT (Schwarz Group) targets the public sector and regulated industries with BSI C5, EUCS and DORA readiness. For GDPR-compliant file storage, luckycloud, Nextcloud and STRATO HiDrive belong on the shortlist. Filter the table by certification, ownership or CLOUD Act exposure to narrow it down.

Q: What does BSI C5 certification mean?

BSI C5 (Cloud Computing Compliance Criteria Catalogue) is the cloud-security audit standard defined by Germany's Federal Office for Information Security (BSI). A C5 attestation documents that a provider meets an extensive set of security and transparency requirements — in the German market it is the reference cloud-security credential. Hetzner, IONOS, STACKIT and T Cloud Public (formerly Open Telekom Cloud) hold it; the comparison table lets you filter to it directly.

Q: What is the difference between a German cloud and an EU cloud?

A German cloud here means a provider headquartered and primarily hosted in Germany, under German and EU jurisdiction. An EU cloud is the broader term for any provider incorporated and hosted in the EU or EEA — for example OVHcloud (France) or UpCloud (Finland). The compliance logic is the same, but German buyers with BSI C5 or IT-Grundschutz requirements, or a preference for German jurisdiction, often narrow deliberately to Germany. For the EU-wide view, see our European cloud providers page.

Cloud, hosting and storage providers with infrastructure in Germany, compared on data-centre location, ownership, CLOUD Act exposure, sub-processors and certifications such as BSI C5.

In short

Leading German cloud providers hosted in Germany are Hetzner, IONOS and STACKIT for infrastructure, and Nextcloud, luckycloud and STRATO HiDrive for storage — all EU-owned, run in German data centres, and checked for GDPR alignment, BSI C5 and CLOUD Act exposure. Location alone is not decisive: ownership and sub-processors determine whether a provider is genuinely beyond the reach of the US CLOUD Act.

Last verified June 2026 DISCLOSURE Some links on this site are affiliate links. We may earn a commission at no extra cost to you. Editorial signals and rankings are never influenced by affiliate relationships.

A German cloud provider, as listed here, is an infrastructure, hosting or storage company whose operating entity is incorporated and headquartered in Germany and runs its primary infrastructure in German data centres. This page brings together two layers that German buyers evaluate together in practice: sovereign infrastructure (IaaS/PaaS such as Hetzner, IONOS and STACKIT) and GDPR-compliant cloud storage (luckycloud, Nextcloud, STRATO HiDrive). Every listing is benchmarked on the criteria that actually matter — hosting region, ownership signal, CLOUD Act exposure, sub-processor chain and recognised certifications — with each figure sourced to the provider's public documentation and re-verified quarterly.

Why it matters

The easy version of "German cloud" — a US hyperscaler's Frankfurt region — does not answer the question most procurement teams are actually asking. Under the US CLOUD Act, data held by a company subject to US jurisdiction can be reached regardless of where the servers physically sit. A "Germany region" changes the data's location; it does not change the operator's legal exposure.

A genuinely German provider — incorporated in Germany, German-controlled, with no US sub-processors in the data path — has a structurally weaker exposure profile. Hetzner, for instance, accepts authority requests for its Falkenstein and Nuremberg data centres only from German courts; its CLOUD Act exposure is recorded in the directory as "None", with hosting in Germany. But "genuinely German" is a chain of facts, not a logo: the operating entity, its owners and its sub-processors. We record each link separately — so you can also see when a cheap German host re-introduces exposure through a US CDN or managed-database layer in the data path.

Showing all 11 alternatives in this category updating

		Cert.	Pricing	Signals	Open
Nextcloud German open-source content-collaboration platform (Nextcloud GmbH, Stuttgart, 2016); fully self-hostable + managed Nextcloud One hosted in DE.	STUTTGART · DE Germany	—	Freemium €6 /mo	Public DPA Sub-processors Open source	→
luckycloud Berlin-based German zero-knowledge cloud (luckycloud GmbH, 2015), own DCs in Berlin/Nuremberg/Frankfurt, ISO 27001 BSI.	BERLIN · DE Germany	ISO/IEC 27001	Paid	Public DPA Sub-processors Open source	→
Filen German zero-knowledge E2E cloud (Filen Cloud Dienste UG, Recklinghausen, 2021), Tier IV ISO 27001 DCs, no US data, open source apps.	DE Germany	—	Freemium €2 /mo	Public DPA Sub-processors Open source	→
Koofr Slovenian cloud storage (Koofr d.o.o., est. 2013), German ISO 27001 data centres, optional client-side encryption via Koofr Vault, 10 GB free.	DE Germany	—	Freemium €1 /mo	Public DPA Sub-processors Open source	→
STRATO HiDrive German cloud storage (STRATO GmbH, United Internet/IONOS group), two German data centres, ISO 27001 + Trusted Cloud, optional zero-knowledge E2E.	DE Germany	ISO/IEC 27001	Paid €6 /mo	Public DPA Sub-processors Open source	→
leitzcloud German-operated (LC by vBoxx GmbH, Frankfurt) Leitz-branded business cloud on its own German data centres (Frankfurt + Mannheim), ISO 27001 (TÜV Nord), AVV available on request.	FRANKFURT · DE Germany	ISO/IEC 27001	Paid €8.8 /mo	Public DPA Sub-processors Open source	→
Contabo Munich-based budget VPS / dedicated hosting (Contabo GmbH); KKR + Oakley-owned since 2022; 11 global DCs; VPS from <€5/month.	MUNICH · DE Germany	—	Paid €5 /mo	Public DPA Sub-processors Open source	→
Hetzner Family-founded German hyperscaler alternative (1997), EU DCs in Falkenstein, Nuremberg, Helsinki; ISO 27001 + BSI C5 Type 2; from €4/month.	GUNZENHAUSEN · DE Germany	ISO/IEC 27001 C5	Paid €4 /mo	Public DPA Sub-processors Open source	→
IONOS German publicly-listed cloud (IONOS Group SE, Frankfurt + Berlin DCs), first DE provider with both BSI C5 + IT-Grundschutz, Gaia-X member.	FRANKFURT · DE Germany	ISO/IEC 27001 C5	Paid €2 /mo	Public DPA Sub-processors Open source	→
STACKIT German sovereign cloud built by Schwarz Digits (Lidl/Kaufland parent), 4 EU DCs, EU Cloud III €180M winner with SEAL-3 highest rating.	NECKARSULM · DE Germany	ISO/IEC 27001 C5 +1 more	Paid	Public DPA Sub-processors Open source	→
T Cloud Public (formerly Open Telekom Cloud) Deutsche Telekom's OpenStack public cloud (T-Systems), Biere + Magdeburg DCs, ISO 27001 + BSI C5 + TISAX; rebranded from Open Telekom Cloud.	BIERE · DE Germany	ISO/IEC 27001 ISO/IEC 27017 +2 more	Paid	Public DPA Sub-processors Open source	→

How to choose

Match the provider to your binding constraint. If you need raw infrastructure (IaaS), Hetzner from €4/month is the price-performance reference point; IONOS offers a publicly listed German group with BSI C5 and IT-Grundschutz; STACKIT brings a foundation-controlled sovereign-cloud approach for regulated workloads. If BSI C5 is written into your tender, filter to it directly — Hetzner, IONOS, STACKIT and T Cloud Public hold the attestation. If you need GDPR-compliant file storage, weigh luckycloud, STRATO HiDrive and the open-source-based Nextcloud; check each storage provider's sub-processor list closely, because that is where US services most often re-enter an otherwise German stack. Sort the table above by CLOUD Act exposure, hosting region or ownership to build your shortlist, then open each profile to confirm the chain against your own impact assessment. For the broader EU-wide shortlist, see European cloud providers.

FAQ

Frequently asked questions

Which German cloud provider is GDPR-compliant?

GDPR compliance depends not only on server location but on the whole processing chain: hosting region, ownership, sub-processors and a publicly available data processing agreement (DPA/AVV). Providers listed here such as Hetzner, IONOS and STACKIT host in German data centres, are EU-owned, and publish a DPA. We record each of these signals separately so you can assess compliance against your own data protection impact assessment rather than trust a blanket label.

Are German cloud providers subject to the US CLOUD Act?

Not automatically — and that is the decisive point. The US CLOUD Act can reach data held by a company subject to US jurisdiction regardless of where the servers sit. A German-incorporated, German-controlled provider with no US sub-processors in the data path therefore has a structurally weaker exposure profile. The CLOUD Act exposure of Hetzner, IONOS and STACKIT is each recorded in the directory as 'None', whereas the German subsidiary of a US group can remain exposed even with a German data centre.

What is the best German cloud for business?

It depends on your binding constraint. For raw infrastructure (IaaS), Hetzner from €4/month is the most-cited choice; IONOS offers a publicly listed German group with BSI C5 and IT-Grundschutz; and STACKIT (Schwarz Group) targets the public sector and regulated industries with BSI C5, EUCS and DORA readiness. For GDPR-compliant file storage, luckycloud, Nextcloud and STRATO HiDrive belong on the shortlist. Filter the table by certification, ownership or CLOUD Act exposure to narrow it down.

What does BSI C5 certification mean?

BSI C5 (Cloud Computing Compliance Criteria Catalogue) is the cloud-security audit standard defined by Germany's Federal Office for Information Security (BSI). A C5 attestation documents that a provider meets an extensive set of security and transparency requirements — in the German market it is the reference cloud-security credential. Hetzner, IONOS, STACKIT and T Cloud Public (formerly Open Telekom Cloud) hold it; the comparison table lets you filter to it directly.

What is the difference between a German cloud and an EU cloud?

A German cloud here means a provider headquartered and primarily hosted in Germany, under German and EU jurisdiction. An EU cloud is the broader term for any provider incorporated and hosted in the EU or EEA — for example OVHcloud (France) or UpCloud (Finland). The compliance logic is the same, but German buyers with BSI C5 or IT-Grundschutz requirements, or a preference for German jurisdiction, often narrow deliberately to Germany. For the EU-wide view, see our European cloud providers page.

Methodology

How we verified every listing here.

For each product we read the public DPA, sub-processors document, hosting region declaration, certifications, and corporate ownership records. Each is timestamped. Signals are editorial, re-verified quarterly. We never accept self-attestation.

Read methodology →