Compliance is not just a legal checkbox. It is a direct requirement on how your website is hosted, where your data is stored, and what security measures are in place.
Get it wrong and the consequences range from regulatory fines to complete business disruption. Get it right and it becomes a trust signal that sets you apart from competitors who have not bothered.
This guide explains the major compliance frameworks that affect hosting decisions, what each one requires, and how to choose a host that actually supports your obligations.
Why Hosting Choices Affect Compliance
Your hosting provider controls the physical and virtual infrastructure your data lives on. That makes them a key part of your compliance posture, whether you think about them that way or not.
Compliance frameworks care about:
- Where data is stored geographically
- Who has access to it and under what conditions
- How it is encrypted in transit and at rest
- How quickly breaches are detected and reported
- Whether the infrastructure is isolated or shared with other organisations
None of those things are purely your responsibility. Your hosting provider either supports your compliance requirements or creates gaps in them.
The Major Compliance Frameworks and What They Require From Hosting
GDPR
The General Data Protection Regulation applies to any business that collects or processes personal data from people in the European Union, regardless of where the business itself is based.
What GDPR requires from a hosting perspective:
- Data must be stored within the EU or in countries with adequate data protection laws, unless specific safeguards are in place
- Data must be encrypted in transit and at rest
- Breaches must be reported to the relevant supervisory authority within 72 hours
- Your hosting provider is classified as a “data processor” and must sign a Data Processing Agreement (DPA) with you
- Access to personal data must be logged and restricted to authorised users
What to look for in a host:
- EU-based data centers or documented adequacy arrangements for non-EU storage
- Willingness to sign a DPA
- Encryption at rest and in transit as standard
- Access logging and audit trail capability
The penalty for non-compliance: Fines of up to 4% of global annual turnover or 20 million euros, whichever is higher.
HIPAA
The Health Insurance Portability and Accountability Act applies to healthcare providers, health insurers, and their business associates in the United States. If your business handles Protected Health Information (PHI), your hosting environment must meet HIPAA’s Security Rule requirements.
What HIPAA requires from a hosting perspective:
- Physical, administrative, and technical safeguards for PHI
- Encryption of PHI in transit and at rest
- Access controls limiting who can view or modify health data
- Audit controls that record activity involving PHI
- Your hosting provider must sign a Business Associate Agreement (BAA)
- Physical access to servers must be restricted and logged
What to look for in a host:
- Willingness to sign a BAA (this is non-negotiable under HIPAA)
- Dedicated or private cloud infrastructure to ensure physical isolation
- Documented security controls that align with HIPAA’s Technical Safeguards
- Incident response procedures specific to PHI breaches
Important: Shared hosting environments are generally not suitable for HIPAA-covered data. The physical isolation requirements almost always point to dedicated server hosting or private cloud infrastructure.
PCI DSS
The Payment Card Industry Data Security Standard applies to any organisation that stores, processes, or transmits credit or debit card data.
What PCI DSS requires from a hosting perspective:
- Network segmentation to isolate cardholder data environments
- Firewall and intrusion detection systems protecting payment infrastructure
- Encryption of cardholder data in transit using TLS 1.2 or higher
- Regular vulnerability scanning and penetration testing
- Restricted access to cardholder data with audit logging
- Physical security of servers that process payment data
What to look for in a host:
- Explicit statement of PCI DSS compliance scope
- Support for network segmentation
- Web application firewall and DDoS protection included
- TLS (SSL) certificates on all environments as standard
Note: Using a third-party payment processor like Stripe or PayPal shifts most of the cardholder data handling responsibility to them. Your hosting still needs to support a PCI-compliant environment for the portions you control.
SOC 2
SOC 2 (Service Organisation Control 2) is an auditing standard developed by the American Institute of Certified Public Accountants. It is not a legal requirement but is increasingly expected by enterprise customers and business partners, particularly in the technology sector.
SOC 2 covers five trust service criteria: security, availability, processing integrity, confidentiality, and privacy.
What it means for hosting:
- Your provider should hold a SOC 2 Type II report if you need to demonstrate compliance to customers or partners
- SOC 2 Type II covers a period of time (typically 6 to 12 months), making it a stronger signal than Type I, which is a point-in-time assessment
ISO 27001
ISO 27001 is an international standard for information security management systems. It is not legally mandated but is widely recognised as a mark of serious security practice. Many enterprise procurement processes require it.
What it means for hosting:
- A host with ISO 27001 certification has had its security management processes independently audited
- It covers risk management, physical security, access controls, incident management, and business continuity
- Relevant for businesses operating internationally or selling into regulated industries
Compliance Requirements by Framework at a Glance
| Framework | Who It Applies To | Data Location Requirement | Physical Isolation Needed | Agreement Required |
|---|---|---|---|---|
| GDPR | Any business with EU user data | EU or adequate country | No, but preferred | Data Processing Agreement |
| HIPAA | US healthcare and associates | US preferred, must be documented | Yes, strongly recommended | Business Associate Agreement |
| PCI DSS | Any business handling card data | No geographic requirement | Recommended for higher tiers | Contractual compliance scope |
| SOC 2 | Technology businesses, B2B | No requirement | No | Audit report from provider |
| ISO 27001 | International or enterprise | No requirement | No | Certification from provider |
Hosting Types and Their Compliance Suitability
Not every hosting type is appropriate for every compliance requirement.
| Hosting Type | GDPR | HIPAA | PCI DSS | SOC 2 / ISO 27001 |
|---|---|---|---|---|
| Shared Hosting | Limited | Not suitable | Not suitable | Not suitable |
| VPS Hosting | Suitable with right provider | Possible but limited | Suitable | Possible |
| Cloud Hosting | Strong, choose EU regions | Possible with BAA | Strong | Strong |
| Dedicated Server | Strong | Strong | Strong | Strong |
| Managed WordPress | Suitable for GDPR | Not typically suitable | Limited | Possible |
Shared hosting is unsuitable for almost any regulated data. The lack of physical isolation and the limited security controls create compliance gaps that are difficult or impossible to close. Our guide to web hosting types explains the step-up options and what each one includes.
For businesses with HIPAA requirements, the physical isolation of a dedicated server is almost always necessary. Read about dedicated server costs to understand what that commitment involves financially.
What to Look for in a Compliant Hosting Provider
Documentation and certifications
- ISO 27001 certification
- SOC 2 Type II report available on request
- Published security whitepaper covering physical and logical controls
- Willingness to sign DPAs and BAAs
Data center specifics
- Documented data center locations
- Option to restrict data storage to specific regions
- Physical security controls: biometric access, CCTV, locked cages
- Third-party audits of data center security
Technical security controls
- Encryption at rest and in transit as standard
- Web application firewall active by default
- DDoS protection always on
- Intrusion detection and automated alerting
- Access logging and audit trail capability
- Two-factor authentication on all admin access
Incident response
- Documented breach detection and notification process
- Response time SLA for security incidents
- Clear escalation path to senior security team
Read our complete secure hosting features guide for a full evaluation checklist.
Questions to Ask Any Hosting Provider About Compliance
Before signing a contract with a host for a regulated workload, get clear answers to these.
- Which compliance frameworks does your infrastructure formally support?
- Will you sign a Data Processing Agreement for GDPR purposes?
- Will you sign a Business Associate Agreement for HIPAA purposes?
- Do you hold ISO 27001 certification or a SOC 2 Type II report?
- Where exactly is our data stored, and can we restrict it to a specific region?
- What is your breach notification process and what are the defined timescales?
- How do you handle access to our data by your own staff?
- What physical security controls exist at your data centers?
Any provider serious about compliance will have documented answers to all of these. Vague responses or requests to “discuss further after signup” are red flags.
Common Mistakes Businesses Make With Compliance and Hosting
- Assuming the hosting provider handles compliance entirely. They manage the infrastructure. You are still responsible for how your applications handle and store data.
- Choosing a host based on price without checking compliance support. A cheap plan that cannot sign a DPA is not suitable for a business with EU users.
- Using shared hosting for regulated data. The lack of physical isolation creates compliance gaps that cannot be patched at the application level.
- Not requesting a DPA or BAA before going live. These agreements need to be in place before you process any regulated data, not after a breach prompts the question.
- Treating compliance as a one-time task. Compliance requires ongoing monitoring, regular audits, and updates as frameworks evolve. Your hosting environment needs to support that over time, not just at the point of signup.
Final Thoughts
Compliance is not a feature you add to a hosting plan. It is a requirement that shapes which hosting plans are suitable in the first place.
Start with your obligations. Identify which frameworks apply to your business. Then evaluate hosts against those specific requirements, not general marketing claims about security.
A hosting provider that supports your compliance needs is a business asset. One that creates gaps in your compliance posture is a liability.
Browse our hosting reviews to see how major providers compare on security infrastructure, data center transparency, and compliance support across different plan tiers.