Compliance - SCANDIC GROUP

SCANDIC DATA compliance declaration

Introduction

SCANDIC DATA is part of the SCANDIC GROUP brand portfolio and operates a high-availability data center in Manama, Bahrain. The infrastructure supports the Group's global media, payment and commerce platforms and provides customers with colocation services, storage and computing power as well as AI-enabled hardware. As a mission-critical data center operator, we are aware of the extensive legal and regulatory requirements placed on hosting and cloud providers. This compliance statement documents how SCANDIC DATA has established internal policies, risk management processes and controls to ensure legal compliance, ethics and responsible behavior.

SCANDIC ASSETS FZCO
Dubai Silicon Oasis DDP
Building A1/A2, Dubai - 342001
United Arab Emirates
Phone +97 14 3465-949
Mail Info@ScandicAssets.dev
represents the brand SCANDIC DATA

represented by:
SCANDIC TRUST GROUP LLC
IQ Business Center
Bolsunovska Street 13-15
Kyiv - 01014, Ukraine
Phone +38 09 71 880-110
Mail Info@ScandicTrust.com

in cooperation with:
LEGIER Beteiligungs mbH
Kurfürstendamm 14
10719 Berlin
Federal Republic of Germany
HRB 57837
VAT ID DE 413445833
Phone +49 (0) 30 99211-3469
Mail Info@LegierGroup.com

SCANDIC ASSETS FZCO and LEGIER Beteiligungs mbH act as non-operational service providers. Operational activities of the data center, contracts and customer relationships are handled by SCANDIC TRUST GROUP LLC.

Overview library

– 1. compliance organization
– 2. legal and regulatory obligations
– 3. data processing and due diligence
– 4. marketing and communication
– 5. sanction check and prohibited content
– 6. whistleblower system
– 7. training and sensitization
– 8. monitoring and continuous improvement

1. compliance organization

SCANDIC DATA maintains an independent compliance management system that is seamlessly integrated into the structures of the SCANDIC GROUP. The management is supported by an internal compliance department, which is responsible for legal matters, data protection, information security, risk management and internal audits. A comprehensive policy stack combines guidelines on corporate governance, data protection, supply chain and human rights policy, modern slavery declaration, cookie guidelines and specific guidelines for data center operations. Responsibilities and escalation channels are clearly defined; risk management coordinates legal, operational, technological and reputational risks. Regular reports to the management ensure transparency and allow consistent implementation of compliance targets.

2. legal and regulatory obligations

As a data center operator, SCANDIC DATA is subject to numerous legal norms and standards:

Data protection lawWe comply with the European General Data Protection Regulation (GDPR), the Bahrain Personal Data Protection Law (PDPL) and corresponding data protection laws of other countries. Customer data is only processed for a specific purpose, protected and not transferred to third parties without a legal basis.
Telecommunications and IT lawData center operations require compliance with telecommunications, net neutrality and cloud service provision laws. We ensure that our infrastructure meets all regulatory requirements for access, interoperability and security.
Supply chain due diligence obligationsAs part of the SCANDIC GROUP, we fulfill the requirements of the German Supply Chain Duty of Care Act (LkSG) and the planned EU CSDD. Risk analyses, preventive and remedial measures and transparent reporting on environmental and human rights risks are part of our program.
Tax and commercial lawWe ensure proper invoicing and tax payment in all relevant jurisdictions. Our accounting systems comply with the requirements of the German Fiscal Code (AO), the German Commercial Code (HGB) and international standards such as IFRS.
IT security standardsSCANDIC DATA strives for certifications according to ISO/IEC 27001 (information security management), ISO/IEC 27017 (cloud security) and ISO/IEC 27701 (data protection management). We follow the requirements of the NIST Cybersecurity Framework and the CIS benchmarks.
Export and sanctions lawWe comply with national and international export control and sanctions regulations (e.g. EU Dual-Use Regulation, US-EAR). The provision of computing power or storage for customers in sanctioned countries is excluded.

3. data processing and due diligence

SCANDIC DATA carries out risk checks before entering into a business relationship. For corporate customers, we verify the company name, address and beneficial owners using extracts from the commercial register. Potential users must confirm that they do not store or distribute illegal content and that they comply with all relevant export and data protection laws. Technical and organizational measures (TOM) for data classification and encryption are agreed. Transactions and usage behavior can be checked for anomalies; if misuse is suspected (e.g. malware distribution, hosting of illegal content), access is restricted and, if necessary, reported to the authorities.

4. marketing and communication

Our marketing communication follows the principle of transparency and fairness. We make it clear that SCANDIC DATA offers infrastructure and hosting services and clearly name the contractual partner. Product descriptions regarding availability, performance and security features are based on verifiable data. We refrain from making misleading promises (such as „100 % Uptime“) and state the actual service level. Advertising is aimed exclusively at companies and institutions; no targeted advertising is shown to vulnerable groups. Complementary services from other Group brands (e.g. payment services from SCANDIC PAY or media services from LEGIER MEDIA) are clearly identified as separate offers.

5. sanction check and prohibited content

SCANDIC DATA checks all customers and data flows against national and international sanctions lists. We reject business requests if companies, owners or end users are on sanctions lists or if there is a risk of violating export control or embargo regulations through the provision of IT resources. It is expressly prohibited to store or disseminate illegal content (e.g. child pornography, terrorist propaganda, hate speech, malware, arms trafficking) via our infrastructure. We reserve the right to remove such content immediately and to involve law enforcement authorities.

6. whistleblower system

The SCANDIC GROUP operates a confidential whistleblower system that is also used by SCANDIC DATA. Employees, customers and business partners can use a secure platform to report violations of laws, internal guidelines or human rights without fear of retaliation. Reports are treated confidentially, investigated and documented. If necessary, external bodies or authorities are involved. Results and measures are published in anonymized form to create transparency.

7. training and sensitization

All SCANDIC DATA employees undergo regular training on data protection, information security, money laundering prevention, human rights and compliance. Specific training for data center operations raises awareness of risks such as physical access control, malware detection, data backup and emergency processes. Training courses are documented and updated at least once a year.

8. monitoring and continuous improvement

Our compliance program is subject to a continuous improvement process. Internal audits, risk assessments, external certifications and feedback from customersThe information we gather is incorporated into the further development of our guidelines. Technical measures such as zero-trust architectures, SIEM/SOAR systems, network segmentation and signed supply chain artifacts ensure high security and data protection standards. SCANDIC DATA publishes regular reports on progress, challenges and new regulatory developments. Our goal is to take a leading role as a responsible provider of data center and cloud services while maintaining the highest security and quality standards for our customers.inside the company.