VPS Compliance Guide: GDPR, HIPAA, and PCI DSS — What You’re Responsible For


Regulatory compliance is one of the most misunderstood aspects of self-managed VPS hosting. Many organizations assume that using a compliant cloud provider automatically satisfies their compliance obligations — it does not. When you rent a VPS and run your own software on it, you are responsible for the security and compliance of the application layer, the operating system configuration, and all data handling practices. The VPS provider is responsible for physical security, hardware, and network infrastructure. This guide clarifies exactly what you are responsible for under GDPR, HIPAA, and PCI DSS when self-hosting on a VPS.

The Shared Responsibility Model

Compliance on a VPS follows a shared responsibility model that differs meaningfully from managed cloud services:

| Layer | VPS Provider Responsibility | Your Responsibility |
| --- | --- | --- |
| Physical security | Data center access controls, cameras, guards | None |
| Hardware | Physical servers, networking hardware | None |
| Hypervisor | Hypervisor security and isolation | None |
| Operating system | None (unmanaged VPS) | OS hardening, patching, updates |
| Application software | None | Installation, configuration, updates |
| Data encryption | None (typically) | Encryption at rest and in transit |
| Access controls | None | Authentication, authorization, SSH management |
| Audit logging | None | Application and system logging |
| Backup and recovery | Provider snapshots (optional) | Application-level backups and recovery testing |

In short: on an unmanaged VPS, everything above the hypervisor layer is your responsibility.

GDPR Compliance on a VPS

What GDPR Requires for Hosting

The General Data Protection Regulation applies if you process personal data of EU residents, regardless of where your business is incorporated. Key hosting-related requirements:

Data Residency and Transfer

GDPR does not require that data be stored in the EU — it requires that transfers outside the EU comply with specific mechanisms. Acceptable transfer mechanisms include:

  • Standard Contractual Clauses (SCCs) with non-EU processors
  • Adequacy decisions (the EU has deemed certain countries adequate, including UK post-Brexit with caveats, Japan, Canada, etc.)
  • Binding Corporate Rules for multinational organizations

Practically: if you host EU resident data on a USA VPS, you need SCCs or another valid transfer mechanism in place between you (controller) and your VPS provider (processor). Most major VPS providers offer Data Processing Agreements (DPAs) that include SCCs — request one from your provider.

Technical Measures Required

GDPR Article 32 requires “appropriate technical and organisational measures” to ensure security. For a self-hosted VPS, this includes:

  • Encryption in transit: All HTTP traffic served over HTTPS (TLS 1.2+). SSH connections using strong key algorithms. Database connections encrypted if remote.
  • Encryption at rest: Sensitive personal data encrypted at the database level (column-level encryption for particularly sensitive fields) or full-disk encryption (requires provider support for key management).
  • Access controls: Principle of least privilege for all system and database users. SSH key authentication only. No shared accounts.
  • Pseudonymization: Where possible, process data using pseudonyms (user IDs) rather than directly identifying information in logs and analytics.
  • Security patching: Timely application of OS and software security patches. Document your patching schedule.

Breach Notification

GDPR requires notification of data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, and notification to affected individuals without undue delay. Your VPS logging and monitoring configuration (see the VPS monitoring guide) is essential for timely breach detection.

Data Subject Rights

The right to erasure (“right to be forgotten”) requires that you can delete a specific user’s data from all systems — including backups. Design your backup strategy to support deletion: know which backups contain which users’ data, and have a process for compliant deletion.
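One way to make erasure reach into backups without rewriting every archive is per-user key encryption ("crypto-shredding"): each user's records are encrypted under their own data-encryption key, the keys are kept outside the backup set, and deleting a user's key renders every copy of their ciphertext, live or archived, unrecoverable. The example below is an added illustration of that pattern, not code from this guide or from any VPS provider. It uses Go's standard-library AES-256-GCM; the in-memory `KeyStore` and `backups` map stand in for a real key management service and real backup archives, and the user record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore maps a user ID to that user's data-encryption key (DEK).
// Constructed stand-in: in production the keys live outside the backup set
// (a KMS, an HSM, or a separately managed key database).
type KeyStore map[string][]byte

// ErrKeyShredded is returned once a user's DEK has been deleted.
var ErrKeyShredded = errors.New("user key deleted: data is unrecoverable")

// NewUserKey generates a fresh 256-bit DEK for a user.
func (ks KeyStore) NewUserKey(userID string) ([]byte, error) {
	key := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	ks[userID] = key
	return key, nil
}

// Shred deletes the DEK. Every ciphertext written under it, in live storage
// and in every backup taken since, can no longer be decrypted.
func (ks KeyStore) Shred(userID string) { delete(ks, userID) }

// gcmFor builds an AES-256-GCM AEAD for the user's key.
func (ks KeyStore) gcmFor(userID string) (cipher.AEAD, error) {
	key, ok := ks[userID]
	if !ok {
		return nil, ErrKeyShredded
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a record; output is nonce || ciphertext || tag. The user ID
// is bound as associated data so a record cannot be replayed under another user.
func (ks KeyStore) Encrypt(userID string, plaintext []byte) ([]byte, error) {
	gcm, err := ks.gcmFor(userID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(userID)), nil
}

// Decrypt opens a sealed record; fails with ErrKeyShredded after Shred.
func (ks KeyStore) Decrypt(userID string, sealed []byte) ([]byte, error) {
	gcm, err := ks.gcmFor(userID)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(userID))
}

func main() {
	keys := KeyStore{}
	backups := map[string][]byte{} // constructed stand-in for backup archives

	keys.NewUserKey("user-42")
	sealed, _ := keys.Encrypt("user-42", []byte("name=Alice;email=alice@example.com"))
	backups["2024-01-01"] = sealed // the backup holds only ciphertext

	keys.Shred("user-42") // the erasure request: delete the key, not the archive
	_, err := keys.Decrypt("user-42", backups["2024-01-01"])
	fmt.Println("restore after erasure:", err)
}
```

The design choice to note: the backup process never needs to know which archives hold which user, because what it stores is already useless without the key store. The key store itself therefore needs its own, separately controlled backup and deletion procedure, and that procedure is what you document for the erasure process.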

GDPR VPS Checklist

  • ☐ Data Processing Agreement signed with VPS provider
  • ☐ All traffic served over HTTPS with TLS 1.2+
  • ☐ Database connections encrypted
  • ☐ Sensitive data fields encrypted at rest (or full-disk encryption)
  • ☐ SSH key authentication only, no password logins
  • ☐ Security patches applied within 30 days of release
  • ☐ Access logs retained for minimum 90 days
  • ☐ Breach detection and 72-hour notification process documented
  • ☐ User data deletion process tested and documented
  • ☐ Privacy policy accurately describes data storage location and processing

HIPAA Compliance on a VPS

What HIPAA Requires for Hosting

HIPAA (Health Insurance Portability and Accountability Act) applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates handling Protected Health Information (PHI). If your VPS application handles any PHI, HIPAA’s Technical Safeguards apply.

Business Associate Agreement (BAA)

Your VPS provider must sign a Business Associate Agreement if they have access to PHI — which they do if PHI is stored unencrypted on your VPS. Some VPS providers offer BAAs; many do not. If your provider does not offer a BAA, you must encrypt PHI before it reaches the server’s storage layer (meaning the provider cannot access readable PHI even with physical access to the hardware).

HIPAA Technical Safeguards

Access Control (§164.312(a))

  • Unique user identifiers — no shared system accounts
  • Automatic logoff after inactivity (configure SSH ClientAliveInterval together with ClientAliveCountMax; their product is the idle timeout)
  • Encryption and decryption of ePHI

Audit Controls (§164.312(b))

  • Audit logs of all activity on systems containing ePHI
  • Logs must be retained for minimum 6 years
  • Centralized logging (ship logs off the VPS to a separate log storage system)
# Install auditd for system-level audit logging and start it now and at boot
sudo apt install auditd audispd-plugins -y
sudo systemctl enable --now auditd

# Create the rules file (opened here in nano; its contents follow)
sudo nano /etc/audit/rules.d/hipaa.rules

# Contents of /etc/audit/rules.d/hipaa.rules
# Watch the application's PHI directory for reads, writes, executes and attribute changes
-w /var/www/app/data/ -p rwxa -k phi_access
# Watch identity files for writes and attribute changes
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
# Successful open/openat calls (64-bit ABI) scoped to the PHI directory with -F dir=;
# without the scope this rule records every successful file open on the host.
# openat is included because glibc issues openat for most open() calls.
-a always,exit -F arch=b64 -S open,openat -F dir=/var/www/app/data -F success=1 -k file_access

# Load the rules and confirm they are active
sudo augenrules --load
sudo auditctl -l
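The audit-control requirement is met only if someone (or something) actually reads the records the rules above produce. The following is an added example of a small daily review over auditd SYSCALL records keyed `phi_access`; it is not code from this guide or from the auditd project. It parses the records' key=value layout, counts successful PHI reads per login user (`auid`, the identity that authenticated, which survives `sudo`), and raises findings for denied accesses and for accesses outside a business-hours window. The five log lines are constructed for the example and the 08:00 to 18:00 UTC window is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Constructed sample auditd SYSCALL records (not taken from any real system).
// Fields follow the real auditd layout; the four phi_access records cover a normal
// in-hours read, a 22:13 UTC read by auid 1002 acting as root, and a denied read
// by a daemon (auid unset = 4294967295); the last record is keyed identity, not phi.
var sampleAuditLog = []string{
	`type=SYSCALL msg=audit(1700042400.100:201): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1401 pid=1402 auid=1001 uid=1001 ses=3 comm="app-worker" exe="/usr/bin/python3" key="phi_access"`,
	`type=SYSCALL msg=audit(1700042460.200:202): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1401 pid=1403 auid=1001 uid=1001 ses=3 comm="app-worker" exe="/usr/bin/python3" key="phi_access"`,
	`type=SYSCALL msg=audit(1700000000.300:150): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2200 pid=2201 auid=1002 uid=0 ses=7 comm="cat" exe="/usr/bin/cat" key="phi_access"`,
	`type=SYSCALL msg=audit(1700042500.400:203): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2300 pid=2301 auid=4294967295 uid=33 ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" key="phi_access"`,
	`type=SYSCALL msg=audit(1700042520.500:204): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=900 auid=1001 uid=1001 ses=3 comm="vim" exe="/usr/bin/vim" key="identity"`,
}

// Event is one parsed audit record.
type Event struct {
	Time   time.Time
	Fields map[string]string
}

// Report is the output of one review run.
type Report struct {
	PHIReadsByUser map[string]int // auid -> successful phi_access events
	Findings       []string       // items an operator should look at
}

var (
	msgRe = regexp.MustCompile(`msg=audit\((\d+)\.\d+:\d+\)`) // epoch seconds
	kvRe  = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)         // key=value or key="value"
)

// parseRecord extracts the timestamp and all key=value fields from one record.
func parseRecord(line string) (Event, bool) {
	m := msgRe.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	sec, err := strconv.ParseInt(m[1], 10, 64)
	if err != nil {
		return Event{}, false
	}
	ev := Event{Time: time.Unix(sec, 0).UTC(), Fields: map[string]string{}}
	for _, kv := range kvRe.FindAllStringSubmatch(line, -1) {
		ev.Fields[kv[1]] = strings.Trim(kv[2], `"`)
	}
	return ev, true
}

// Review summarises phi_access records and flags denied and off-hours access.
// businessStart/businessEnd are UTC hours, end exclusive.
func Review(lines []string, businessStart, businessEnd int) Report {
	r := Report{PHIReadsByUser: map[string]int{}}
	for _, line := range lines {
		ev, ok := parseRecord(line)
		if !ok || ev.Fields["key"] != "phi_access" {
			continue
		}
		who := ev.Fields["auid"]
		when := ev.Time.Format(time.RFC3339)
		if ev.Fields["success"] != "yes" {
			r.Findings = append(r.Findings, fmt.Sprintf("%s: denied PHI access by auid=%s comm=%s exit=%s", when, who, ev.Fields["comm"], ev.Fields["exit"]))
			continue
		}
		r.PHIReadsByUser[who]++
		if h := ev.Time.Hour(); h < businessStart || h >= businessEnd {
			r.Findings = append(r.Findings, fmt.Sprintf("%s: off-hours PHI access by auid=%s (effective uid=%s) via %s", when, who, ev.Fields["uid"], ev.Fields["exe"]))
		}
	}
	return r
}

func main() {
	r := Review(sampleAuditLog, 8, 18) // assumed business window, UTC
	fmt.Println("successful PHI reads per login user:", r.PHIReadsByUser)
	for _, f := range r.Findings {
		fmt.Println("FINDING:", f)
	}
}
```

In practice you would feed this from `ausearch -k phi_access --raw` on the central log host rather than from the VPS itself, and keep the daily report alongside the logs as evidence that the review happened.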

Integrity (§164.312(c))

  • Mechanisms to confirm that ePHI has not been altered or destroyed in an unauthorized manner
  • File integrity monitoring (AIDE, as covered in the security hardening guide)
  • Database-level checksums or application-level integrity verification for PHI records

Transmission Security (§164.312(e))

  • Encryption of ePHI in transit: TLS 1.2 minimum, TLS 1.3 preferred
  • No PHI transmission over unencrypted channels (no HTTP, no FTP)

HIPAA Encryption Requirements

HIPAA does not mandate specific encryption algorithms but references NIST guidance. Current acceptable standards:

  • Data in transit: TLS 1.2+ with strong cipher suites
  • Data at rest: AES-256 for stored files and databases
  • Backups: Encrypted before transmission to off-site storage
-- MariaDB: enable encryption for a specific table
-- (a key-management plugin such as file_key_management must be loaded first,
--  or the statement fails with a missing-key error)
ALTER TABLE patients ENCRYPTION='Y';

-- Or encrypt every InnoDB tablespace by default
-- (requires innodb_encrypt_tables = ON in my.cnf)

HIPAA VPS Checklist

  • ☐ BAA signed with VPS provider (or PHI encrypted before storage)
  • ☐ Audit logging enabled for all systems containing ePHI (auditd)
  • ☐ Logs shipped off-server to centralized log storage
  • ☐ 6-year log retention policy implemented
  • ☐ All ePHI encrypted at rest (database-level or disk-level)
  • ☐ TLS 1.2+ enforced on all ePHI transmission paths
  • ☐ No shared user accounts; unique identifiers for each user
  • ☐ SSH session timeout configured (ClientAliveInterval)
  • ☐ File integrity monitoring active (AIDE)
  • ☐ Disaster recovery tested and documented
  • ☐ Workforce training documentation maintained

PCI DSS Compliance on a VPS

What PCI DSS Requires

PCI DSS (Payment Card Industry Data Security Standard) applies if you store, process, or transmit cardholder data. The simplest path to PCI compliance for most VPS-hosted applications is to use a compliant payment gateway (Stripe, Braintree, PayPal) where card data never touches your server — this dramatically reduces your PCI scope. The requirements below apply if cardholder data does reach your server.

Key Technical Requirements for Self-Hosted Payment Processing

Requirement 1: Firewall

  • Deny all traffic that is not explicitly required for business operations
  • Document all firewall rules with business justification
  • Review firewall rule sets at least every six months

Requirement 2: Secure Configuration

  • Change all default passwords before deploying systems
  • Disable all unnecessary services and protocols
  • Enable only one primary function per server (no web server and database on same instance in high-security environments)

Requirement 3: Protect Stored Cardholder Data

  • Never store the full magnetic stripe, CVV, or PIN — these must never be retained after authorization
  • Truncate Primary Account Numbers (PANs) in logs
  • Encrypt stored PANs with AES-256
  • Manage encryption keys separately from encrypted data
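Two of the log-hygiene points above, truncating PANs in logs (this section) and logging pseudonyms rather than directly identifying data (the GDPR section's pseudonymization item), can be handled by one sanitizer in the logging path. The example below is added here and is not code from this guide. It keeps only the first six and last four digits of any 13 to 19 digit Luhn-valid number, so ordinary order numbers pass through untouched, and replaces e-mail addresses with a keyed HMAC-SHA256 pseudonym that is stable for analytics but cannot be reversed without the key. The regular expressions, the `user:` prefix, the 16-hex-character pseudonym length and the sample log line are all choices made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// panCandidate matches 13 to 19 digits, optionally separated by spaces or dashes.
// Every candidate is then checked with Luhn so plain numbers are left alone.
var panCandidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// emailPattern is deliberately simple; it only needs to find addresses in log text.
var emailPattern = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)

// luhnValid reports whether a digit string passes the Luhn checksum.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// truncatePAN keeps first six and last four digits and masks the rest.
// Non-Luhn digit runs are returned unchanged.
func truncatePAN(raw string) string {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(raw)
	if len(digits) < 13 || len(digits) > 19 || !luhnValid(digits) {
		return raw
	}
	return digits[:6] + strings.Repeat("*", len(digits)-10) + digits[len(digits)-4:]
}

// pseudonymize maps an identifier to a keyed HMAC-SHA256 pseudonym.
// The identifier is normalised first so "Alice@Example.com " and
// "alice@example.com" yield the same pseudonym.
func pseudonymize(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(id))))
	return "user:" + hex.EncodeToString(mac.Sum(nil))[:16]
}

// Sanitize applies PAN truncation and e-mail pseudonymization to one log line.
func Sanitize(key []byte, line string) string {
	line = panCandidate.ReplaceAllStringFunc(line, truncatePAN)
	return emailPattern.ReplaceAllStringFunc(line, func(e string) string {
		return pseudonymize(key, e)
	})
}

func main() {
	key := []byte("constructed-example-key; load from a secrets store in practice")
	// Constructed log line; 4111 1111 1111 1111 is a well-known test number.
	line := "payment from alice@example.com card 4111 1111 1111 1111 order 1234567890123 ok"
	fmt.Println(Sanitize(key, line))
}
```

Put the sanitizer at the single point where application logs are written, not in each call site, and keep the HMAC key out of the log storage: if the key is stored next to the logs, the pseudonyms are only as protected as the logs themselves.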

Requirement 6: Secure Development and Patch Management

  • Critical security patches applied within one month of release
  • Web Application Firewall (WAF) protecting public-facing web applications
  • Code review process for custom development

Requirement 10: Logging and Monitoring

  • Audit logs for all access to system components and cardholder data
  • Logs reviewed daily (automated log analysis tools are acceptable)
  • Log retention: minimum one year, with three months immediately available

PCI DSS VPS Checklist (SAQ A-EP / SAQ D)

  • ☐ Firewall rules documented and reviewed every 6 months
  • ☐ All default passwords changed
  • ☐ Unnecessary services disabled
  • ☐ No storage of CVV, magnetic stripe data, or PINs
  • ☐ PANs encrypted with AES-256 if stored
  • ☐ Security patches applied within 30 days (critical within 1 month)
  • ☐ WAF active on public-facing applications
  • ☐ Comprehensive audit logging enabled
  • ☐ Logs reviewed daily (automated alerts configured)
  • ☐ Log retention: 1 year total, 3 months immediately accessible
  • ☐ Penetration test conducted annually
  • ☐ Vulnerability scan conducted quarterly

Practical Recommendation: Minimize Compliance Scope

The most pragmatic compliance strategy is to minimize the scope of regulated data on your VPS:

  • PCI scope reduction: Use Stripe Elements, Stripe Checkout, or PayPal Hosted Pages. Card data never touches your server, reducing your PCI scope to SAQ A (the simplest questionnaire).
  • HIPAA scope reduction: Use HIPAA-compliant third-party services for specific ePHI functions (e.g., a HIPAA-compliant messaging API) rather than building all functionality yourself.
  • GDPR scope reduction: Collect minimum necessary personal data. Implement data minimization by design.

Getting Started

Compliance requirements begin at the server level — the hardening, logging, and encryption practices discussed throughout this guide’s blog series are the technical foundation for GDPR, HIPAA, and PCI compliance on a VPS. USA VPS plans and Hong Kong VPS plans at VPS.DO provide KVM virtualization with hardware-level tenant isolation — an important baseline for compliance environments. Contact VPS.DO support to discuss Data Processing Agreement availability for GDPR compliance.

Conclusion

Self-hosting on a VPS does not exempt you from compliance obligations — in many ways it increases your responsibility compared to using managed SaaS platforms. The good news is that the technical controls required for GDPR, HIPAA, and PCI DSS overlap significantly with general security best practices: encryption in transit and at rest, strong access controls, comprehensive audit logging, timely patching, and tested backup and recovery. Implementing these practices serves both compliance and general security goals simultaneously.
