ISO 27018 — Public-Cloud PII Controls for VDRs
ISO/IEC 27018:2019 is a code of practice for protecting personal data (PII) in public cloud services where the provider acts as a PII processor. It extends ISO 27001's Annex A with additional cloud-PII-specific controls drawn from ISO 29100 privacy principles.
For European VDR procurement, ISO 27018 is a useful complement to ISO 27001, particularly where the VDR uses public cloud infrastructure and processes large volumes of personal data — the typical pattern in M&A and due diligence.
Last updated: May 2026.
What ISO 27018 Adds
- Limits on use of PII for marketing without explicit consent.
- Customer right to know which sub-processors are involved.
- Notification to the customer of government requests for access to PII, where such disclosure is legally permitted.
- Restrictions on transferring PII to other jurisdictions or parties without the controller's authorization.
- Documented return / deletion of PII at contract end.
- Encryption and integrity controls for cloud-stored PII.
Relationship with GDPR
ISO 27018 is not a GDPR certification but operationalizes many of the same controls. A provider that holds both ISO 27001 and ISO 27018 has documented evidence of cloud-PII controls; this is a strong baseline for European processors.
Providers Holding ISO 27018
- [Drooms](/providers/drooms) — ISO 27018:2020.
- [Brainloop](/providers/brainloop) — ISO 27018.
- [Virtual Vaults](/providers/virtual-vaults) — ISO 27018.
Frequently Asked Questions
Is ISO 27018 required for VDRs?
Not required, but recommended where the VDR runs on public cloud and processes significant volumes of PII. Combine with ISO 27001 and ISO 27701.
Does ISO 27018 prove GDPR compliance?
It provides strong evidence but is not a substitute for a GDPR DPA, sub-processor flow-down, breach SLA, and the other Article 28 contractual elements.