Security, roles, control

Data Security

Trust needs clear roles: for commercial matters and under privacy law, your end customers chiefly rely on you. We supply the technical platform, European infrastructure, and open interfaces so you keep control and can export or integrate your data.

GDPR & DPA | EUSC platform operations | Open APIs | ISMS mapped to ISO/IEC 27001
Security layers
Region

AWS European Sovereign Cloud

EU residency for platform and backend services.

Data

API & export

Operational, customer, and billing data stays usable for you.

Access

RBAC & encryption

Roles, TLS, and AES-256 as technical guardrails.

Contracts

DPA & TOMs

Processing arrangements and documented safeguards.

Controls over guesswork
This reflects our charging and mobility platform. For corporate website processing, see the privacy policy.

More than hosting

Data security at OB7 ties together infrastructure, contracts, product capabilities, and portability.

For EMPs / CPOs, storing data in the EU is only part of it. Equally important is who does what with end-customer data, whether exports and integrations are workable in practice, and whether you can answer audit and supervisory questions with verifiable evidence.

EU

Data residency

Platform operations on AWS European Sovereign Cloud with EU data residency.

DPA

Clear roles

CPO as controller towards end customers, OB7 as processor where contractually agreed.

API

Portability

Data access through documented interfaces and established standards instead of a closed black box.

Sovereign operating model

EU tenancy, branded EMP/CPO coverage, and open exports: the headline view before the detail grids below.

This is a short overview ahead of the detailed sections on infrastructure, EMP/CPO admin flows, cryptography, ISO/NIS2, and self-service further down. Contracts, together with ISMS and incident dossiers, remain the factual record beyond any marketing narration.

Platform

EU tenancy on EUSC

Operational processing on AWS European Sovereign Cloud with EU residency — technical depth lives in diligence artefacts, not catch-all claims.

Brand

EMP or CPO fronts end users

Access, rectification, and erasure requests stay with whichever branded operator stewards the end-user relationship; OB7 only supplies the enabling workflows underneath.

Interfaces

No undocumented black-box trap

REST-, OCPI-, and DATEX-II-friendly flows give you reporting, portability, swaps, or third-party integrations without an opaque silo.

Security dimensions

The important questions don't belong in a footnote.

From infrastructure to self-service – ordered the way these topics actually come up in due diligence, privacy reviews, and operator operations.

Infrastructure

EUSC for platform services

Operator workloads run with EU residency; specifics sit in your DPA and TOMs.

Compliance

ISO/IEC 27001 & NIS2

We run an ISMS aligned with ISO/IEC 27001 and prepare the organisation for the EU NIS2 requirements. We do not claim completed certification here; contractual packets and auditor sessions capture the latest status.

Data sovereignty

Export and open APIs

Operational data, sessions, customer records, and billing data should remain available to operators for reporting, BI, and later migrations.

End customers

Self-service under your brand

EV drivers see charging history, invoices, and account features in the white-label experience; rights and privacy notices remain anchored with the CPO.

Technology

Encryption & access

TLS 1.3 in transit, AES-256 at rest, role-based rights, and least-privilege access form the technical basis.

Traceability

Monitoring & audit trails

Logging, monitoring, and incident processes create traceability for operations, support, and privacy work.

Starting together

You name what you need – we configure safeguards and permissions so privacy teams aren't left guessing later.

When we onboard with you, we assemble what your organisation requires to operate the stack in line with GDPR and regulator expectations: you outline scenarios, stakeholder roles, and what your privacy or compliance colleagues must evidence; jointly we tune the OB7 admin setup and expose documents plus technical hooks so reviewers can revisit them reliably.

01

Capture requirements

You explain markets, end-customer context, and compliance constraints – optionally we loop in legal and privacy early so decisions are nailed down before switches are flipped.

02

Configure the admin stack

Together we tune OB7 administration: role models, segmentation, integrations, export paths—so operational access matches how you intend to process personal data.

03

Handoffs for privacy reviewers

We package controller/processor materials, processor-side technical explainers grounded in agreed TOM schedules, and process notes your DPO or procurement can forward without rewriting.

04

Stays reachable

After go-live, APIs, downloads, and living documentation remain available whenever oversight, internal audit, or a regulator asks questions again.

FAQs

Frequently Asked Questions

Infrastructure, compliance, and data-subject access.

What is your ISO/IEC 27001 status?

We operate an ISMS mapped to ISO/IEC 27001 expectations. Formal certification milestones are confirmed in diligence and contracts; this overview is not a binding commitment.

Where is platform data stored?

The OB7 charging and mobility platform runs on AWS European Sovereign Cloud with EU data residency. Legal bases, subprocessors, and technical measures are covered in your DPA and supporting schedules. For the public marketing site, see the privacy policy.

How do you support GDPR compliance?

We offer data processing agreements, work with a Data Protection Officer, and implement technical and organisational measures. Your organisation is typically the controller towards end customers; we support you as processor following your instructions.

Can we export or integrate our data?

Yes. Documented APIs and standards let you use charging, customer, and billing data for analytics and migrations – without lock-in to an undocumented silo.

What encryption is used?

Data is encrypted at rest (e.g. AES-256) and protected in transit with TLS 1.3.

How are access rights managed in the product?

Role-based access control in the admin system lets you define which roles can see which data and functions.

How do end customers exercise GDPR rights?

Drivers usually contact whoever operates their mobility relationship—in practice the EMP or CPO acting as GDPR controller toward them in your deployment. OB7 backs both EMP and CPO footprints; notices and escalation paths always come from your branded operator organisation. OB7 ships self-service tooling, and your EMP/CPO admins decide which experiences stay enabled.

What happens in case of a security incident?

We maintain documented incident-response procedures and notify customers and authorities where legally and contractually required. Specific timelines follow from your DPA and applicable law.