EU data residency
Merula is operated by Adspace Nordic AB, a Swedish company based in Stockholm, under Swedish and EU law. The service runs on Amazon Web Services in EU regions.
This page states where customer data is stored and processed, region by region, and names the places where something touches infrastructure outside the EU — plainly, so you can assess it rather than take our word for it. Every claim here is checked against our infrastructure code before it is published.
Where customer data is stored and processed
The primary region is AWS eu-north-1 (Stockholm). One workload runs in AWS eu-west-1 (Dublin) — still inside the EU — where our inbound-mail pipeline for DMARC and TLS-RPT aggregate reports is currently operated.
- Application database: Stockholm (eu-north-1)
  - Accounts, domains, check history, change events, alerts and parsed report data, on a dedicated database instance in a private network. Automated backups stay in the same region.
- Dashboard and API: Stockholm (eu-north-1)
  - The API that serves your monitoring data runs in Stockholm; the dashboard fetches from it directly over TLS.
- Sign-in (Amazon Cognito): Stockholm (eu-north-1)
  - User identities and credentials are held in the Stockholm region.
- Data exports: Stockholm (eu-north-1)
  - Generated exports are stored in Stockholm and removed automatically after seven days.
- Operational logs: Stockholm (eu-north-1)
  - Service logs are retained for thirty days, in region.
- Outbound email (alerts, invitations, reports): Stockholm (eu-north-1)
  - Sent through Amazon SES from the Stockholm region.
- Inbound report mail (DMARC and TLS-RPT aggregate reports): Dublin (eu-west-1)
  - Mailbox providers' aggregate reports are received and stored encrypted in Dublin. Raw report messages are deleted after thirty days; the parsed results live in the Stockholm database.
What crosses the EU boundary — stated plainly
Three things involve infrastructure outside EU regions. None of them stores your monitoring data at rest. As with any global edge service, technical request metadata such as IP address, TLS connection metadata and User-Agent may be processed at the edge to deliver the requested asset or sign-in flow.
- The marketing site and the dashboard's static assets (page code, styles, fonts — not your data) are delivered through Amazon CloudFront, a global edge network, so cached copies of those public files exist at edge locations worldwide. Your monitoring data is not served through it: the dashboard fetches that from the Stockholm API directly.
- The hosted sign-in endpoint is fronted by the same global edge network. Authentication traffic may transit the edge, but user identity records and credential verification are handled by Amazon Cognito in the Stockholm region; no customer monitoring data is stored at the edge.
- The TLS certificates for those edge-delivered hostnames are managed in AWS's certificate service in the United States (us-east-1), as the edge network requires. That service holds certificate records — never customer data.
AWS is a US-headquartered provider. What that means legally for data held in EU regions — and what we will and won't claim about it — is discussed openly on the compliance page.
Where Merula's data lives — the compliance view
Data protection
Merula operates under the GDPR. You can export your account's data yourself from the dashboard, on every plan, at any time.
Account closure permanently deletes your data after a thirty-day grace period in which you can change your mind or take a final export. The audit log — the record of who did what in the account — is retained beyond closure as a legal record, under GDPR Article 17(3)(e).
A Data Processing Addendum covering Merula's role as processor is available to every customer.
Read the Data Processing Addendum · Privacy & data retention
Retention by plan
Check history, change events and parsed report data are retained per your plan, then removed by a daily cycle:
| Plan | History retained |
|---|---|
| Free | 7 days |
| Pro | 24 months |
| MSP | 24 months |
- Raw inbound report messages are kept for thirty days regardless of plan; only the parsed results follow the plan window.
- Accepted baselines — your recorded expected configuration — are kept as long as the domain is monitored.
Service providers
Core customer monitoring data is processed by AWS, and billing data by Stripe. Website analytics and support or communications providers do not process customer monitoring results or domain-check history; they are described in the Privacy notice.
- Amazon Web Services
  - Infrastructure hosting — compute, database, storage, email. The regions are listed above.
  - EU regions (Stockholm, Dublin), with the edge-delivery and certificate exceptions stated above
- Stripe
  - Subscription billing and VAT handling. Card details go to Stripe directly; Merula never stores them.
  - Per Stripe's own data-processing terms
The full sub-processor list, with each provider's role, is maintained here and in the privacy notice.
This page covers data you entrust to Merula as a customer. Website-visitor analytics on the marketing site are a separate matter, covered in the privacy notice.
If your assessment needs something this page doesn't answer, write to hello@merula.io — questions about data handling are answered by the people who run the infrastructure.