Merula
trust centre · where customer data lives

EU data residency

Merula is operated by Adspace Nordic AB, a Swedish company based in Stockholm, under Swedish and EU law. The service runs on Amazon Web Services in EU regions.

This page states where customer data is stored and processed, region by region, and names the places where something touches infrastructure outside the EU — plainly, so you can assess it rather than take our word for it. Every claim here is checked against our infrastructure code before it is published.

Where customer data is stored and processed

The primary region is AWS eu-north-1 (Stockholm). One workload runs in AWS eu-west-1 (Dublin) — still inside the EU — where our inbound-mail pipeline for DMARC and TLS-RPT aggregate reports is currently operated.

Application databaseStockholm (eu-north-1)
Accounts, domains, check history, change events, alerts and parsed report data, on a dedicated database instance in a private network. Automated backups stay in the same region.
Dashboard and APIStockholm (eu-north-1)
The API that serves your monitoring data runs in Stockholm; the dashboard fetches from it directly over TLS.
Sign-in (Amazon Cognito)Stockholm (eu-north-1)
User identities and credentials are held in the Stockholm region.
Data exportsStockholm (eu-north-1)
Generated exports are stored in Stockholm and removed automatically after seven days.
Operational logsStockholm (eu-north-1)
Service logs are retained for thirty days, in region.
Outbound email — alerts, invitations, reportsStockholm (eu-north-1)
Sent through Amazon SES from the Stockholm region.
Inbound report mail — DMARC and TLS-RPT aggregate reportsDublin (eu-west-1)
Mailbox providers' aggregate reports are received and stored encrypted in Dublin. Raw report messages are deleted after thirty days; the parsed results live in the Stockholm database.

What crosses the EU boundary — stated plainly

Three things involve infrastructure outside EU regions. None of them stores your monitoring data at rest. As with any global edge service, technical request metadata such as IP address, TLS connection metadata and User-Agent may be processed at the edge to deliver the requested asset or sign-in flow.

AWS is a US-headquartered provider. What that means legally for data held in EU regions — and what we will and won't claim about it — is discussed openly on the compliance page. Where Merula's data lives — the compliance view.

Data protection

Merula operates under the GDPR. You can export your account's data yourself from the dashboard, on every plan, at any time.

Account closure permanently deletes your data after a thirty-day grace period in which you can change your mind or take a final export. The audit log — the record of who did what in the account — is retained beyond closure as a legal record, under GDPR Article 17(3)(e).

A Data Processing Addendum covering Merula's role as processor is available to every customer.

Read the Data Processing Addendum · Privacy & data retention

Retention by plan

Check history, change events and parsed report data are retained per your plan, then removed by a daily cycle:

PlanHistory retained
Free7 days
Pro24 months
MSP24 months

Service providers

Core customer monitoring data is processed by AWS, and billing data by Stripe. Website analytics and support or communications providers do not process customer monitoring results or domain-check history; they are described in the Privacy notice.

Amazon Web Services
Infrastructure hosting — compute, database, storage, email. The regions are listed above.
EU regions (Stockholm, Dublin), with the edge-delivery and certificate exceptions stated above
Stripe
Subscription billing and VAT handling. Card details go to Stripe directly; Merula never stores them.
Per Stripe's own data-processing terms

The full sub-processor list, with each provider's role, is maintained here and in the privacy notice.

This page covers data you entrust to Merula as a customer. Website-visitor analytics on the marketing site are a separate matter, covered in the privacy notice.

If your assessment needs something this page doesn't answer, write to hello@merula.io — questions about data handling are answered by the people who run the infrastructure.