Data Residency
Last updated: 13 June 2026
This page provides a detailed breakdown of where each category of data is stored and processed. Customer backup data is stored exclusively in the EU. Some account management services use providers outside the EEA, as detailed below.
Data location by category
| Data category | What it includes | Location | Provider | Encryption |
|---|---|---|---|---|
| Customer backup data | Files and objects uploaded via S3 API, restic, or rclone | Germany (EU) | Hetzner Online GmbH | AES-256 at rest, TLS 1.3 in transit. Client-side encryption supported. |
| Storage metadata | Object names, sizes, timestamps, bucket configuration | Germany (EU) | Hetzner Online GmbH | Encrypted at rest |
| Application database | Accounts, organisations, machines, credentials, usage snapshots, audit logs | Germany (EU) | UpCloud Oy (managed PostgreSQL) | Encrypted at rest and in transit |
| Authentication | Email, login events, session tokens, SSO/SAML configuration | United States | WorkOS Inc. | Encrypted in transit. SCCs in place. |
| Transactional email | Email addresses and notification content for account alerts and invitations | United States | Resend Inc. | Encrypted in transit. SCCs in place. |
| Payment and billing | Payment method, billing address, invoices, subscription status | United States | Stripe Inc. (independent controller) | PCI DSS Level 1 compliant |
| Frontend hosting | IP address, request metadata, static assets | Global CDN (edge nodes) | Vercel Inc. | Encrypted in transit. SCCs in place. No customer data. |
Customer backup data guarantee
Customer backup data (the files and objects you store on NordenVault) is stored exclusively in EU data centres operated by Hetzner Online GmbH in Germany. This data is never transferred outside the EU unless you explicitly initiate a download or restore to a location of your choosing.
When using client-side encryption (e.g., restic), your data is encrypted before it leaves your machine. NordenVault and its infrastructure provider have no ability to read the contents.
Account management services
Authentication, email delivery, and payment processing are provided by third-party services, some of which are based in the United States. These services process account metadata only (email addresses, login events, billing information) and never have access to the contents of your backup data.
For US-based providers, we maintain EU Standard Contractual Clauses (SCCs) as the legal mechanism for data transfers. Stripe operates as an independent data controller under its own privacy policy.
For the full list of third-party providers, see our subprocessor list.
Questions
If you have questions about data residency or need documentation for a compliance review, contact us at contact@nordenvault.com.