Security & Trust

Built for trust, designed for compliance

NordenVault is designed from the ground up to protect your data. From physical data centre location to credential scoping, every decision prioritises security and your right to control your own data.

Data residency in Europe

All customer backup data is stored exclusively in data centres located in the European Union.

  • European jurisdiction

    Your data is stored within the EU and is subject to GDPR. You benefit from robust European data protection law.

  • Physical security

    Our data centre partners maintain on-site security, access controls, redundant power systems, and environmental monitoring.

  • No data leaves Europe

    Backup data is never transferred outside of the EU unless you explicitly initiate a download or restore to a location of your choosing.

🇪🇺 European Union: all data stored here (EEA / GDPR compliant)

Encryption at every layer

Your data is protected at rest and in transit. For maximum security, we fully support client-side encryption.

In Transit

All connections use TLS encryption. S3 endpoints enforce HTTPS and reject unencrypted connections.

At Rest

All objects stored on our platform are encrypted at rest using AES-256 by our storage infrastructure provider.

Client-Side (Zero Knowledge)

Tools like restic encrypt data before it leaves your machine. When using client-side encryption, NordenVault never sees your plaintext data or your encryption keys.

Access control & credential scoping

Every backup source gets its own set of credentials with least-privilege access. This limits the blast radius of a compromised key and makes it easy to revoke access to individual sources without affecting the rest of your account.

  • Per-source credentials

    Each backup source receives its own access key and secret key, scoped to a single bucket. One key cannot access another source's data.

  • Credential rotation

    Rotate credentials at any time from the dashboard. New keys are issued immediately and old keys are revoked.

  • Instant revocation

    If a key is compromised, revoke it immediately from the dashboard.

# Each source gets scoped credentials
source: web-server-01
access_key: OC_SRC_a1b2c3...
bucket: org-backups
prefix: /web-server-01/
permissions: [PUT, GET, LIST, DELETE]
scope: prefix-only
# This key cannot access any other source's data
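The scoping rule above, worked through as an added example (not NordenVault's own code): a small in-memory model of per-source keys that checks bucket, prefix and permission on every request, and shows rotation and revocation as the dashboard section describes them. The `Keyring`, `SourceCredential` and `is_allowed` names, the random part of each key, and all sample bucket and object names are constructed for illustration; only the `OC_SRC_` key format and the `[PUT, GET, LIST, DELETE]` permission set come from the page.

```python
import secrets
from dataclasses import dataclass

# Permissions the page lists for a source key; used as the model's default.
DEFAULT_PERMISSIONS = frozenset({"PUT", "GET", "LIST", "DELETE"})


@dataclass
class SourceCredential:
    """One per-source key: valid for a single bucket and a single prefix."""
    source: str
    access_key: str
    bucket: str
    prefix: str
    permissions: frozenset = DEFAULT_PERMISSIONS
    revoked: bool = False


def normalise_prefix(prefix: str) -> str:
    """Strip surrounding slashes and add exactly one trailing slash.

    Matching on 'web-server-01/' rather than 'web-server-01' is what stops a key
    from reaching a sibling prefix such as 'web-server-01-old/'.
    """
    stripped = prefix.strip("/")
    return stripped + "/" if stripped else ""


def is_allowed(cred: SourceCredential, action: str, bucket: str, key: str) -> bool:
    """Decide whether one request falls inside the credential's scope."""
    if cred.revoked:
        return False
    if action not in cred.permissions:
        return False
    if bucket != cred.bucket:
        return False
    key = key.lstrip("/")
    # A '..' segment would let a path-aware gateway step outside the prefix.
    if ".." in key.split("/"):
        return False
    # LIST passes the listing prefix as the key; it too must sit inside the
    # scope, so listing the whole bucket ("") is refused.
    return key.startswith(normalise_prefix(cred.prefix))


class Keyring:
    """In-memory stand-in for the dashboard's issue / rotate / revoke actions."""

    def __init__(self, bucket: str) -> None:
        self.bucket = bucket
        self._creds: dict[str, SourceCredential] = {}

    def issue(self, source: str) -> SourceCredential:
        # Key format mirrors the page's 'OC_SRC_...' example; the random part is constructed.
        access_key = "OC_SRC_" + secrets.token_hex(8)
        cred = SourceCredential(source, access_key, self.bucket, f"{source}/")
        self._creds[access_key] = cred
        return cred

    def revoke(self, access_key: str) -> None:
        self._creds[access_key].revoked = True

    def rotate(self, access_key: str) -> SourceCredential:
        # Issue the new key first, then revoke the old one, so the source
        # never has a moment without a valid credential.
        old = self._creds[access_key]
        new = self.issue(old.source)
        self.revoke(access_key)
        return new

    def authorise(self, access_key: str, action: str, bucket: str, key: str) -> bool:
        cred = self._creds.get(access_key)
        return cred is not None and is_allowed(cred, action, bucket, key)


if __name__ == "__main__":
    ring = Keyring("org-backups")
    web = ring.issue("web-server-01")
    print(ring.authorise(web.access_key, "GET", "org-backups", "web-server-01/snapshots/a1"))      # True
    print(ring.authorise(web.access_key, "GET", "org-backups", "db-01/snapshots/a1"))              # False
    print(ring.authorise(web.access_key, "GET", "org-backups", "web-server-01-old/snapshots/a1"))  # False
    print(ring.authorise(web.access_key, "LIST", "org-backups", ""))                               # False
    rotated = ring.rotate(web.access_key)
    print(ring.authorise(web.access_key, "GET", "org-backups", "web-server-01/snapshots/a1"))      # False
    print(ring.authorise(rotated.access_key, "GET", "org-backups", "web-server-01/snapshots/a1"))  # True
```

The two details worth copying into any real gateway are the trailing slash added by `normalise_prefix` (a bare `startswith("web-server-01")` would also match `web-server-01-old/`) and the order inside `rotate`, which issues the replacement before revoking the old key.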

Compliance & regulatory

NordenVault is built to support your compliance requirements, not create new ones.

GDPR

Data stored in the EU (EEA). We act as a data processor under GDPR. We support data subject access requests and the right to erasure. Our Data Processing Agreement applies to all customers.

Data Sovereignty

For organisations that must keep data within a specific jurisdiction, NordenVault provides guaranteed EU data residency. No data replication to other regions occurs without your explicit configuration.

Not subject to the US CLOUD Act

NordenVault is a European company with no US parent entity and no US subsidiary. Customer backup data is stored exclusively in the EU and is not subject to US jurisdiction.

What is the CLOUD Act?

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is a US federal law passed in 2018. It gives US law enforcement the power to compel any US-based company to hand over data in its possession, custody, or control, regardless of where that data is physically stored. If a company is headquartered in the US or controlled by a US parent, the CLOUD Act applies to all data it manages, including data stored in EU data centres.

Why is it a risk for European businesses?

The CLOUD Act directly conflicts with GDPR Article 48, which states that foreign court orders are not a valid legal basis for transferring personal data out of the EU. This creates an impossible situation: a US provider may be legally compelled to hand over your data to US authorities while simultaneously being prohibited from doing so under GDPR. Worse, CLOUD Act demands frequently include non-disclosure orders, meaning the US provider may be legally forbidden from telling you that your data has been accessed.

Storing data in an EU region of a US cloud provider does not solve this. In June 2025, Microsoft confirmed under oath at a French Senate hearing that it cannot guarantee data sovereignty against US authorities, even for data stored in France under a French-marketed offering. The same applies to AWS, Google Cloud, Dropbox, and any other US-headquartered provider. Jurisdiction follows the company, not the server location.

How NordenVault is different

NordenVault is incorporated in Norway (EEA) with no US corporate ownership and no US subsidiary. Customer backup data is stored exclusively in EU data centres (Hetzner Online GmbH, Germany). Because we are not a US company and do not operate under US jurisdiction, the CLOUD Act does not apply to us or to the backup data we store for our customers.

Some account management services (authentication, email delivery, payments) use third-party providers that may be based in the US. These services handle account metadata only and never have access to customer backup data. For full transparency, see our subprocessor list and data residency page.

Summary

  • NordenVault is a European company, not subject to the US CLOUD Act
  • All data stored in EU/EEA data centres under European jurisdiction only
  • No US parent company or subsidiary
  • No foreign government can compel access to your backup data
  • Client-side encryption available for zero-knowledge storage

Questions about security?

If you have specific security questions or want to discuss your organisation's compliance requirements, our team is here to help.