Data Residency & Privacy

Maintained by: Aether365 Team Audience: Data protection officers and compliance teams Scope: Where Aether365 stores data and data flow across regions

Where Your Data Is Stored

Aether365 runs in two independent data planes: EU (Ireland, Ireland) and US (N. Virginia, USA). Each tenant lives entirely in one region - data is never replicated across them.

You pick your data region the first time you sign in:

1. After completing sign-up you are taken to a Choose your data region screen.
2. Select 🇪🇺 Europe (EU) or 🇺🇸 United States (US).
3. Confirm. The choice is permanent - it cannot be changed later.

The chosen region is recorded as a region claim on your sign-in token and on the tenant row. Every API call your app makes is routed to the matching region's API endpoint, and admin actions on your tenant are scoped to that region's database.

Data type	Storage service	Region
Scan results and test findings	Database (PostgreSQL)	Your chosen region
Tenant and account metadata	Database (PostgreSQL)	Your chosen region
Scan result files	Object storage	Your chosen region
Application secrets (credentials)	Encrypted secrets vault	Your chosen region
Access logs	Platform logging service	Your chosen region
Identity ( user pool)	Identity service	EU (single global pool, claim-only)

What Data We Store

Data we collect and why

Category	Data	Purpose
Account data	Email address, Microsoft tenant ID, plan tier	Identity, billing, and access control
Configuration snapshots	Values read from Microsoft Graph during scans	Evaluating security checks
Scan results	Pass/fail/skip status per check, detected values, scores	Providing the compliance report
Connection metadata	Microsoft tenant ID, connection timestamp	Managing tenant connections
Notification settings	Email addresses, Teams webhook URLs	Delivering scan notifications
Audit log entries	Action, user, timestamp, IP	Enterprise audit trail feature

Data we do not collect

• Email content, calendar data, or any user-generated content from Microsoft 365
• Microsoft user passwords or credentials
• Microsoft Graph access tokens (used ephemerally during scans, never stored)
• Any data from Microsoft 365 services not required to evaluate security checks
• Any data sent to AI or machine-learning services - your configuration and scan data are never used to train AI models or processed by third-party AI tools

Data Retention

Scan data is retained for a defined retention period after which it is permanently deleted from the database and object storage. Deletion is irreversible. You can configure a shorter retention period in Settings > Retention. Contact support@aether365.io to discuss custom retention periods.

Data Deletion

Deleting a scan

You can delete individual scans from the Scans page. This permanently removes the scan record and all associated test results from the database and object storage.

Deleting your account

To request account deletion, contact hello@aether365.io. We will:

1. Confirm your identity
2. Delete all scan data, account metadata, and notification settings within 30 days
3. Send a deletion confirmation email

Account deletion is irreversible.

Data subject requests

To exercise your rights under GDPR (access, rectification, erasure, portability), contact privacy@aether365.io. We respond to data subject requests within 30 days.

Sub-Processors

Aether365 uses the following sub-processors to deliver the service:

Sub-processor	Purpose	Location
Cloud infrastructure	Hosting, storage, compute, email delivery	EU (Ireland, Ireland)
Microsoft Azure / Entra ID	Authentication (OpenID Connect)	EU
Stripe	Payment processing	US / EU

We do not sell or share your data with any third parties for advertising or marketing purposes.

Data Processing Agreement

A Data Processing Agreement (DPA) is available to customers on Pro and Enterprise plans. Request the DPA by emailing privacy@aether365.io.