Data Residency & Privacy
Maintained by: Aether365 Team Audience: Data protection officers and compliance teams Scope: Where Aether365 stores data and data flow across regions
Where Your Data Is Stored
Aether365 runs in two independent data planes: EU (Ireland) and US (N. Virginia, USA). Each tenant lives entirely in one region - data is never replicated across them.
You pick your data region the first time you sign in:
- After completing sign-up you are taken to a Choose your data region screen.
- Select 🇪🇺 Europe (EU) or 🇺🇸 United States (US).
- Confirm. The choice is permanent - it cannot be changed later.
The chosen region is recorded on your sign-in token and on the tenant row. Every API call your app makes is routed to the matching region's API endpoint, and admin actions on your tenant are scoped to that region's database.
| Data type | Storage | Region |
|---|---|---|
| Scan results and test findings | Database (PostgreSQL) | Your chosen region |
| Tenant and account metadata | Database (PostgreSQL) | Your chosen region |
| Scan result files | Object storage | Your chosen region |
| Application secrets (credentials) | Encrypted secrets vault | Your chosen region |
| Access logs | Platform logging service | Your chosen region |
| Identity (user pool) | Identity service | EU (single global pool, claim-only) |
What Data We Store
Data we collect and why
| Category | Data | Purpose |
|---|---|---|
| Account data | Email address, Microsoft tenant ID, plan tier | Identity, billing, and access control |
| Configuration snapshots | Values read from Microsoft Graph during scans | Evaluating security checks |
| Scan results | Pass/fail/skip status per check, detected values, scores | Providing the compliance report |
| Connection metadata | Microsoft tenant ID, connection timestamp | Managing tenant connections |
| Notification settings | Email addresses, Teams webhook URLs | Delivering scan notifications |
| Audit log entries | Action, user, timestamp, IP | Enterprise audit trail feature |
Data we do not collect
- Email content, calendar data, or any user-generated content from Microsoft 365
- Microsoft user passwords or credentials
- Microsoft Graph access tokens (used ephemerally during scans, never stored)
- Any data from Microsoft 365 services not required to evaluate security checks
- Any data sent to AI or machine-learning services - your configuration and scan data are never used to train AI models or processed by third-party AI tools
Data Retention
Scan data is retained for a defined retention period after which it is permanently deleted from the database and object storage. Deletion is irreversible. You can configure a shorter retention period in Settings > Retention. Contact support@aether365.io to discuss custom retention periods.
Data Deletion
Deleting a scan
You can delete individual scans from the Scans page. This permanently removes the scan record and all associated test results from the database and object storage.
Deleting your account
To request account deletion, contact hello@aether365.io. We will:
- Confirm your identity
- Delete all scan data, account metadata, and notification settings within 30 days
- Send a deletion confirmation email
Account deletion is irreversible.
Data subject requests
To exercise your rights under GDPR (access, rectification, erasure, portability), contact privacy@aether365.io. We respond to data subject requests within 30 days.
Sub-Processors
Aether365 uses the following sub-processors to deliver the service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud infrastructure | Hosting, storage, compute, email delivery | EU (Ireland) |
| Microsoft Azure / Entra ID | Authentication (OpenID Connect) | EU |
| Stripe | Payment processing | US / EU |
We do not sell or share your data with any third parties for advertising or marketing purposes.
Data Processing Agreement
A Data Processing Agreement (DPA) is available to customers on Pro and Enterprise plans. Request the DPA by emailing privacy@aether365.io.