Data Residency

Last updated: 1 May 2026

Overview

CRAReady is committed to keeping your data in the European Union. This page describes exactly where each category of data is stored or processed, and how we handle any cross-border transfers in compliance with GDPR.

Where Your Data Is Stored

Data category | Provider | Location
Application database | Neon PostgreSQL | EU (Frankfurt, Germany)
File storage (SBOMs, PDFs, logos) | Cloudflare R2 | EU bucket (auto-region EU)
Transactional email delivery | Resend | US (processed in transit; no PII stored at rest)
Session & cache data | Redis (Upstash) | EU (Frankfurt, Germany)
Analytics (optional) | PostHog Cloud | EU region

Primary Database

All customer data — including organisation records, products, assessments, incidents, vulnerabilities, audit logs, and user accounts — is stored in Neon PostgreSQL in the EU (Frankfurt, Germany) region. Data at rest is encrypted using AES-256. Data in transit is encrypted with TLS 1.3.

File Storage

Binary files — including uploaded SBOMs, generated PDF reports, and company logos — are stored in Cloudflare R2 using the EU storage bucket. Cloudflare R2 does not egress data to non-EU infrastructure by default. Files are encrypted at rest and served via signed URLs with short expiry times.

Email Delivery

Transactional emails (account verification, deadline alerts, notifications) are sent via Resend. Email content is transmitted to Resend servers for delivery; Resend does not store email content after delivery. Minimal metadata (recipient address, send timestamp, delivery status) may be retained by Resend in the US for up to 30 days.

This transfer is covered by GDPR Article 46 Standard Contractual Clauses (SCCs) under our Data Processing Agreement with Resend.

Cross-Border Transfers

CRAReady does not transfer customer data outside the European Economic Area (EEA) without appropriate safeguards. Where transfers to third countries are necessary (e.g. email delivery via Resend), they are governed by GDPR Article 46 Standard Contractual Clauses (SCCs) as published by the European Commission.

Data Processing Agreement

A Data Processing Agreement (DPA) is available to all paid-plan customers on request. The DPA sets out the specific obligations of CRAReady as a data processor, the technical and organisational measures in place, and the SCCs applicable to any cross-border transfers.

Request a DPA: dpa@craready.co.uk

GDPR Compliance

CRAReady acts as a data processor for customer data entered into the platform, and as a data controller for account and billing data. We maintain records of processing activities (Article 30 GDPR) and carry out data protection impact assessments for high-risk processing activities.

For privacy-related questions, see our Privacy Policy or contact privacy@craready.co.uk.