Trust centre
These pages document how Merula handles domain posture monitoring, data protection, security references and public legal terms.
They are written for customers, agencies and service providers who want clear answers before using a self-service monitoring product.
Security & frameworks
- Standards & framework mappings
  - Structured mapping of Merula's twenty-six checks to selected European regulation (NIS2), security guidance (OWASP, ENISA), and information security frameworks (ISO/IEC 27001 Annex A, CIS Controls v8, NIST CSF 2.0, NIST SP 800-177, NIST SP 800-53).
- Compliance support
  - Editorial discussion of regulatory scope and boundaries — OWASP Top 10:2025 and NIS2 Article 21. Includes the Standards & RFCs reference list and the EU residency vs sovereignty discussion.
- Platform status
  - Operational status and platform-incident communication for Merula.
Data protection & legal
- EU data residency
  - Where customer data is stored and processed, region by region — Stockholm as the primary region, Dublin for inbound report mail — and a plain account of what crosses the EU boundary.
- Privacy & data retention
  - What data Merula collects, how long it is retained, which service providers are involved, the SBOM policy, and the GDPR rights you can exercise.
- Terms of service
  - The public terms that govern use of Merula.
- Data Processing Addendum
  - How personal data is processed when Merula acts as processor for customer-controlled data.