Merula

Trust centre

These pages document how Merula handles domain posture monitoring, data protection, security references and public legal terms.

They are written for customers, agencies and service providers who want clear answers before using a self-service monitoring product.

Security & frameworks

Standards & framework mappings
Structured mapping of Merula's twenty-six checks to selected European regulation (NIS2), security guidance (OWASP, ENISA), and information security frameworks (ISO/IEC 27001 Annex A, CIS Controls v8, NIST CSF 2.0, NIST SP 800-177, NIST SP 800-53).
Compliance support
Editorial discussion of regulatory scope and boundaries — OWASP Top 10:2025 and NIS2 Article 21. Includes the Standards & RFCs reference list and the EU residency vs sovereignty discussion.
Platform status
Operational status and platform-incident communication for Merula.

Data protection & legal

EU data residency
Where customer data is stored and processed, region by region — Stockholm as the primary region, Dublin for inbound report mail — and a plain account of what crosses the EU boundary.
Privacy & data retention
What data Merula collects, how long it is retained, which service providers are involved, the SBOM policy, and the GDPR rights you can exercise.
Terms of service
The public terms that govern use of Merula.
Data Processing Addendum
How personal data is processed when Merula acts as processor for customer-controlled data.