Security Architecture Document

All end-user data is being processed only by EU companies, and only use those that have EU data residency.


Stormly encrypts all data using TLS where possible, making sure encryption is applied to data:

  1. in use (frequently updated information, usually accessed by multiple users within a network).
  2. in flight (data being transferred outside the network).
  3. at rest (static data stored locally on hard drives that are not often accessed or modified and can be thought of as archived). Examples: Client database backups, Clients’ End-User Data backups stored in Client projects.

Data in use, in flight, and rest are encrypted according to what is deemed sufficient according the data protection legislation requirements.

Backup Retention

Backups (of Clients’ End-User Data) are kept for a retention period of a maximum of 6 months, after which they are permanently removed.

Code Quality

Any code changes to Stormly are tested with automatic processes, as well as manual peer reviews of code, to minimize the potential for security issues in the code.


Stormly infrastructure is continuously monitored for irregularities to detect any potential abuse.


The Stormly infrastructure treats any user and its actions on the Service as a privileged user with full access. Because of this, we built Stormly applications and services around the concept of logical separation, making sure that all resources that belong to that organization (such as plugins, analysis or data being run, but also analytics data in rest) and/or project within an organization, cannot be accessed by other users that are not authorized to do so.


Data of Stormy's Clients is processed and/or stored by third-party providers. See “Data Processing Agreement”, "Article 7. Subprocessing" for more details. The following lists all third-party providers that process and/or store Client data:

  1. Hetzner (EU based company):
    1. DPA: Download DPA
  2. Amazon AWS (US based company):
    1. Only EU regions used. Amazon AWS is only used for storage of analytics data backups. All analytics data is encrypted locally first, before being transfered to AWS as backup storage.
    2. GDPR:
      Security Program:
  3. Vultr (US based company):
    1. GDPR:
  4. Microsoft Azure ChatGPT (US based company):
    1. GDPR:

Disclosing Vulnerabilities

We’re happy to receive any potential security issues from our users. Send an email to detailing the steps to reproduce the security issue or a proof-of-concept. We handle all security disclosures as good as we can, by working together with you where possible.