Where your data lives, who touches it, how it's protected
MOJAQ is built EU-first. Here is the honest, specific version: our infrastructure, subprocessors, retention, security measures and how to reach us. No hand-waving.
Where your data is stored
All MOJAQ services and all stored customer data run on dedicated infrastructure in Helsinki, Finland (Hetzner). Stored customer data does not leave the European Union. Backups are encrypted and kept within the EU.
Subprocessors
| Provider | Purpose | Location | Customer data at rest? |
|---|---|---|---|
| Hetzner Online GmbH | Dedicated server hosting (all products + storage) | Germany / Finland (EU) | Yes, encrypted, EU-only |
| Cloudflare, Inc. | TLS termination, CDN, DDoS protection, bot challenge | Global edge (US entity) | No, in transit only |
| Resend | Transactional / account email delivery | US entity | Account email address only |
We do not sell data, and there are no advertising or analytics trackers in the data path. A signed Data Processing Agreement is available, and you can generate an organization-specific data-residency report from your dashboard.
Data retention
- Analytics: aggregate, cookieless, no per-visitor profiles; retained per plan.
- Logs: 7-day retention during the beta.
- Errors, uptime, deploys: retained per plan; incident history kept for context.
- Render: documents processed transiently; temporary files removed after conversion.
- Realtime: messages are delivered, not persisted after delivery.
- On account deletion: data is deleted, cascading across all products (they share one isolated store).
Security measures
- TLS 1.2+ on every endpoint; the origin is firewalled to the Cloudflare edge (no direct origin access).
- Per-tenant data isolation enforced at the database layer.
- API keys stored hashed; passwords hashed with a modern KDF; secrets encrypted at rest.
- Email verification, IP-velocity and disposable-email abuse prevention, and a bot challenge on signup.
- Role-based team access.
- Encrypted, off-site backups with a tested restore path.
- MOJAQ is monitored from outside its own infrastructure, so an outage is caught independently.
Reliability, honestly
During the open beta MOJAQ runs in a single EU region (Helsinki). We keep encrypted off-site backups, run external self-monitoring, and test restores, but we do not offer a formal uptime SLA yet, and we say so plainly. If you need contractual guarantees or multi-region redundancy today, tell us and we will be straight with you about where we are.
Reporting a vulnerability
Found a security issue? We want to hear about it. Email [email protected] (see /.well-known/security.txt). Please give us reasonable time to fix before disclosure, and we will keep you updated.
