IRIS
EU data residency · GDPR Art. 15 / 17

Compliance is where your data lives

For regulated buyers, trust is the product. IRIS keeps critical-alert data in the EU by architecture, supports GDPR export and erasure, and records every step in an audit-grade event log — so an inspection is a query, not a scramble.

tenant · data residency
  • Jurisdiction: eu
  • Compute: Cloudflare edge · EU
  • State store: Durable Object · EU
  • Retention: configurable
data stays in the EU

EU data residency

By architecture, not by addendum

IRIS runs on Cloudflare’s EU edge. Each alert’s state is held in a Durable Object created with jurisdiction: "eu" — so the data that matters lives and runs inside the EU by default.

US-headquartered clouds can add an EU region, but the control plane, support model and legal exposure remain US-anchored. Residency you can point to at the infrastructure level is a structural property — not something an incumbent retrofits with a contract clause.

Why this is hard to retrofit

  • Residency at the data layer
    State is pinned to EU jurisdiction at creation, not routed to an EU region after the fact.
  • One EU-native platform
    Edge compute, state and the marketing surface share Cloudflare — no US control plane in the path.
  • Built in, not bolted on
    Opt-out, retention and audit logging are part of the alert lifecycle, not add-on services.

What’s built in

The trust controls, implemented

Each of these is part of the platform today. We label only what ships — nothing here is aspirational.

EU data residency by architecture

Alert state lives in Cloudflare Durable Objects pinned to EU jurisdiction (jurisdiction: "eu"). Residency is where your data physically runs — not a contractual promise layered on a US region.

GDPR Art. 15 — data export

Export the personal data held for a recipient or tenant on request, in a portable format, to satisfy subject-access requests.

GDPR Art. 17 — erasure

Erase or pseudonymise personal data when a recipient exercises the right to be forgotten, while preserving the audit record’s integrity.

DPA available on request

A Data Processing Agreement is available on request. Lawyer sign-off is in progress; we will share the current draft and execute on finalisation.

STOP/START opt-out · 6 languages

Recipients can opt out and back in with STOP/START keywords recognised across all 6 supported languages, tenant-wide and enforced automatically.

Configurable retention & purge

Set how long alert and message data is kept per tenant. Data is purged on schedule when its retention window closes.

Audit-grade event log

Every step — notify, reply, escalate, resolve — is recorded with who, what and when. Audit-ready and exportable for GxP, HACCP and ISO inspections.

Log scrubbing & phone masking

Operational logs scrub sensitive content and mask phone numbers, so diagnostics never become a data-leak surface.

Multi-tenant isolation

Each customer is a separate tenant with isolated data and configuration — no cross-tenant access by design.

Subprocessor-change notices

A notice mechanism informs tenants when the subprocessor list changes, so you stay in control of your processing chain.

Audit-ready

An event log built for inspectors

Every notification, reply, escalation and resolution is recorded with its actor, timestamp and language. The log is designed to be audit-ready for GxP, HACCP and ISO processes — evidence that an alert was reached, acknowledged and resolved.

We frame this honestly: IRIS produces audit-ready records. It does not, by itself, make you certified, and we do not hold ISO 27001 or SOC 2 today — formal certification is on our roadmap.

event log · alert #A-2291
  • 02:00:04 notify · Anna · sms · fi
  • 02:05:04 escalate · round 2
  • 02:05:06 notify · Mikael · sms · en
  • 02:06:11 reply · Mikael · “1” ack
  • 02:06:11 resolved · audit record written

Regulatory tailwinds

The rules are moving our way

EU regulation increasingly rewards keeping personal and operational data inside the EU. That is exactly where IRIS already runs.

GDPR

EU residency, export, erasure and opt-out built into the platform.

EU AI Act

EU-resident infrastructure positions agentic features for AI-Act expectations.

EU Data Act

Data portability and access align with the Data Act’s direction of travel.

EHDS

Health-data residency in the EU supports European Health Data Space readiness.

Schrems II

Keeping personal data in the EU avoids the transfer risk Schrems II created.

This page describes the controls IRIS implements and the regulatory context we operate in. It is not legal advice, and IRIS does not claim to hold ISO 27001 or SOC 2 certification today. MeshWorks Wireless Oy is based in Finland.

Bring your auditors the proof

Request our DPA and subprocessor details, or spin up a trial workspace and see the audit log for yourself.