GDPR - Useful Information

Created by Tim Kefford, Modified on Fri, 14 Mar at 3:13 PM by Tim Kefford

This guide answers some of the most common questions we receive regarding GDPR and our responsibilities.

Where is Morbit data processed and stored?

Morbit Studio is a 100% cloud-based platform, and all data is processed and stored in AWS Ireland. This ensures compliance with GDPR and other European data protection regulations.


Key Details:

  • Cloud Hosting: AWS Ireland (eu-west-1 region)
  • Security Compliance: GDPR, industry-standard encryption
  • Data Storage: Private network, inaccessible from the public internet
  • Encryption: All sensitive data is encrypted at rest and in transit


How secure is your data storage and demarcation between customer data?

Morbit Studio is built with a multi-tenant architecture that ensures strict data segmentation between customers. No customer can ever access another customer’s data due to the following isolation mechanisms:


Logical Separation of Customer Data

  • Tenant-Based Access Control: Each customer has a unique tenant ID, ensuring that data is logically separated at the application and database level.
  • Scoped Queries: All database queries are designed to only fetch data belonging to the authenticated customer, preventing cross-tenant access.
  • Strict UI Access: The only way customers interact with their data is through the Morbit Studio web interface, with no direct database access.
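To illustrate the tenant-scoping control described above, here is an added example (not Morbit's own code) of a data-access layer in which the tenant ID is taken from the authenticated session rather than from the request, and is applied to every query, so that a record ID belonging to another tenant cannot be read even when guessed; the table, column and class names are assumptions for the example.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample data for the example: two tenants, each with their own reports.
SAMPLE_ROWS = [
    ("tenant-a", 1, "A's first report"),
    ("tenant-a", 2, "A's second report"),
    ("tenant-b", 3, "B's report"),
]


@dataclass(frozen=True)
class AuthenticatedUser:
    """Identity established at login. tenant_id comes from the session, never from request input."""
    user_id: str
    tenant_id: str


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reports (tenant_id TEXT NOT NULL, id INTEGER PRIMARY KEY, title TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO reports VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


class TenantScopedRepo:
    """Every query is parameterised and always carries the caller's tenant_id in its WHERE clause."""

    def __init__(self, conn: sqlite3.Connection, user: AuthenticatedUser) -> None:
        self.conn = conn
        self.tenant_id = user.tenant_id  # bound once from the session, not per request

    def list_reports(self) -> list[tuple[int, str]]:
        return self.conn.execute(
            "SELECT id, title FROM reports WHERE tenant_id = ? ORDER BY id", (self.tenant_id,)
        ).fetchall()

    def get_report(self, report_id: int):
        # The tenant filter is ANDed in even for a primary-key lookup, so an id that
        # belongs to another tenant returns None instead of that tenant's record.
        return self.conn.execute(
            "SELECT id, title FROM reports WHERE id = ? AND tenant_id = ?",
            (report_id, self.tenant_id),
        ).fetchone()


def demo() -> dict:
    """Run the scoped repository as a user of tenant-a and return what each call yields."""
    repo = TenantScopedRepo(build_db(), AuthenticatedUser("alice", "tenant-a"))
    return {
        "own": repo.list_reports(),          # both tenant-a rows
        "own_by_id": repo.get_report(1),     # tenant-a row 1
        "cross_tenant": repo.get_report(3),  # tenant-b's row: None
    }
```

A useful regression check in a multi-tenant code base is exactly the last call: assert that a lookup by a valid ID from another tenant yields nothing.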


Multi-Tenant Security Controls

  • Role-Based Access Control (RBAC): Ensures users only see data relevant to their organisation.
  • Encryption at Rest & Transit: All data is encrypted using AES-256 at rest and TLS 1.2/1.3 in transit.


AWS Infrastructure and Network Isolation

  • Hosted in AWS Ireland: All data is processed and stored in a private network, inaccessible from the public internet.
  • No Shared Access: Each customer's data is logically segregated at the database level, ensuring no overlap in stored records.
  • Regular Security Audits: Intrusion scanning and vulnerability assessments are performed using OWASP ZAP, Snyk, Tenable and Mozilla Observatory.


What's your GDPR Compliance level?

Morbit is fully GDPR compliant, ensuring data protection and privacy in accordance with EU regulations.


GDPR Compliance Overview

  • Data Residency: All data is processed and stored in AWS Ireland (eu-west-1), ensuring compliance with EEA data sovereignty laws.
  • Data Protection by Design: Security-first approach, including encryption (AES-256 at rest, TLS 1.2/1.3 in transit), access controls, and data minimisation.
  • User Rights Compliance: We fully support GDPR rights such as:
    • Right of Access (Article 15): Users can request access to their stored data.
    • Right to Erasure (Article 17): Data can be deleted upon request.
    • Right to Data Portability (Article 20): Users can obtain their data in a structured, machine-readable format.


GDPR Documentation Available

  • Privacy Policy: Morbit’s GDPR-compliant Privacy Policy is publicly available via our website.
  • Data Processing Agreement (DPA): Available upon request for customers and partners, outlining roles, responsibilities, and data handling measures.
  • GDPR Compliance Statement: Can be provided on request, detailing how Morbit meets GDPR obligations.


Handling GDPR Requests

  • We support Subject Access Requests (SARs) in compliance with GDPR Article 15.
  • Data deletion requests are processed in line with Article 17 (Right to be Forgotten).
  • Morbit does not share customer data with third parties beyond the intended purpose (GDPR Article 5).
