Medway Catchment
Apply for an account Launch app

All your data stays in the EU.

All data stored in the EU. All key services hosted in the EU. Your data sits under EU data-protection regulations and is protected from the US Cloud Act.

Where the data lives

  • Database hosting — Hetzner, Helsinki, Finland. EU member state, full GDPR jurisdiction
  • Off-site backups — Cloudflare R2 with EU-jurisdiction-bound buckets. Even when storage scales to a global provider, the data location and legal jurisdiction stay EU-bound
  • Authentication — Keycloak, self-hosted alongside the application, EU-jurisdiction
  • Observability — logging and error tracking are self-hosted alongside the platform, EU-jurisdiction
  • Email — transactional email via Brevo, a French SMTP provider (EU-jurisdiction)

Cloud Act protection

The US Cloud Act (Clarifying Lawful Overseas Use of Data Act, 2018) allows US law enforcement to compel US-headquartered companies to produce data, regardless of where that data is physically stored. Ecology App's primary compute, database, and authentication chain sit with Hetzner (German-headquartered, Finland-located) — entirely outside US Cloud Act reach.

Backup storage uses Cloudflare R2, which is operated by Cloudflare — a US-incorporated company with UK operations. The R2 buckets we use are contractually constrained to EU storage locations, but more importantly, every backup snapshot is age-encrypted on our own infrastructure before it is uploaded. Cloudflare only ever holds ciphertext; the decryption keys never leave our EU-jurisdiction infrastructure. Cloud Act exposure on the backup leg is therefore mitigated at the cryptographic layer, not just the jurisdictional layer.

For customers in the UK government, regulated charities, and the conservation sector — where the extra-territorial reach of the Cloud Act is a real procurement constraint — Ecology App's compute-side architecture is structurally sovereign, and the backup-side exposure is closed off by client-side encryption.

What this means in practice

If you handle data that should not be accessible to US authorities under any circumstances, Ecology App is built so that question has a clear answer: the compute, database, and authentication all sit in the EU under operators with no US footprint; the only US-incorporated link in the chain is the backup storage provider, and that provider only ever sees ciphertext. The platform operator sits in the UK.

The lawful basis for this

Beyond the practical Cloud Act consideration, all data hosted in the EU sits under the EU's data protection framework — including the EU GDPR, the EU AI Act, and the relevant national implementations. The customer data you contribute, and the personal data Ecology App processes on your behalf, all sit in jurisdictions where the legal protections are clear and well-tested.

Apply for an account
Medway Catchment

Restoring the River Medway — landscape-scale, partnership-led

Privacy Notice Data Promise Your data rights

A Medway Catchment Partnership branded tenancy on the Ecology platform · Hosted by Owletts Farm Partnership · Convenor: South East Rivers Trust