...
The app is deployed in the AWS Region eu-west-1 (Ireland) for the default Data Residency, and in USA (North Virginia) for the US Data Residency,
The data is stored in AWS RDS, with encryption enabled, in the same AWS Region.
AWS RDS is configured with automatic backups and 30-day retention period. The backups are encrypted. There is no granularity: Restoring the data for all customers to a point in time would be easy, while restoring a subset or a single customer would be time-consuming.
Data in transit is encrypted in HTTPS over the worldwide internet, and TLS between the application servers and the database. The database is on a private subnet with no direct route from the worldwide internet to the database itself.
The logs are stored in AWS CloudWatch using encryption enabled,
The change events are stored in AWS CloudTrail in Europe,
Employees under confidentiality agreement can access the live data in the database, the live servers, and the backups.
...