Data locality and residency
This page answers the questions compliance officers and legal teams ask before signing a vendor agreement: where data lives, what TryMellon stores on your behalf, and how to remove it.
What TryMellon stores
| Category | What is stored | Where |
|---|---|---|
| Passkey credentials | Public key, AAGUID, counter | TryMellon cloud (no private key ever leaves the device) |
| Session tokens | JWT (stateless, 24h TTL) | Validated on demand — not persisted after expiry |
| User records | user_id + your external_user_id | TryMellon cloud |
| Identifiers (optional) | Email or wallet address if you link them (F1) | TryMellon cloud, opt-in per user |
| Audit logs | Auth events: registered, authenticated, locked, credential revoked | TryMellon cloud, 90-day retention default |
| Webhook deliveries | Envelope + payload per delivery attempt | TryMellon cloud, 30-day retention |
What TryMellon does NOT store: passwords, biometric data, private keys, payment information.
Infrastructure and region
TryMellon’s production infrastructure runs on Railway (US-East by default). Regional deployments (EU, LATAM) are on the enterprise roadmap — contact us if your compliance requirement mandates in-region processing before that ships.
Data export
Export users (NDJSON)
GET /v1/users?format=ndjson
Authorization: Bearer $CLIENT_SECRETReturns one JSON object per line. Each line contains user_id, external_user_id, created_at, and (if opted in) identifiers[].
Export audit logs (CSV/NDJSON)
GET /v1/audit-logs?format=ndjson&from=2026-01-01T00:00:00Z
Authorization: Bearer $CLIENT_SECRETSupports from/to ISO 8601 timestamps. Cursor-paginated. Feed directly into your SIEM.
Data deletion
Delete a single user
DELETE /v1/users/:external_user_id
Authorization: Bearer $CLIENT_SECRETRemoves the user record, all passkey credentials, all linked identifiers, and all active sessions. Audit log entries are anonymized (user identifiers replaced with [deleted]) and retained per the retention period — required for SOC 2 / GDPR record-keeping.
Bulk deletion
For GDPR Article 17 “right to erasure” at scale, use the admin API with your own orchestration:
# Delete users from a list of external IDs
while IFS= read -r uid; do
curl -s -X DELETE "https://api.trymellonauth.com/v1/users/$uid" \
-H "Authorization: Bearer $CLIENT_SECRET"
done < user_ids.txtRate limit: 100 deletions per minute per tenant.
Retention periods
| Data type | Default retention | Configurable? |
|---|---|---|
| Passkey credentials | Until user is deleted | — |
| Audit logs | 90 days | Enterprise: up to 7 years |
| Webhook delivery history | 30 days | — |
| Expired session tokens | Not stored after expiry | — |
Compliance references
- GDPR (EU 2016/679): TryMellon acts as a data processor. You are the data controller. A DPA (Data Processing Agreement) is available on request.
- LGPD (Brazil Lei 13.709/2018): User deletion and export APIs satisfy Articles 18(4) (portability) and 18(6) (anonymization / deletion).
- PSD2 SCA: Passkeys satisfy Strong Customer Authentication requirements as an inherence factor (biometric) + possession factor (device-bound key). No separate MFA token required.
- NIST 800-63B AAL2: Passkeys meet Authenticator Assurance Level 2 (multi-factor cryptographic hardware).