Attached is the RBS Security Hosting Controls document that details steps taken to protect data.
For customers outside of the USA who are impacted by the EU regulation for General Data Protection Regulation (GDPR), for the most part the conversation continues to be focus on what data is actually stored in VulnDB. For Portal users, there are email address and depending on the usage they are able to setup Alerts for Vendors and Products. There is, however, no confidential data about Assets or other information about the organization. For API customers, they only have an account (email address) in order to configure the API. All of our VulnDB data that we send via email alerts or the API hosted in AWS is currently in the USA.