    Privacy Policy

    Last updated: January 2026

    1. Introduction

    Basenorm ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered compliance management platform.

    As a European-first platform, we prioritize data sovereignty and compliance with GDPR, NIS2, and DORA.

    2. Information We Collect and Legal Basis

    Under the General Data Protection Regulation (GDPR), we must have a legal basis to process your personal data.

    Data Category                                   | Purpose                                                       | Legal Basis (GDPR)
    Account Information (Name, email, company)      | To manage your account and provide access to the platform.    | Performance of a Contract
    Compliance Data (Policies, risks, evidence)     | To perform automated compliance audits and risk analysis.     | Performance of a Contract
    Usage Data (IP address, logs, behavior)         | To maintain security, detect fraud, and optimize the platform.| Legitimate Interest
    Marketing Data (Newsletter signups)             | To send updates and industry insights.                        | Consent
    Regulatory Data                                 | To comply with legal reporting and record-keeping.            | Legal Obligation

    3. AI Processing and Data Privacy

    Basenorm uses advanced AI to automate compliance workflows. We apply a "Privacy-by-Design" approach to our AI engine:

    No External Training

    We strictly do not use your proprietary or personal data to train external third-party foundation models (such as those from OpenAI or Anthropic).

    Basenorm Community Intelligence

    To provide industry benchmarks and improve our platform's intelligence, we may use anonymized and aggregated data within the Basenorm ecosystem. This data is stripped of all identifiers so it cannot be traced back to your organization or individuals.

    Data Isolation

    Your specific compliance data remains isolated and accessible only to authorized users within your organization.

    4. Data Sharing and Disclosure

    We do not sell your personal information.

    We may share information with:

    • Service Providers: Third-party vendors (e.g., payment processors, email delivery) who act as sub-processors.
    • Legal Requirements: When required by law or to protect our rights.
    • Business Transfers: In the event of a merger or acquisition.

    5. Data Security & Incident Response

    We implement industry-leading technical and organizational measures:

    • Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.3).
    • Resilience: Regular penetration testing and vulnerability scans.
    • Reporting (NIS2/DORA): In line with NIS2 and DORA requirements, we maintain strict incident response protocols. In the event of a significant security incident, we commit to notifying relevant authorities and affected users within the mandatory legal timeframes (e.g., 24-hour early warning/72-hour notification where applicable).

    6. Data Residency (European Sovereignty)

    Hosted on Microsoft Azure — Amsterdam, NL

    Unlike many GRC providers, Basenorm is built for European data sovereignty:

    Primary Hosting: All platform data and backups are stored on Microsoft Azure servers in Amsterdam, The Netherlands (EU West region).

    Data Transfers: While we strive to keep all processing within the EEA, any necessary international transfers are protected by Standard Contractual Clauses (SCCs) and rigorous Transfer Impact Assessments (TIAs).

    7. Data Retention

    We retain your information only as long as:

    • Your account is active or needed to provide services.
    • Required to comply with legal, tax, or regulatory obligations (e.g., financial record-keeping).
    • Necessary for the resolution of disputes.

    8. Your Privacy Rights

    As a data subject, you have the right to access, correct, delete (right to be forgotten), or port your data. You may also object to or restrict certain processing activities.

    To exercise these rights, contact us at privacy@basenorm.com.

    9. Cookies and Tracking

    We use essential cookies for platform functionality and analytical cookies (with your consent) to improve our service. You can manage your preferences via our cookie banner or browser settings.

    10. Contact Information

    Basenorm

    Data Protection Officer: dpo@basenorm.com

    Amsterdam, The Netherlands

    11. Regulatory Compliance

    We continuously monitor and update our platform to ensure compliance with:

    • GDPR (General Data Protection Regulation)
    • NIS2 (Network and Information Security Directive)
    • DORA (Digital Operational Resilience Act)
    • AI Act (EU Artificial Intelligence Act)