1. Introduction
Basenorm ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered compliance management platform.
As a European-first platform, we prioritize data sovereignty and compliance with GDPR, NIS2, and DORA.
2. Information We Collect and Legal Basis
Under the General Data Protection Regulation (GDPR), we must have a legal basis to process your personal data.
| Data Category | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Account Information (Name, email, company) | To manage your account and provide access to the platform. | Performance of a Contract |
| Compliance Data (Policies, risks, evidence) | To perform automated compliance audits and risk analysis. | Performance of a Contract |
| Usage Data (IP address, logs, behavior) | To maintain security, detect fraud, and optimize the platform. | Legitimate Interest |
| Marketing Data (Newsletter signups) | To send updates and industry insights. | Consent |
| Regulatory Data | To comply with legal reporting and record-keeping. | Legal Obligation |
3. AI Processing and Data Privacy
Basenorm uses advanced AI to automate compliance workflows. We apply a "Privacy-by-Design" approach to our AI engine:
No External Training
Under no circumstances do we use your proprietary or personal data to train external third-party foundation models (such as those from OpenAI or Anthropic).
Basenorm Community Intelligence
To provide industry benchmarks and improve our platform's intelligence, we may use anonymized and aggregated data within the Basenorm ecosystem. This data is stripped of all identifiers so it cannot be traced back to your organization or individuals.
Data Isolation
Your specific compliance data remains isolated and accessible only to authorized users within your organization.
4. Data Sharing and Disclosure
We do not sell your personal information.
We may share information with:
- Service Providers: Third-party vendors (e.g., payment processors, email delivery) who act as sub-processors.
- Legal Requirements: When required by law or to protect our rights.
- Business Transfers: In the event of a merger or acquisition.
5. Data Security & Incident Response
We implement industry-leading technical and organizational measures:
- Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.3).
- Resilience: Regular penetration testing and vulnerability scans.
- Reporting (NIS2/DORA): In line with NIS2 and DORA requirements, we maintain strict incident response protocols. In the event of a significant security incident, we commit to notifying relevant authorities and affected users within the mandatory legal timeframes (e.g., 24-hour early warning/72-hour notification where applicable).
6. Data Residency (European Sovereignty)
Unlike many GRC providers, Basenorm is built for European data sovereignty:
- Primary Hosting: All platform data and backups are stored on Microsoft Azure servers in Amsterdam, The Netherlands (EU West region).
- Data Transfers: While we strive to keep all processing within the EEA, any necessary international transfers are protected by Standard Contractual Clauses (SCCs) and rigorous Transfer Impact Assessments (TIAs).
7. Data Retention
We retain your information only as long as:
- Your account is active or needed to provide services.
- Required to comply with legal, tax, or regulatory obligations (e.g., financial record-keeping).
- Necessary for the resolution of disputes.
8. Your Privacy Rights
As a data subject, you have the right to access, correct, delete (right to be forgotten), or port your data. You may also object to or restrict certain processing activities.
To exercise these rights, contact us at privacy@basenorm.com.
10. Contact Information
Basenorm
Amsterdam, The Netherlands
11. Regulatory Compliance
We continuously monitor and update our platform to ensure compliance with:
GDPR (General Data Protection Regulation) • NIS2 (Network and Information Security Directive) • DORA (Digital Operational Resilience Act) • AI Act (EU Artificial Intelligence Act)