Trust Center
Every document your procurement team needs.
Most of our legal, security, and compliance documents are open for review. DPA and SOC 2 compliance status are available on request. Contact us directly.
Sub-processors
Every third-party vendor with access to your data — their purpose, what data they see, and where.
Service Level Agreement
Our uptime posture, support response targets, and contractual commitments at the enterprise tier.
Data Processing Agreement
How BasePro handles data on your behalf as a processor — security measures, sub-processor chain, and breach notification.
Acceptable Use Policy
What the platform is for, what it is not for, and how violations are handled.
Accessibility Statement
Our WCAG 2.1 AA posture — keyboard navigation, colour contrast, reduced-motion, and how to report gaps.
Compliance Posture
CFDI, ARCO / LFPDPPP, and GDPR-aligned practices — honest about what is live and what is rolling out.
Terms of Service
The legal terms governing your use of the BasePro platform and related services.
Privacy Policy
What personal data we collect, why, how long we keep it, and your rights under applicable law.
Cookie Settings
Which cookies the site sets, why, and how to manage or opt out of non-essential cookies.
Get notified when our sub-processor list changes.
We provide 30 days' advance notice of material changes. One email per change — never marketing.
Certifications & standards
Where we stand today.
Infrastructure is GDPR-aligned, with an EU data-residency option. We describe this as alignment, not certification — verified against our DPA and sub-processor chain.
CFDI 4.0 emission and reconciliation — available on the Enterprise tier. Not a payment rail: BasePro records the transaction event and queues the fiscal document.
SOC 2 Type II — in progress. Target: Q1 2027. Talk to us about our compliance posture and what controls are already in place.
Data access
Three vendors touch your data. Here's why.
Where your data lives
EU data-residency option available.
Our infrastructure is GDPR-aligned. Customers on the Enterprise tier can request EU data residency — your operational data stays within EU boundaries. We describe this as alignment, not certification: what that means in practice is spelled out in our DPA.
Get what you need
Everything your procurement team is waiting for.
Data Processing Agreement
Available on request.
SOC 2 compliance status
Type II in progress — target Q1 2027.
Report a vulnerability
We acknowledge within 48 hours.
System status
Live, real-time status.
Security Q&A
The questions every evaluator asks.
How is my data kept separate from other organisations?
Every organisation's data is isolated at the database layer — not just behind a login. Records cannot be accessed, queried, or leaked across accounts. This is enforced by the underlying architecture, not just application logic.
Is BasePro SOC 2 certified?
Not yet. SOC 2 Type II is in progress — target Q1 2027. Our controls are designed to SOC 2 standards now; the formal audit is underway. If you need details for your security review, reach out to compliance@basepro.io.
How does BasePro handle GDPR compliance?
Our infrastructure is GDPR-aligned, with an EU data-residency option for Enterprise customers. We act as a data processor on your behalf. Our DPA covers sub-processor chain, breach notification, and data-subject rights. Request it at privacy@basepro.io.
Who can see what inside my account?
Access is controlled by a four-role permission matrix: Super Admin, Admin, Manager, and Ops. Each role has a scoped set of actions across every operational domain. You configure who has each role — and the audit log records every access event.
Can financial records be altered or deleted after the fact?
No. Every financial edit and workflow action is appended to an audit trail that cannot be modified. Not by your team. Not by ours. Entries are timestamped and the history is complete. Your auditor can read it directly.
What happens if something is approved that shouldn't be?
High-stakes actions — vendor payments, lease changes, financial approvals — require a named authorised user to sign off. The proposal/approval chain is recorded in the audit log with the approver's identity and timestamp.
Where does BasePro store data, and can I choose the region?
Data is hosted on AWS infrastructure in the US by default. Enterprise customers can request EU data residency. Our sub-processor list is public and shows the full vendor chain, purpose, and data region.
How do I report a security concern?
Email security@basepro.io. We acknowledge every report within 48 hours and follow a coordinated disclosure process. We do not have a public bug-bounty programme at this time.
AI data use
Nothing enters your ledger until you confirm it.
Our document intelligence feature extracts line items from vendor quotes and invoices — each extraction is confidence-flagged, and nothing is written to your records without your explicit review and approval. Your data is never used to train models. Offered on the Enterprise tier.
Read how we handle your data in our DPA
Security contact
Security Team
For vulnerability reports, security concerns, or questions about our security posture, reach the Security Team directly. We respond to every report.
security@basepro.io
We acknowledge security reports within 48 hours.
Help Center
How-to guides and answers for operators.
Readiness Center
Migration guides and operational readiness resources.
Security Architecture
The three-tier product story — data isolation, audit log, and role-based access controls.