Trust Center

Every document your procurement team needs.

Most of our legal, security, and compliance documents are open for review. DPA and SOC 2 compliance status are available on request. Contact us directly.

Certifications & standards

Where we stand today.

GDPR: Aligned

Infrastructure is GDPR-aligned, with an EU data-residency option. We describe this as alignment, not certification, verified against our DPA and sub-processor chain.

CFDI 4.0: Available — Enterprise

CFDI 4.0 emission and reconciliation — available on the Enterprise tier. Not a payment rail: BasePro records the transaction event and queues the fiscal document.

SOC 2 Type II: In Progress
Target: Q1 2027

SOC 2 Type II — in progress. Talk to us about our compliance posture and what controls are already in place.

Data access

Three vendors touch your data. Here's why.

Category | Purpose | Data region
Cloud infrastructure & CDN | Hosts the application and serves assets at the edge | US + global
Backend, forms & CRM | Processes form submissions and stores lead contact data | US
Anonymised analytics | Counts page views with no personally identifiable data | US

Where your data lives

EU data-residency option available.

Our infrastructure is GDPR-aligned. Customers on the Enterprise tier can request EU data residency — your operational data stays within EU boundaries. We describe this as alignment, not certification: what that means in practice is spelled out in our DPA.

Get what you need

Everything your procurement team is waiting for.

Data Processing Agreement

Available on request.

Request our DPA

SOC 2 compliance status

Type II in progress — target Q1 2027.

Talk to us

Report a vulnerability

We acknowledge within 48 hours.

Email our security team

System status

Live, real-time status.

View status

Security Q&A

The questions every evaluator asks.

How is my data kept separate from other organisations?

Every organisation's data is isolated at the database layer — not just behind a login. Records cannot be accessed, queried, or leaked across accounts. This is enforced by the underlying architecture, not just application logic.

Is BasePro SOC 2 certified?

Not yet. SOC 2 Type II is in progress — target Q1 2027. Our controls are designed to SOC 2 standards now; the formal audit is underway. If you need details for your security review, reach out to compliance@basepro.io.

How does BasePro handle GDPR compliance?

Our infrastructure is GDPR-aligned, with an EU data-residency option for Enterprise customers. We act as a data processor on your behalf. Our DPA covers sub-processor chain, breach notification, and data-subject rights. Request it at privacy@basepro.io.

Who can see what inside my account?

Access is controlled by a four-role permission matrix: Super Admin, Admin, Manager, and Ops. Each role has a scoped set of actions across every operational domain. You configure who has each role — and the audit log records every access event.

Can financial records be altered or deleted after the fact?

No. Every financial edit and workflow action is appended to an audit trail that cannot be modified. Not by your team. Not by ours. Entries are timestamped and the history is complete. Your auditor can read it directly.

What happens if something is approved that shouldn't be?

High-stakes actions — vendor payments, lease changes, financial approvals — require a named authorised user to sign off. The proposal/approval chain is recorded in the audit log with the approver's identity and timestamp.

Where does BasePro store data, and can I choose the region?

Data is hosted on AWS infrastructure in the US by default. Enterprise customers can request EU data residency. Our sub-processor list is public and shows the full vendor chain, purpose, and data region.

How do I report a security concern?

Email security@basepro.io. We acknowledge every report within 48 hours and follow a coordinated disclosure process. We do not have a public bug-bounty programme at this time.

AI data use

Nothing enters your ledger until you confirm it.

Document Intelligence: Building

Our document intelligence feature extracts line items from vendor quotes and invoices — each extraction is confidence-flagged, and nothing is written to your records without your explicit review and approval. Your data is never used to train models. Offered on the Enterprise tier.

Read how we handle your data in our DPA

Security contact

Security Team

For vulnerability reports, security concerns, or questions about our security posture, reach the Security Team directly. We respond to every report.

security@basepro.io

We acknowledge security reports within 48 hours.
