GDPR Compliance Statement by Basegrove

Last Updated: 25 July 2025

1. Our Commitment to Data Protection

At Basegrove Corporation ("Basegrove," "we," "us," or "our"), we are fully committed to achieving and upholding compliance with the EU General Data Protection Regulation (GDPR). The protection of our customers' data is a top priority, and we have integrated GDPR's principles into our core business operations, product development, and service delivery.

This statement outlines our approach to GDPR compliance and serves as a guide to our customers and their users regarding our data protection practices.

2. What is GDPR?

The GDPR is a comprehensive data protection law enacted by the European Union that governs the processing of personal data of individuals within the EU and European Economic Area (EEA). It aims to strengthen and unify data protection, giving individuals greater control over their personal data. The principles of the GDPR include lawfulness, fairness, transparency, data minimisation, accuracy, storage limitation, and the integrity and confidentiality of data.

3. Basegrove's Roles Under GDPR

In the context of our B2B SaaS platform, Basegrove acts in two distinct roles:

  • As a Data Controller: When we process personal data for our own purposes, we are the Data Controller. This applies to the data we collect from visitors to our website and the account and billing information of our direct Customers (e.g., Full Name, Email, Organization Name, Payment Information). For all this data, we are responsible for ensuring it is processed in line with GDPR principles.
  • As a Data Processor: When our Customers and their Authorized Users upload data into our Services (referred to as "Customer Data" in our policies), we act as the Data Processor. In this role, the Customer is the Data Controller. Our responsibility is to process this data only in accordance with the Customer's lawful instructions and the terms of our Data Processing Agreement (DPA).

4. How We Uphold GDPR Principles

Basegrove has implemented robust technical and organizational measures to ensure compliance with GDPR's core principles:

  1. Lawfulness, Fairness, and Transparency: Our Privacy Policy and Terms of Service are written in clear language to be transparent about what data we collect, why we collect it, and how we process it. We only process data on a lawful basis, such as the performance of a contract, legitimate interest, or explicit consent.
  2. Purpose Limitation: We only collect and process personal data for the specific, legitimate purposes outlined in our Privacy Policy and never process it in a manner incompatible with those purposes.
  3. Data Minimisation: We are committed to collecting only the personal data that is strictly necessary to provide and improve our Services, manage customer accounts, and fulfill our legal obligations.
  4. Data Security (Integrity and Confidentiality): We protect data from unauthorized access, alteration, or destruction. Our security measures include encryption of data in transit and at rest, strict access controls, regular security assessments, and a formal incident response plan.
  5. Data Subject Rights: The GDPR grants individuals rights over their personal data. We are committed to facilitating the exercise of these rights.
    • For data where we are the Controller: Individuals can contact us directly at legal@basegrove.com to exercise their rights (e.g., access, rectification, erasure).
    • For data where we are the Processor: We will assist our Customers (the Data Controllers) in responding to data subject requests they receive from their Authorized Users or individuals whose data is part of the Customer Data. Such requests should be directed to the relevant Customer.
  6. Accountability: We maintain comprehensive internal records of our data processing activities, have appointed a dedicated team to handle privacy matters, and make our policies and procedures readily available.

5. Data Processing Agreements (DPA)

To meet the requirements of Article 28 of the GDPR, Basegrove offers a comprehensive Data Processing Agreement (DPA) to all Customers who are Data Controllers under the GDPR. Our DPA outlines the terms, subject matter, and duration of the processing of Customer Data, and sets forth the obligations of both parties to ensure that data processing is performed in a compliant manner. Our DPA is available to all customers upon request.

6. International Data Transfers

As a company based in Germany with a global customer base and infrastructure, we may transfer personal data outside of the EU/EEA. We ensure that all such transfers are lawful and that the data remains protected to the standards of the GDPR. Our primary legal mechanism for transferring data from the EU/EEA to countries like India and the United States (where some of our sub-processors are located) is the use of Standard Contractual Clauses (SCCs) as approved by the European Commission.

7. Our Sub-processors

We partner with a limited number of trusted third-party services (sub-processors) to provide our Services, such as cloud hosting and CRM functionalities. All our sub-processors are vetted for their security and data protection standards. We maintain contracts with them that require them to uphold the same level of data protection that we promise to our customers. A list of our key sub-processors is available in our DPA.

8. Contact Us

If you have any questions about our GDPR compliance or our data protection practices, please do not hesitate to contact our privacy team.