Data protection
Your data is yours. BASE never sells it, never trains external AI models on your private content, and never shares it with third parties except where strictly needed to operate the service — with full disclosure of who, what, and why (see sub-processors).
Every user can export their data and delete their account from Profile. Deletion removes active content promptly; encrypted backups roll off within 30 days.
Permission-first architecture
Each agent operates as a separate permission surface. The six core agents — Document, Finance, Wellness, Organizer, Mentor, Action — handle distinct categories of sensitive data.
Every request is bound to the authenticated user; the application checks ownership before returning any document, task, message or record. Cross-agent hand-offs (for example: "Finance found a recurring payment, should it become an Organizer reminder?") happen only after explicit user confirmation — enforced in product UI and in backend routing, not just described in marketing copy.
This is one of the few hard architectural commitments we make. If we ever needed to change it, we would notify users explicitly and give them the choice to export and leave.
What's protected today
Concrete safeguards already in the product:
- Password hashing with bcrypt. Passwords are never stored in plaintext.
- JWT-based session tokens for authentication. Each request is verified before access.
- HTTPS / TLS for all communication between the app and our servers.
- Per-user data scoping. Every database query is bound to the authenticated account; data belonging to one user is architecturally isolated from another.
- Rate limits on sensitive endpoints (authentication, AI calls) to deter brute-force and abuse.
- Signed webhook handlers for payment and communication integrations.
- Security headers on frontend and backend: Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Content-Security-Policy.
- AI processing via Anthropic Claude. Anthropic does not use BASE customers' data to train its models.
- EU-based cloud hosting on DigitalOcean infrastructure.
- PostgreSQL on Neon with SSL-encrypted database connections.
- SSH key-only server access. No password authentication to infrastructure.
In progress
Active work expanding current safeguards:
- More granular per-file access controls.
- Stronger user-facing data export and deletion tools.
- Unified upload limits and clearer file-retention rules.
- Expanded audit events covering uploads, exports, agent actions and account changes.
Security roadmap
Planned enhancements as BASE moves toward business and enterprise customers:
- Passkeys (WebAuthn) and two-factor authentication.
- Enterprise DPA (Data Processing Agreement) template for B2B customers.
- External penetration testing engagement.
- SOC 2 readiness — part of our long-term security roadmap as usage and customer profile grow.
- Advanced role-based permissions for family and team workspaces.
- Managed encrypted object storage for uploaded files, with per-user access controls and short-lived file access links.
We don't claim more than we ship. As each roadmap item lands, it moves up to "What's protected today".
Sub-processors
BASE relies on a small set of third-party providers. Each is contractually bound to handle your data only on our instructions and to maintain appropriate security and confidentiality.
- AI model processing — Anthropic (Claude).
- Cloud hosting — DigitalOcean (EU region).
- Database — Neon PostgreSQL (EU region, SSL).
- Email delivery — for transactional and notification messages.
- Voice and transcription — only invoked when you use the Action agent's call features.
- Payment processing — only after subscriptions launch; payments handled by PCI-compliant providers. BASE never stores full card numbers.
- Application monitoring — error tracking and reliability.
The complete sub-processor list (with provider names and locations) will be published publicly before general availability launch. B2B and partner customers can request the current list from privacy@base-ai.app.
Compliance & legal basis
- GDPR. Full user rights: access, rectification, erasure, portability, restriction, objection. Lawful basis declared per processing purpose. See Privacy Policy.
- EU DSA. Single point of contact for users and competent authorities: legal@base-ai.app.
- EU AI Act. BASE is designed as a productivity assistant, not a high-risk AI system. We monitor regulatory guidance and adjust where needed.
- Data residency. Primary processing in the European Union. Where cross-border transfers occur via sub-processors, we rely on Standard Contractual Clauses and adequacy decisions where applicable.
Professional boundaries
BASE helps you organize information and prepare for action. It does not replace a doctor, lawyer, accountant or financial advisor.
For decisions that require professional judgment — medical diagnosis, legal advice, tax filing, financial planning — consult a qualified professional in your jurisdiction.
In an emergency, call your local emergency number. BASE is not an emergency service.
Responsible disclosure
We welcome reports of potential security vulnerabilities from the security research community.
How to report
- Email: security@base-ai.app
- Subject: [security] + short summary
- Include: reproduction steps, affected URL, severity assessment, and your contact for follow-up.
- PGP key available on request for sensitive reports.
What we ask
- Give us reasonable time to investigate and fix before public disclosure.
- Don't access, modify or delete data belonging to other users.
- Don't run high-volume traffic or denial-of-service testing without coordination.
- Don't social-engineer our team or third parties.
Safe harbor
Good-faith security research conducted in accordance with this policy will not result in legal action from BASE. We commit to working with researchers to verify, fix and credit findings where appropriate.
Bug bounty
A formal bug bounty program is part of the security roadmap and will launch alongside broader public release. In the meantime, qualifying reports may receive acknowledgement in our security hall-of-fame.
Incident response
If a security incident occurs that may have affected your data, we will:
- Investigate the scope and impact promptly.
- Contain the incident and remediate the underlying cause.
- Notify affected users without undue delay, and in any case within 72 hours where required under GDPR Articles 33–34.
- Provide a clear, plain-language summary of what happened, what data was affected, what we did, and what you can do.
- Publish a post-mortem with technical details once the incident is resolved.