Privacy Regulations Reference

Last updated: August 6, 2020

The data privacy regulatory landscape is undergoing a lot of change. You probably have heard about the EU General Data Protection Regulation (GDPR) that went into effect on May 25, 2018. There are also other regulations in effect or in the works around the world. We’ve written up this reference document to put helpful information regarding our products and privacy regulations in one place. Please also view our full Privacy policy.

If you have any questions, comments, or concerns about our Privacy policy, your data, or your rights with respect to your information, please email us at

European Union General Data Protection Regulation (GDPR)

Basecamp is an American company and our data infrastructure is currently based in the US. That means if you are based in another country in the world and you use our products, your data are transferred to the US. The EU has stronger privacy laws than the US and a core tenet of the GDPR is that any EU personal data transferred out of the EU must be protected to the same level as guaranteed under EU law. With that aim, since GDPR went into effect Basecamp has offered a data processing addendum and voluntarily participated in the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework.

Data processing addendum

For customers in the EU, we provide a standard Data Processing Addendum (DPA) that includes the European Commission’s Standard Contractual Clauses to extend GDPR privacy principles, rights, and obligations everywhere personal data is processed.

✍️ Sign the DPA online.

On July 16, 2020, the Court of Justice of the European Union made a ruling, colloquially called “Schrems II”, that declared that when personal data is transferred from the EU to a country with mass-surveillance laws, such as the US, China, or Russia, the Standard Contractual Clauses are not necessarily adequate. This ruling has opened up a lot of questions and it applies to virtually all American software services, which are subject to the US Foreign Intelligence Surveillance Act (FISA). Data Protection Authorities across the EU are beginning to issue follow-up guidance. This crowdsourced webpage lists statements made by different Data Protection Authorities to date. We are investigating other measures we could take and are looking out for practical guidance from a variety of Data Protection Authorities in the EU.

A note about Privacy Shield

Since its establishment, Basecamp has also voluntarily participated in the EU-US and Swiss-US Privacy Shield Frameworks. The same Schrems II ruling from the Court of Justice of the European Union invalidated the EU-US Privacy Shield program as a mechanism for data transfer from the EU to the US. This ruling does not apply to the Swiss-US Privacy Shield. We are still certified under, and follow, both Privacy Shield Frameworks.

California Consumer Privacy Act (CCPA)

In the CCPA, there is an important distinction between what are referred to as “service providers”, “businesses”, and “third parties”. You can see how the regulation defines these words by visiting the California Attorney General’s website:

Under the CCPA, Basecamp is a “service provider.” That means when we process data you provide, we do so solely for the purpose you signed up for. Our business model is simple: we charge a recurring subscription fee to our customers. We do not sell personal information or use your data for any other commercial purposes except with your explicit permission.

The CCPA also grants residents of California additional rights related to their information. We grant those rights to all of our customers and detail them in our Privacy policy. Our Privacy policy also explains the information we collect in order to provide our services and clearly lists the only times we access or share your data.

US Health Insurance Portability and Accountability Act (HIPAA)

Our products are currently not HIPAA-compliant and we do not have immediate plans to become so.


Basecamp uses third-party subprocessors, such as cloud computing providers and customer support software, to provide our services. We enter into data processing agreements including GDPR Standard Contractual Clauses with each subprocessor, and require the same of them.

You can see which subprocessors we use by application by viewing the following linked lists:

We also use other software as a company that is not part of providing our services but may collect your personal information for other purposes. You can view this list of processors on the following page: Company processors