Privacy Regulation Reference
The data privacy regulatory landscape is undergoing a lot of change. You probably have heard about the EU General Data Protection Regulation (GDPR) that went into effect on May 25, 2018. There are also other regulations in the works around the world. We’ve written up this reference document to put information about our compliance with privacy regulations in one place.
Are Basecamp products in compliance?
- We are in compliance with the General Data Protection Regulation (“GDPR”). We participate in the EU-US and Swiss-US Privacy Shield Framework to safeguard the transfer of personal data to the US.
- We are also watching and preparing for other legislation in the US and in other countries.
We will update this document as we ensure compliance with other regulations.
We are not HIPAA-compliant and currently do not have plans to become so.
GDPR: data processing addendum
Increasingly, privacy regulations require that the processing of personal data be governed by a data processing addendum (DPA) that is compliant with those regulations.
We provide a standard Data Processing Addendum (DPA) that is GDPR-compliant to extend GDPR privacy principles, rights, and obligations everywhere personal data is processed. If you use our products to process any EU personal data, you need to enter into GDPR-compliant data processing agreements with any online services and third party vendors you rely on, including Basecamp, LLC.
✍️ Sign the DPA online.
Basecamp participates in the EU-US and Swiss-US Privacy Shield Framework to safeguard the transfer of personal data to the US, meeting the GDPR requirement for adequate data protection laws.
Basecamp uses third party subprocessors, such as cloud computing providers and customer support software, to provide our services. We enter into GDPR-compliant data processing agreements with each subprocessor, and require the same of them.
You can see which subprocessors we use by application by viewing the following linked lists:
- Basecamp subprocessors
- HEY subprocessors
- Highrise subprocessors
- Campfire subprocessors
- Backpack subprocessors
As a company, we also use other software that is not part of providing our services but may collect your personal information for other purposes. You can view this list of processors on the following page: Company processors
CCPA: our role as a service provider
In the CCPA, there is an important distinction between what are referred to as “service providers”, “businesses”, and “third parties”. You can see how the regulation defines these words by visiting the California Attorney General’s website: https://www.oag.ca.gov/privacy/ccpa.
Under the CCPA, Basecamp is a “service provider.” That means when we process data you provide, we do so solely for the purpose you signed up for. Our business model is simple: we charge a recurring subscription fee to our customers. We do not sell personal information or use your data for any other commercial purposes except with your explicit permission.