At BasaltHQ, we operate on the premise that Privacy is the fundamental primitive of trust in the Cognitive Era. Our platform is engineered to function as a vault for your organization's intellectual assets. This policy codifies our commitment to global compliance (GDPR, CCPA, etc.) and our internal "Zero-Leak" data philosophy.
Privacy Policy
The definitive framework for cognitive data stewardship, cryptographic integrity, and organizational transparency.
1. Information Taxonomy
We maintain a rigorous classification system for all data ingested or generated through our neural business architecture:
Institutional Identifiers
Full names, enterprise email domains, organizational hierarchies, and cryptographically hashed authentication tokens.
Operational Telemetry
API invocation patterns, latency metrics, system error logs, and transactional throughput data.
Digital Fingerprinting
Network metadata, IP addresses, browser runtime environments, and unique device identifiers (UUIDs).
Inference Artifacts
Structural patterns derived from AI processing (anonymized at the source) to optimize global model performance.
2. Cookies & Tracking Technology
We deploy a minimalist tracking stack designed to balance performance optimization with absolute user anonymity. We do not engage in behavioral cross-site retargeting.
| Type | Function | Persistence |
|---|---|---|
| Essential | Session state & security validation | Session |
| Preferences | Theme & localization settings | 12 Months |
| Intelligence | Load balancing & error detection | Persistent |
3. Legal Bases for Processing
Under the General Data Protection Regulation (GDPR) and similar frameworks, we process data based on the following specific legal grounds:
Contractual Mandate
Processing is essential to initialize your organization's environment and provide the requested business intelligence services.
Legitimate Organizational Interest
Securing the perimeter against unauthorized access, detecting network-level anomalies, and improving platform stability.
Compliance Protocols
Processing necessary for financial reporting, tax calculation, and responding to legally binding government mandates.
4. Disclosure and Sub-processors
We never sell organizational or personal data. Disclosure is restricted to audited sub-processors who assist in platform delivery under strict Data Processing Agreements (DPAs).
- AWS / Azure / Vercel: Computational nodes and secure storage.
- Stripe: End-to-end encrypted financial transactions.
5. Global Data Transfers & Residency
As a globally distributed cognitive architecture, BasaltHQ may process data in jurisdictions outside your primary residency. We utilize **Standard Contractual Clauses (SCCs)** and the **EU-U.S. Data Privacy Framework** to ensure peak-level protection regardless of geographic location.
Primary Storage
Defaulting to US-East (Virginia) or EU-West (Dublin) based on organizational origin.
Transit Protocols
All cross-border transmissions are shielded by TLS 1.3+ and Perfect Forward Secrecy.
6. Data Retention & Destruction
Data is retained only for the duration required to fulfill original processing objectives or as required by statutory retention periods (typically 7 years for financial data).
Rapid Deletion Protocol
Upon account decommissioning, all institutional data is cryptographically wiped from active production databases within 30 days.
7. Armor Security Protocols
Our "Armor" defense suite is built on a Zero-Trust architecture, ensuring that every data packet is authenticated, authorized, and encrypted.
- AES-256-GCM encryption for all data at rest.
- Hardware Security Modules (HSM) for root key management.
- Continuous AI-driven anomaly detection and threat hunting.
- Strict Role-Based Access Control (RBAC) with mandatory MFA.
8. Regional Compliance Modules
EEA & United Kingdom (GDPR)
Residents of the EEA have the right to object to processing or withdraw consent at any time. We serve as the "Data Controller" for infrastructure metadata and the "Data Processor" for your organizational content.
California (CCPA/CPRA)
California residents have the right to "Knowledge," "Deletion," and "Non-Discrimination." We do not sell personal data as defined by the CCPA. To exercise your "Do Not Sell or Share My Personal Information" rights (though we do not engage in such sharing), contact our privacy office.
Governance Office
For formal inquiries regarding data protection, DPA execution, or jurisdictional compliance requirements, please contact our lead data privacy officer.