Privacy Regulations Reference
Last updated: August 6, 2020
European Union General Data Protection Regulation (GDPR)
Basecamp is an American company and our data infrastructure is currently based in the US. That means if you are based in another country in the world and you use our products, your data is transferred to the US. The EU has stronger privacy laws than the US, and a core tenet of the GDPR is that any EU personal data transferred out of the EU must be protected to the same level as guaranteed under EU law. With that aim, since the GDPR went into effect Basecamp has offered a data processing addendum and voluntarily participated in the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework.
Data processing addendum
For customers in the EU, we provide a standard Data Processing Addendum (DPA) that includes the European Commission’s Standard Contractual Clauses to extend GDPR privacy principles, rights, and obligations everywhere personal data is processed.
On July 16, 2020, the Court of Justice of the European Union made a ruling, colloquially called “Schrems II”, that declared that when personal data is transferred from the EU to a country with mass-surveillance laws, such as the US, China, or Russia, the Standard Contractual Clauses are not necessarily adequate. This ruling has opened up a lot of questions, and it applies to virtually every American software service, which is subject to the US Foreign Intelligence Surveillance Act (FISA). Data Protection Authorities across the EU are beginning to issue follow-up guidance. This crowdsourced webpage lists statements made by different Data Protection Authorities to date. We are investigating other measures we could take and are looking out for practical guidance from a variety of Data Protection Authorities in the EU.
A note about Privacy Shield
Since its establishment, Basecamp has also voluntarily participated in the EU-US and Swiss-US Privacy Shield Frameworks. The same Schrems II ruling from the Court of Justice of the European Union invalidated the EU-US Privacy Shield program as a mechanism for data transfer from the EU to the US. This ruling does not apply to the Swiss-US Privacy Shield. We are still certified under, and follow, both Privacy Shield Frameworks.
California Consumer Privacy Act (CCPA)
In the CCPA, there is an important distinction between what are referred to as “service providers”, “businesses”, and “third parties”. You can see how the regulation defines these words by visiting the California Attorney General’s website: https://www.oag.ca.gov/privacy/ccpa.
Under the CCPA, Basecamp is a “service provider.” That means when we process data you provide, we do so solely for the purpose you signed up for. Our business model is simple: we charge a recurring subscription fee to our customers. We do not sell personal information or use your data for any other commercial purposes except with your explicit permission.
US Health Insurance Portability and Accountability Act (HIPAA)
Our products are currently not HIPAA-compliant and we do not have immediate plans to become so.
Basecamp uses third-party subprocessors, such as cloud computing providers and customer support software, to provide our services. We enter into data processing agreements, including the GDPR Standard Contractual Clauses, with each subprocessor, and require the same of them.
You can see which subprocessors we use by application by viewing the following linked lists:
- Basecamp subprocessors
- HEY subprocessors
- Highrise subprocessors
- Campfire subprocessors
- Backpack subprocessors
We also use other software as a company that is not part of providing our services but may collect your personal information for other purposes. You can view this list of processors on the following page: Company processors