AI Safety

To provide its features, Basteon sends AI requests for tasks such as answering questions, evaluating outputs, and interpreting user requests. These requests are processed within our AWS infrastructure and then forwarded, over an encrypted connection, to the language model inference provider hosted on Azure, all within the European Data Zone. In some cases, AI requests are sent in the background to help build your knowledge base.
All AI requests are processed within the European Data Zone.
Your data is used exclusively to provide service features and is never used to train AI models.

Compliance & Legal

Overview of compliance and legal.
Certifications & Third-Party Assessments
While we are actively working toward ISO 27001 certification, our applications currently run on infrastructure operated by ISO 27001-certified cloud providers. We also commission annual penetration tests from reputable third parties to identify and fix vulnerabilities proactively.
GDPR Compliance
We strictly adhere to the EU’s General Data Protection Regulation, ensuring practices such as data minimization, transparency, and respect for user rights.
Privacy Policy
Our Privacy Policy outlines how we collect, use, and protect your data. You can review it in detail here: https://www.basteon.com/privacy-policy 
Terms of Service
Our Terms of Service govern the use of our platform and services. You can find the full terms here: https://www.basteon.com/terms

Third Party Providers

Third-party vendors and services we rely on.
AWS Cloud Service Provider (USA)
Basteon runs on AWS, using services such as Amazon Cognito for authentication and private S3 buckets for encrypted storage. We operate within an isolated VPC in the eu-central-1 (Frankfurt) region, following the AWS Well-Architected Framework. We do not offer a self-hosted deployment option.
Azure Cloud Service Provider (USA)
AI services are hosted on Azure, and we ensure all data remains within the European Data Zone to meet GDPR requirements.
Webflow (USA)
We use Webflow to host our website. Webflow has no access to any application data, ensuring a clear separation between our public site and internal systems.
Brevo (France)
We use Brevo to send regular email newsletters, keeping users informed about product updates.
Qdrant (Germany)
Embeddings are stored in Qdrant’s vector database, hosted in Germany.
Stripe (USA)
We use Stripe to handle payments and subscriptions. Stripe securely stores payment-related data, such as names, credit card details, and addresses.
Google Workspace (USA)
We use Google Workspace for business email and documentation.

Infrastructure & System Security

Details on system security and infrastructure setup.
Web Application Firewall (WAF)
A Web Application Firewall in front of our load balancers filters application-layer attacks before they reach the application, and Auto Scaling Groups keep the system stable during traffic surges.
Separate Production Environment
We maintain distinct and fully isolated environments for development, testing, and production, ensuring that experiments and changes do not impact the live system.
Data Backups
Regular, encrypted backups are performed using AWS Backup to support disaster recovery.
Encryption-at-Rest
All data stored on our systems is encrypted using strong standards (e.g., AES-256) to secure it while at rest.
Encryption-in-Transit
We safeguard data in transit with HTTPS (TLS) to protect it against interception.
Multi-Factor Authentication (MFA)
We provide free MFA for all user accounts, adding an essential layer of security.
Role-Based Access Control (RBAC)
User permissions are assigned based on job responsibilities, ensuring that employees have only the access necessary for their roles.
Password Security
Our policy requires passwords to have at least 8 characters, including numbers, special characters, and a mix of uppercase and lowercase letters.
Credential Management
Secrets are stored in AWS Systems Manager Parameter Store as encrypted parameters, protected by AWS-managed KMS encryption keys.
CSRF Attack Mitigation
Basteon uses a double-submit CSRF token scheme in which each token is bound to the user's session. Tokens are rotated every 24 hours, and CSRF protection is enforced on every state-changing request.

Data Protection & Privacy

How we protect and manage user data.
Employee Data Access Controls
We limit data access strictly to those employees whose roles require it, adhering to a least-privilege model.
Non-Disclosure Agreement
We have a ready-to-sign NDA available to ensure the confidentiality of shared information.
Account Deletion
To delete your account, please contact us at info@basteon.com. Data removal begins immediately; copies held in backups may take up to 30 days to expire fully.
Vulnerability Disclosures
If you believe you have found a vulnerability, please report it to us directly at info@basteon.com. We are committed to addressing and resolving security flaws promptly to protect the safety and integrity of our platform.

Still have a security-related question?

Can’t find the answer you’re looking for? Please contact us.