StellarBase
Docs Security & Compliance GDPR & Compliance
Security & Compliance

GDPR & Compliance

How StellarBase meets regulatory frameworks — what ships built-in, what you configure, and what documentation is available for your auditors.

GDPR alignment

Legal basis

StellarBase is a data processor. You — the customer — are the data controller. Our DPA (Data Processing Agreement) documents this relationship and is included in every contract.

Principles mapped

PrincipleHow StellarBase supports it
Lawfulness, fairness, transparencyDPA, documented processing purposes
Purpose limitationPer-Base data scopes; no cross-Base processing without explicit configuration
Data minimizationKnowledge base is a semantic layer, not a copy — minimizes data duplication
AccuracyContinuous sync from sources means stale copies don’t accumulate
Storage limitationConfigurable retention per Base; auto-deletion of data past retention
Integrity & confidentialitySee Encryption
AccountabilityImmutable audit log of every action

Subject rights

Tools to honour data-subject requests:

  • Access (Art. 15) — search across the knowledge base by subject identifier; export the results
  • Rectification (Art. 16) — correct source documents; changes propagate via connector sync
  • Erasure (Art. 17) — remove from knowledge base, indexes, and vectors; audit log of the removal retained for compliance
  • Restriction (Art. 18) — tag-based access control temporarily blocks processing
  • Portability (Art. 20) — standard-format export of all data about a subject
  • Objection (Art. 21) — per-agent, per-workflow processing bans

DPO & ROPA

Admin UI generates a Record of Processing Activities (ROPA) draft for your Base. You’ll tailor it to your legal counsel’s format, but the data flows are captured.

DPIAs

We provide DPIA templates for common workflows (customer-support bot, document review, research corpus). They’re starting points — your DPO still runs the assessment.

EU Data Act

Key obligations and how we meet them:

  • Data portability — every Base exportable in standard formats. See Deployment for “zero lock-in” details.
  • Switching providers — 30-day transition period built in, technical migration support included
  • Non-discriminatory access — no vendor-lock contract clauses

DORA (for financial customers)

Digital Operational Resilience Act applies to EU financial entities. StellarBase supports:

  • Documented ICT risk-management framework (we provide ours)
  • Testing & resilience (pen-test reports, DR test results available)
  • Third-party risk management (we’re the “ICT third-party provider”; DORA-compliant agreement templates included)
  • Incident reporting (breach notification within DORA’s required windows)
  • Concentration risk (self-hosted option available if you need to de-risk cloud concentration)

NIS2 (for essential / important entities)

Operational security requirements aligned. Air-gapped deployments meet the strictest NIS2 categories.

ISO 27001

🛠 Ready in Q2 2026. Certification is in progress.

The certification scope covers:

  • StellarCloud managed inference platform
  • StellarBase managed cloud
  • StellarGate managed privacy proxy
  • Supporting infrastructure (deployments, monitoring, incident response)

Statement of Applicability available on request (under NDA); the certificate will follow on completion.

SOC 2 Type II

In progress. Target completion Q2 2026. Interim reports (Type I + “readiness”) available now.

Data residency

OptionWhere data lives
Managed EU cloudFrankfurt, Amsterdam, or Prague (EU; we assign the region)
Private managedYour AWS / Azure / GCP tenant, region of your choice
Self-hostedYour data centre, wherever that is
Air-gappedSame, with zero egress

No transatlantic data transfer unless you opt in explicitly.

Resources

For your CISO / DPO / auditor, available on request under NDA:

  • Security architecture document
  • Penetration test reports (latest + historical)
  • DPA template
  • Standard Contractual Clauses (for non-EU transfers)
  • ISO 27001 Statement of Applicability (certificate on completion)
  • SOC 2 interim reports (Type I, readiness)
  • DPIA templates
  • ROPA examples
  • Incident response playbooks

Related