# GDPR & Compliance
How StellarBase meets regulatory frameworks — what ships built-in, what you configure, and what documentation is available for your auditors.
## GDPR alignment

### Legal basis
StellarBase is a data processor. You — the customer — are the data controller. Our DPA (Data Processing Agreement) documents this relationship and is included in every contract.
### Principles mapped
| Principle | How StellarBase supports it |
|---|---|
| Lawfulness, fairness, transparency | DPA, transparent subprocessor list, documented processing purposes |
| Purpose limitation | Per-Base data scopes; no cross-Base processing without explicit configuration |
| Data minimization | Knowledge base is a semantic layer, not a copy — minimizes data duplication |
| Accuracy | Continuous sync from sources means stale copies don’t accumulate |
| Storage limitation | Configurable retention per Base; auto-deletion of data past retention |
| Integrity & confidentiality | See Encryption |
| Accountability | Immutable audit log of every action |
### Subject rights
Tools to honour data-subject requests:
- Access (Art. 15) — search across the knowledge base by subject identifier; export the results
- Rectification (Art. 16) — correct source documents; changes propagate via connector sync
- Erasure (Art. 17) — remove from knowledge base, indexes, and vectors; audit log of the removal retained for compliance
- Restriction (Art. 18) — tag-based access control temporarily blocks processing
- Portability (Art. 20) — standard-format export of all data about a subject
- Objection (Art. 21) — per-agent, per-workflow processing bans
### DPO & ROPA
Admin UI generates a Record of Processing Activities (ROPA) draft for your Base. You’ll tailor it to your legal counsel’s format, but the data flows are captured.
### DPIAs
We provide DPIA templates for common workflows (customer-support bot, document review, research corpus). They’re starting points — your DPO still runs the assessment.
## EU Data Act
Key obligations and how we meet them:
- Data portability — every Base exportable in standard formats. See Deployment for “zero lock-in” details.
- Switching providers — 30-day transition period built in, technical migration support included
- Non-discriminatory access — no vendor-lock contract clauses
## DORA (for financial customers)
Digital Operational Resilience Act applies to EU financial entities. StellarBase supports:
- Documented ICT risk-management framework (we provide ours)
- Testing & resilience (pen-test reports, DR test results available)
- Third-party risk management (we’re the “ICT third-party provider”; DORA-compliant agreement templates included)
- Incident reporting (breach notification within DORA’s required windows)
- Concentration risk (self-hosted option available if you need to de-risk cloud concentration)
## NIS2 (for essential / important entities)

Our operational security controls are aligned with NIS2 requirements. Air-gapped deployments meet the strictest NIS2 categories.
## ISO 27001
We’re certified. Audit scope includes:
- StellarCloud managed inference platform
- StellarBase managed cloud
- StellarGate managed privacy proxy
- Supporting infrastructure (deployments, monitoring, incident response)
Statement of Applicability and certificate available on request (under NDA).
## SOC 2 Type II
In progress. Target completion Q3 2026. Interim reports (Type I + “readiness”) available now.
## Sector-specific

### IEC 62443 (industrial control systems)
Our architecture maps to IEC 62443 security levels. For air-gapped manufacturing deployments we align to SL-3+; standard deployments target SL-2.
### HIPAA (US healthcare)
Not a native EU obligation, but available via BAA for US healthcare partners on the Enterprise tier. Safe Harbor de-identification supported.
### Czech NBÚ (classified information systems)
Air-gapped deployments designed for NBÚ certification. We support you through the certification process; your authority issues the final certification.
### German BSI IT-Grundschutz

Both the baseline and the advanced protection levels are supported.
## Subprocessors
Full list maintained at stellarbase.ai/subprocessors. Updates notified 30 days in advance. Self-hosted deployments have zero subprocessors — you run everything.
## Data residency
| Option | Where data lives |
|---|---|
| Managed EU cloud | Frankfurt, Amsterdam, or Prague (customer-chosen) |
| Private managed | Your AWS / Azure / GCP tenant, region of your choice |
| Self-hosted | Your data centre, wherever that is |
| Air-gapped | Same, with zero egress |
No transatlantic data transfer unless you opt in explicitly.
## Resources
For your CISO / DPO / auditor, available on request under NDA:
- Security architecture document
- Penetration test reports (latest + historical)
- DPA template
- Standard Contractual Clauses (for non-EU transfers)
- ISO 27001 SoA + certificate
- SOC 2 interim reports (Type I, readiness)
- DPIA templates
- ROPA examples
- Subprocessor list (public)
- Incident response playbooks
