
Defense in depth, not defense in marketing.

The actual security practices behind Baslic — what we do, how we verify it, and how to reach us if something looks wrong.

Summary

In plain English

Baslic runs on EU infrastructure (Hetzner Helsinki and Falkenstein), with TLS 1.2+ in transit, encryption at rest on managed volumes, and authentication delegated to Clerk (a SOC 2 Type II audited provider). We log every administrative action with an immutable audit trail, and we publish a sub-processor list so you always know who touches your data. We are a small team; we believe small teams should be honest about what they have and have not done.

Hosting and data residency

All customer data is stored in the European Union, on Hetzner cloud infrastructure in Helsinki (Finland) and Falkenstein (Germany). No primary copy of customer data leaves the EU. Specific data flows outside the EU (for example, AI parsing via Anthropic) occur only through the sub-processors listed on our Sub-Processors page, each under the EU-US Data Privacy Framework or an equivalent transfer mechanism.

Encryption

In transit

All traffic to www.baslic.com, app.baslic.com, and our API is served over TLS 1.2 or higher; plain HTTP requests are redirected to HTTPS. Certificates are issued and renewed automatically.

At rest

Database storage and object storage (receipt files) reside on managed volumes with encryption at rest enabled at the storage layer. Backups (both on-cluster and off-site) are encrypted before leaving the primary host.

Authentication and access

  • End-user authentication is provided by Clerk, which is SOC 2 Type II audited and supports multi-factor authentication, magic links, and social sign-in.
  • Passwords are never stored by Baslic in plaintext or recoverable form; Clerk uses industry-standard bcrypt hashing.
  • Administrative impersonation (used for support) is gated by a dedicated role, is fully audit-logged, and is blocked from performing destructive or financial actions on a customer's behalf.
  • Server access (SSH) uses key-based authentication only; passwords are disabled.
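As an added illustration of the last bullet (example code, not Baslic's own tooling): a small Python checker that reads an sshd_config and reports whether it actually enforces key-only login. The sample configurations are constructed. It encodes two things that are easy to get wrong: sshd takes the first value of each keyword and silently ignores later repeats, so a hardening line appended to the end of the file can do nothing; and PasswordAuthentication no is not sufficient on its own, because keyboard-interactive authentication (on by default) can still let PAM prompt for a password.

```python
"""Check an sshd_config for the posture 'key-based authentication only; passwords disabled'.

Added example; not Baslic's tooling. The sample configs below are constructed.
Relevant sshd_config(5) semantics:
  - for each keyword the FIRST value in the file wins; later repeats are ignored
  - PasswordAuthentication defaults to yes when absent
  - KbdInteractiveAuthentication (ChallengeResponseAuthentication before
    OpenSSH 8.7) defaults to yes and lets PAM prompt for a password
  - everything after a Match line belongs to that Match block
"""
import re

# Defaults sshd applies when a keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
}


def parse_global_options(text: str):
    """Return (keyword -> first effective value, number of Match blocks).

    Comments and blank lines are skipped. Match blocks are not evaluated here;
    their count is returned so the caller knows there are overrides to review.
    """
    opts = {}
    match_blocks = 0
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            match_blocks += 1
            in_match = True
            continue
        if in_match:
            continue
        opts.setdefault(key, value)  # first occurrence wins, as in sshd
    return opts, match_blocks


def audit(text: str) -> list:
    """Return findings as strings; an empty list means the config enforces the policy."""
    opts, match_blocks = parse_global_options(text)

    def effective(key: str) -> str:
        return opts.get(key, DEFAULTS[key]).lower()

    findings = []
    if effective("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is effectively '%s' (first value wins; default is yes)"
                        % effective("passwordauthentication"))
    if effective("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled; key-based login will fail")
    # Older configs use the deprecated ChallengeResponseAuthentication alias.
    kbd = opts.get("kbdinteractiveauthentication",
                   opts.get("challengeresponseauthentication",
                            DEFAULTS["kbdinteractiveauthentication"])).lower()
    if kbd != "no":
        findings.append("KbdInteractiveAuthentication is not 'no'; PAM may still prompt for a password")
    if effective("permitemptypasswords") != "no":
        findings.append("PermitEmptyPasswords is enabled")
    if effective("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes allows root login with a password")
    if match_blocks:
        findings.append("%d Match block(s) present; per-user/group overrides not audited" % match_blocks)
    return findings


# Constructed sample: a hardening script appended its lines to the bottom of the file.
SAMPLE_APPENDED_HARDENING = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no   # ignored: sshd already took 'yes' three lines up
"""

# Constructed sample: the posture the bullet above describes.
SAMPLE_HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
"""

if __name__ == "__main__":
    for name, cfg in (("appended", SAMPLE_APPENDED_HARDENING), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(cfg) or "OK")
```

Run it against a real host with `audit(open("/etc/ssh/sshd_config").read())`; on hosts that use `Include /etc/ssh/sshd_config.d/*.conf` (the default on recent Debian and Ubuntu), concatenate the included files first, in the order sshd reads them, or the first-wins logic will be evaluated against the wrong text.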

Backups and disaster recovery

Customer data is backed up daily via Hetzner managed snapshots, with an additional encrypted off-site backup planned for activation within the next 7 days (Backblaze B2, Amsterdam region). Backup encryption keys are held by Baslic only; the off-site provider cannot decrypt the data.

We perform periodic restore tests so that backups are verified recoverable, not just present.

Monitoring and audit logs

  • Every administrative action (role changes, configuration changes, impersonation sessions) is recorded in an immutable audit log with actor identity, target entity, timestamp, and reason.
  • Application errors and exceptions are captured by an error-tracking service with personally identifiable information scrubbed before transmission.
  • We do not log request bodies, file contents, or other customer payload data into our monitoring system.
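As an added illustration of what "immutable" can be made to mean in practice (example code, not Baslic's implementation): a hash-chained, append-only audit log whose records carry the fields named in the first bullet. Field names, addresses and ticket references are constructed. Each record commits to the hash of the previous one, so editing, deleting or reordering any past record breaks verification from that point on. The caveat worth knowing is that a bare chain cannot detect silent truncation of its tail, so the latest head hash has to be anchored somewhere the writer cannot rewrite.

```python
"""A hash-chained, append-only audit log with a verifier.

Added example, not Baslic's code. Record fields follow the page's description
(actor, action, target, timestamp, reason); everything else is assumed.
"""
from __future__ import annotations
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record


def canonical(record: dict) -> bytes:
    # Stable serialisation (sorted keys, fixed separators) so equal records hash equally.
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def record_hash(body: dict) -> str:
    return hashlib.sha256(canonical(body)).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def head(self) -> str:
        """Hash of the newest record; this is the value to anchor externally."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, actor: str, action: str, target: str, reason: str, timestamp: str) -> str:
        """Append one record and return its hash. timestamp is server-side RFC 3339 text."""
        body = {
            "seq": len(self.entries),
            "prev_hash": self.head(),
            "actor": actor,
            "action": action,
            "target": target,
            "reason": reason,
            "timestamp": timestamp,
        }
        entry = dict(body, hash=record_hash(body))
        self.entries.append(entry)
        return entry["hash"]


def verify(entries: list[dict]) -> tuple[bool, int | None]:
    """Walk the chain from the start: (True, None), or (False, index of first bad record)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return False, i  # deleted, inserted or reordered record
        if record_hash(body) != e.get("hash"):
            return False, i  # edited record
        prev = e["hash"]
    return True, None


def verify_anchored(entries: list[dict], anchored_head: str) -> tuple[bool, int | None]:
    """verify() plus a check that the chain ends at an externally stored head hash."""
    ok, bad = verify(entries)
    if not ok:
        return False, bad
    head = entries[-1]["hash"] if entries else GENESIS
    return (True, None) if head == anchored_head else (False, len(entries))


def demo() -> dict:
    """Constructed records showing what the chain does and does not catch."""
    log = AuditLog()
    log.append("ops@example.invalid", "role.change", "user:42", "ticket #1234", "2024-05-01T09:00:00Z")
    log.append("ops@example.invalid", "impersonation.start", "org:7", "ticket #1235", "2024-05-01T09:05:00Z")
    log.append("ops@example.invalid", "impersonation.end", "org:7", "ticket #1235", "2024-05-01T09:20:00Z")
    anchor = log.head()  # in a real system: written to a separate write-once store

    edited = [dict(e) for e in log.entries]
    edited[1]["reason"] = "routine"             # alters a past record
    deleted = [log.entries[0], log.entries[2]]  # drops the middle record
    truncated = log.entries[:-1]                # drops the newest record

    return {
        "intact": verify(log.entries),
        "edited": verify(edited),
        "deleted": verify(deleted),
        "truncated_unanchored": verify(truncated),  # passes: the shorter chain is self-consistent
        "truncated_anchored": verify_anchored(truncated, anchor),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The chain makes tampering detectable, not impossible: whoever can rewrite the whole table and the anchored head can still forge history, so the anchor (and ideally the verifier) should live under a different set of credentials from the application that writes the log.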

Vendor security

We use only a small number of sub-processors, each chosen for a specific function and contractually bound to GDPR-compliant data processing terms. Our full list is on the Sub-Processors page. We do not add a sub-processor without giving you 30 days' notice.

Incident response

If we discover or are notified of a security incident that may have affected your data:

  • We will notify affected customers within 24 hours of confirmation, via the email address on file.
  • We will notify the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
  • The notification will describe the nature of the incident, the data potentially affected, mitigations already taken, and what we recommend you do.
  • A post-incident report will be made available to affected customers on request.

On certifications

Baslic is a small team and does not currently hold SOC 2 or ISO 27001 certifications. We have committed to pursuing SOC 2 Type I once our first enterprise customer requires it. In the meantime, this page documents the actual practices, not aspirations.

Reporting a security issue

If you believe you have found a security vulnerability in Baslic, please email us directly:

security@baslic.com

We will acknowledge receipt within 2 business days. Please give us reasonable time to investigate and remediate before public disclosure. We do not currently run a paid bug bounty program, but we will gratefully credit reporters in our security changelog (with your permission).
