How does the free plan work?

Sign up and start using PrivaBase immediately. No credit card required. The Starter plan includes 1 compliance framework, 5 checks per month, policy generator, website scanner, and access to the compliance feed.

What compliance frameworks do you support?

We support 132 frameworks including GDPR, CCPA/CPRA, HIPAA, SOC 2 Type II, SOC 1, ISO 27001, PCI DSS, NIST, DORA, NIS2, 18 US state privacy laws, and international frameworks. You can also build custom frameworks.

How many integrations do you support?

Over 214 integrations across 12 categories including cloud infrastructure (AWS, GCP, Azure), identity (Okta, Google Workspace), DevOps (GitHub, GitLab), MDM (Jamf, Intune, Kandji), HR (Gusto, Rippling, BambooHR), and more.

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Evidence is stored in Supabase Storage with framework-level access controls. We never share your data with third parties.

Do you offer annual billing?

Yes, save 20% with annual billing on all paid plans.

Data Processing Agreement

Version 1.0 · Effective February 12, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between PrivaBase (operated by Spoon Seller LLC, "Processor") and the customer ("Controller") and reflects the parties' agreement regarding the processing of personal data in accordance with GDPR Article 28.

1. Definitions

"Personal Data," "Processing," "Controller," "Processor," and "Data Subject" have the meanings given in the GDPR (Regulation (EU) 2016/679).

2. Scope and Purpose

The Processor will process Personal Data solely for the purpose of providing the PrivaBase compliance platform services as described in the Terms of Service, including:

Compliance assessments and monitoring
Document generation and management
Data subject request processing
Vendor risk assessments
Cloud security scanning
Audit preparation and evidence collection

3. Categories of Data

Data subjects: Controller's employees, customers, vendors, and end users as determined by the Controller.

Types of personal data: Names, email addresses, job titles, IP addresses, compliance records, system configuration data, and any personal data uploaded by the Controller to the platform.

4. Processor Obligations

The Processor shall:

Process Personal Data only on documented instructions from the Controller
Ensure that persons authorized to process have committed to confidentiality
Implement appropriate technical and organizational security measures (see Security page)
Assist the Controller in fulfilling data subject requests
Delete or return all Personal Data upon termination of services
Make available all information necessary to demonstrate compliance
Allow for and contribute to audits and inspections

5. Sub-processing

The Controller authorizes the Processor to engage the subprocessors listed on our Subprocessors page. The Processor shall notify the Controller at least 30 days before adding or replacing a subprocessor. The Processor shall ensure each subprocessor is bound by data protection obligations no less protective than this DPA.

6. International Transfers

Personal Data is processed in the United States. For transfers from the EEA/UK, the parties rely on the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission. The SCCs are incorporated by reference into this DPA.

7. Security Measures

The Processor implements the technical and organizational measures described on our Security page, including:

AES-256-GCM encryption for sensitive data at rest
TLS 1.3 for data in transit
Access controls and authentication
Regular security assessments
Audit logging and monitoring

8. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

9. Data Retention and Deletion

Upon termination of services or upon the Controller's request, the Processor shall delete all Personal Data within 30 days, unless retention is required by applicable law. The Processor shall provide written confirmation of deletion upon request.

10. Term

This DPA shall remain in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller and shall automatically terminate when the Processor no longer processes Personal Data on behalf of the Controller.

Request a Signed Copy

Enterprise customers can request a countersigned copy of this DPA. Email us with your company details and we'll return a signed copy within 5 business days.

Request Signed DPA