How does the free plan work?

Sign up and start using PrivaBase immediately. No credit card required. The Starter plan includes 1 compliance framework, 5 checks per month, policy generator, website scanner, and access to the compliance feed.

What compliance frameworks do you support?

PrivaBase includes a broad beta framework catalog including GDPR, CCPA/CPRA, HIPAA, SOC 2, ISO 27001, PCI DSS, NIST, DORA, NIS2, US state privacy laws, and international frameworks. Public claims are limited to verified framework evidence.

How many integrations do you support?

The integration catalog includes provider implementations across cloud, identity, DevOps, MDM, HR, monitoring, and other categories. Live-verified integrations are limited to the dated beta evidence bundle.

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Evidence is stored in Supabase Storage with framework-level access controls. We never share your data with third parties.

Do you offer annual billing?

Yes, save 20% with annual billing on all paid plans.

Security at PrivaBase

We build privacy compliance tools — so security isn't just a feature, it's our foundation. Here's how we protect your data.

Encryption

TLS 1.3 for all data in transit (HTTPS everywhere)
AES-256-GCM encryption for sensitive fields at rest
SHA-256 hashed tokens (password reset, API keys, sessions)
Database-level encryption via Supabase (AWS encryption at rest)

Infrastructure

Hosted on Vercel; vendor SOC 2 documentation is reviewed through our subprocessor program
Database on Supabase; HIPAA support depends on eligible customer configuration and executed agreements
US-East region (Virginia) for primary infrastructure
Automatic failover and redundancy
No customer data stored on local machines or development environments

Authentication & Access

JWT-based authentication with 30-minute access tokens
Refresh token rotation with 30-day expiry
Email verification required on signup
Rate limiting on all endpoints (100/min general, 10/min auth)
API key authentication with scoped permissions
CORS restricted to privabase.com subdomains only

Application Security

Input validation and sanitization on all endpoints
UUID parameter validation middleware
SQL injection prevention via parameterized queries
XSS protection through React's built-in escaping
CSRF protection on all state-changing operations
Security headers (Strict-Transport-Security, X-Content-Type-Options, etc.)

Compliance

GDPR support — cookie consent, DSAR workflows, and data minimization tools
CCPA support — opt-out workflows and data access/deletion request tooling
HIPAA support tools — BAA review available for eligible plans and use cases
SOC 2 mapped control workflows; PrivaBase is self-assessed and not currently SOC 2 certified
ISO 27001 mapped readiness workflows in the beta framework catalog
Security reviews and vulnerability assessments are tracked internally; third-party audit report is not yet available

Monitoring & Incident Response

Continuous monitoring of all API endpoints
Automated alerting on anomalous activity
Audit logging for all data access and administrative actions
Incident response plan with 24-hour notification commitment
Regular backup testing and disaster recovery procedures

Data Handling

Data minimization — we only collect what's necessary
No selling of customer data to third parties, ever
Customer data isolation — each account's data is logically separated
Data retention policies aligned with applicable regulations
Right to deletion supported — data is permanently purged on request

Email authentication

SPF configured for authorized sending providers where PrivaBase sends email
DKIM signing enabled for transactional email domains where supported
DMARC policy monitored during beta with enforcement to be tightened as sending stabilizes
Signup and onboarding emails include a clear support reply path

Report a Vulnerability

Found a security issue? We appreciate responsible disclosure. Please email us with details and we'll respond within 24 hours.

security@privabase.com

Last reviewed: May 12, 2026 · Internal security review cadence: quarterly · Third-party audit report: not yet available

Questions? Contact us ·Submit a data request

Infrastructure

Hosted on Vercel; vendor SOC 2 documentation is reviewed through our subprocessor program

Database on Supabase; HIPAA support depends on eligible customer configuration and executed agreements

US-East region (Virginia) for primary infrastructure

Automatic failover and redundancy

No customer data stored on local machines or development environments

Application Security

Input validation and sanitization on all endpoints

UUID parameter validation middleware

SQL injection prevention via parameterized queries

XSS protection through React's built-in escaping

CSRF protection on all state-changing operations

Security headers (Strict-Transport-Security, X-Content-Type-Options, etc.)

Compliance

GDPR support — cookie consent, DSAR workflows, and data minimization tools

CCPA support — opt-out workflows and data access/deletion request tooling

HIPAA support tools — BAA review available for eligible plans and use cases

SOC 2 mapped control workflows; PrivaBase is self-assessed and not currently SOC 2 certified

ISO 27001 mapped readiness workflows in the beta framework catalog

Security reviews and vulnerability assessments are tracked internally; third-party audit report is not yet available

Data Handling

Data minimization — we only collect what's necessary

No selling of customer data to third parties, ever

Customer data isolation — each account's data is logically separated

Data retention policies aligned with applicable regulations

Right to deletion supported — data is permanently purged on request