Last Revised: June 2, 2023


Instabase welcomes the General Data Protection Regulation (“GDPR”) as an important and necessary evolution in the data protection laws across the EU. Instabase’s privacy and security program meets and exceeds the highest standards in the industry, including compliance with the GDPR.

At Instabase, ensuring that Customer Data is handled securely and responsibly is our number one priority and we are fully committed to complying with the GDPR. This page provides an overview of how the GDPR applies to Instabase and the steps we have taken to address GDPR requirements.

What is the GDPR?

The GDPR is an EU privacy law that went into effect on May 25, 2018. It governs the processing of personal data of EU individuals and regulates how organizations can collect, process and share personal data. 

Who does the GDPR apply to?

The GDPR applies to any organization established within the EU, as well as organizations that offer goods or services in the EU or that monitor the behavior of EU individuals. This broad scope means that the GDPR applies to practically any organization that processes personal data of EU individuals, regardless of where they are established or where their processing activities take place.

How does the GDPR apply to Instabase?

Instabase provides an application platform that can be used to understand unstructured data and automate business processes. Our Customers provide us with text, image files and other data or content (“Customer Data”) that may contain personal data of EU individuals. As a result, the GDPR may apply to Instabase and our customers.

Is Instabase a controller or processor under the GDPR?

The GDPR distinguishes between “controllers” and “processors”. A “controller” is an organization that decides how and why personal data is processed, whereas a “processor” is only permitted to use personal data under the instructions of the controller. When providing our Services, Instabase is predominantly a processor. Our Customers control the data that they provide to us in connection with the Services and how we use that data. We only process Customer Data for the purpose of providing our Services and as specified in our agreement with the Customer. There are a few circumstances where Instabase acts as a controller under the GDPR, for example when we are responding to support requests or processing personal data in connection with our marketing activities. Full details of these uses are explained in our Services Privacy Policy.

What steps has Instabase taken to be GDPR compliant?

Our existing certifications and long-standing commitment to privacy frameworks have prepared us for the GDPR in many ways. Instabase has also taken a number of steps to address GDPR compliance, including:

  • Ensuring our Services Privacy Policy is transparent about how we use personal data as a controller and how individuals can exercise their rights under the GDPR.
  • Providing customers with GDPR-ready terms in our Data Protection Agreement (“DPA”).
  • Incorporating the EU’s Standard Contractual Clauses (SCCs) and UK International Data Transfer Addendum (UK Addendum) within customer agreements to address data transfer requirements.
  • Reviewing our security practices to ensure that Customer Data is adequately protected through appropriate technical and organizational measures in accordance with GDPR requirements.
  • Embedding privacy by design principles within the organization. 
  • Conducting appropriate due diligence on Subprocessors and updating our contracts with Subprocessors to ensure they are GDPR-compliant.
  • Ensuring that we can help Customers respond to data subject requests they receive through formal processes. 
  • Maintaining accurate records of our data processing activities, both as a processor and controller of personal data.  
  • Staying informed about the latest developments and updates around GDPR compliance, and making changes to our Services as needed. 

Does Instabase transfer Customer Data outside Europe?

Instabase is a US company and our servers are located in the US. In addition, we make use of third-party Subprocessors and their servers may also be located outside Europe. You can find a full list of our Subprocessors here. This means that, if you are using any of our hosted Services, Customer Data will be transferred to and stored in the US and other countries outside Europe for processing. 

How does Instabase protect Customer Data outside Europe?

If you are using any of our hosted Services and are located in the European Economic Area (“EEA”), United Kingdom (“UK”) or Switzerland, or you use our hosted Services to process personal data about European individuals, our Data Processing Addendum (“DPA”) has been drafted to enable you to lawfully transfer personal data to Instabase in the US for processing. Our DPA automatically incorporates the European Commission’s Standard Contractual Clauses issued in June 2021 (“SCCs”) for transfers of Customer Data from the EEA and Switzerland, and automatically incorporates the SCCs and UK International Data Transfer Addendum for transfers of Customer Data from the UK. 

In addition to the SCCs and UK Addendum, we have also implemented a number of technical, organizational and contractual measures to ensure that Customer Data remains protected outside Europe. In particular:

  • We have implemented a comprehensive security program designed to protect Customer Data, which is outlined in Instabase’s Security Measures.
  • Our DPA includes rigorous contractual commitments to security, confidentiality of processing, international data transfers, cooperation with data subject rights, and more.
  • We have robust internal policies and procedures to address government access requests and ensure that Customer Data remains protected wherever it is processed. 

For more information, please see our dedicated page on European Data Transfers.

Where can I get more information about GDPR?

You can learn more about Instabase’s privacy practices as a controller by reviewing our Services Privacy Policy. If you have questions or need more information, please email

Data Protection Agreement (DPA)

Instabase offers a Data Protection Agreement (“DPA”) that supplements the Agreement or main online subscription agreement. Our DPA has been drafted to address privacy requirements and reflect our obligations as a processor of Customer Data. If you wish to enter a DPA with Instabase, submit a request to


Instabase and its Affiliates (as listed below) use Subprocessors to process Customer Data in order to provide the Instabase Service (“Subprocessors”). The Subprocessors page includes information about the identity and location of Subprocessors authorized to process or access Customer Data. 

When engaging Subprocessors, Instabase employs a selection process by which it evaluates, among other aspects, the security and privacy policies of the proposed Subprocessor. Instabase also requires Subprocessors to satisfy certain requirements and enter appropriate data processing terms.