Data Processing and Security

At BasicAI, we prioritize the security and privacy of our customers' data above all else. We have established a comprehensive and rigorous information security management system that employs effective security measures across multiple areas, including organizational structure, policies and procedures, and technical safeguards, to fully ensure the protection of customer data. The following content provides an overview of our key policies and practices related to data security.

Organizational Security

The multi-layered information security organizational system we have put in place, spanning personnel, processes, and technology, provides comprehensive protection of customer data.

Information Security Program

BasicAI has developed and implemented a robust information security program aligned with industry best practices. The program adheres to the requirements of the SOC 2 information security audit framework established by the American Institute of Certified Public Accountants (AICPA). It covers various aspects of the organization's security management, communication, risk assessment, and monitoring. The information security program is widely communicated throughout the company, and strict compliance is mandatory for all employees.


Roles and Responsibilities


We have clearly defined and documented information security and data protection roles within the company, along with their associated responsibilities. This includes senior management, security officers, IT, human resources, and other relevant departments. All personnel in these roles are required to review and provide written confirmation of their commitment to adhere to the company's security policies.


Security Awareness Training


BasicAI provides ongoing security awareness education for all employees. New hires must complete rigorous information security training covering industry standard practices and topics such as password management and phishing prevention. We also conduct regular refresher training to ensure employees' security knowledge and skills remain up-to-date.


Confidentiality Agreements


As a condition of employment, every BasicAI employee must sign a strict confidentiality agreement. This confidentiality obligation persists even after an employee's tenure with the company ends.


Background Checks


In compliance with applicable laws and regulations, BasicAI conducts background checks on all new members to identify potential risks that could impact information security. Candidates with concerning investigation results are not hired.


Third-Party Audits


Our organization undergoes independent third-party assessments to test and validate the effectiveness of our security and compliance controls.


Penetration Testing


To ensure our services maintain a robust security posture, we engage independent third parties to conduct thorough penetration testing at least annually.

Cloud Security

Cloud Infrastructure Security

All of BasicAI's services are hosted on Amazon Web Services (AWS), a cloud platform with industry-leading security and multiple authoritative security certifications, providing robust protection for customer data. For detailed information on AWS's security processes, please visit the AWS Security Center.

Data Hosting Security


All of BasicAI's data, including proprietary databases and object storage, is stored on AWS servers located in the United States. These servers employ strict physical security and access control measures, as well as multiple data protection mechanisms such as encryption, backup, and disaster recovery to ensure data security.


Transmission Encryption


All data transmitted to or from BasicAI's applications is protected using TLS/SSL encryption protocols.


Vulnerability Scanning and Monitoring


We employ proactive vulnerability scanning and threat monitoring.


Logging and Monitoring


We implement comprehensive logging and monitoring across our cloud services.


Business Continuity and Disaster Recovery


We utilize both proprietary data backup mechanisms and backup services provided by our cloud service provider to perform cross-region, redundant backups of critical data. This minimizes the risk of data loss due to hardware failures or other unforeseen events. We have also deployed comprehensive monitoring and alerting services. In the event of any fault that impacts the business, the response team is immediately notified for prompt resolution.


Security Incident Response


We have established a robust information security incident response process and developed detailed incident handling procedures that clearly define responsibilities and action plans for each stage, including incident classification, reporting, handling, recovery, and review. In the event of a security incident, we will swiftly implement measures to contain the impact, remediate vulnerabilities, and promptly communicate with affected customers.


Access Control Security 

Permission Management and Authentication

Access to cloud infrastructure and other sensitive systems is restricted to authorized personnel based on job requirements. Where available, we enable single sign-on (SSO), two-factor authentication (2FA), and enforce strong password policies to comprehensively enhance the security of access to sensitive resources.


Least Privilege Principle


BasicAI strictly adheres to the principle of least privilege for permission management. All user permissions are granted based on roles and job responsibilities, providing only the minimum permissions necessary to perform required tasks. This approach effectively reduces the risk of internal permission abuse.


Access Reviews


We conduct quarterly access reviews of all team members who can access sensitive systems.

Password Requirements


All BasicAI team members must adhere to a minimum set of password requirements and access complexity.

Vendor and Risk Management 


Annual Risk Assessment

We perform a comprehensive information security risk assessment at least annually to identify any potential threats, including fraud considerations.


Vendor Risk Management


We determine vendor risk and perform appropriate reviews prior to authorizing new vendors.

Does BasicAI comply with GDPR requirements?


Yes, BasicAI is fully compliant with the requirements of the European Union's General Data Protection Regulation (GDPR). By default, we store customer data on AWS servers located in the United States, ensuring that data remains within that region. However, if customers have specific data localization requirements, we can also provide data storage nodes located in Europe.

Our platform collects necessary cookies and analytics data to better understand user preferences and improve product features. For detailed information on the types of cookies we use, please refer to BasicAI's data privacy statement.

By using BasicAI's services, users agree to our privacy policy. We will never share any personally identifiable information with third parties without explicit user authorization, unless we enter into a GDPR-compliant data sharing agreement.

Does BasicAI comply with HIPAA requirements?

BasicAI strictly follows the guidelines of the U.S. Health Insurance Portability and Accountability Act (HIPAA) to fully protect the security and privacy of medical and health data on the platform. The measures we take include, but are not limited to:


  • Data encryption throughout transmission.

  • Automatic logout of sessions after prolonged inactivity to prevent unauthorized access.

  • Strict data access controls, with different roles having access to only the minimum necessary datasets.

  • Suppression of header information for end users in cases of accidentally uploaded non-anonymized DICOM data.

  • Strict storage of customer data meeting HIPAA standards on BasicAI's servers without transfer elsewhere.

  • Quarterly vulnerability scans of the platform.

  • Continuous threat monitoring of the platform's security status.

  • An established, robust incident response mechanism and handling guidelines for information leakage.

  • Mandatory HIPAA compliance training for all employees who come into contact with user data.

  • Annual audits of BasicAI's HIPAA compliance status.


How is my data legally protected? 


Intellectual Property

In accordance with BasicAI's terms of service, unless explicitly agreed upon otherwise, BasicAI and the customer each retain their respective intellectual property rights to the content they provide. The customer maintains ownership of their data, while BasicAI retains the intellectual property of the BasicAI platform and services. This agreement does not constitute any transfer of intellectual property rights from one party to the other, whether implied or otherwise.


Use of Customer Data


We do not access or use customer data except when necessary to deliver services and provide technical support.


Customer Feedback


If a customer provides feedback to BasicAI about the Services, then BasicAI may use that information without obligation to the customer. However, data uploaded and stored by customers on the BasicAI platform remains the property of the customer. BasicAI has no right to access or use this data without a user request for platform services or explicit written permission. BasicAI never combines customer data with other data sources or grants access to third parties. We do not disclose data without the customer's written consent, ensuring the security of customer data.

How can I restrict access to my data on BasicAI? 


Data Permission Management

BasicAI strictly isolates data by team (tenant) to prevent data from being mutually accessible between different teams. Within a team, members are assigned roles such as admins and regular members. During the task execution phase, roles are further divided into admins, workers, and inspectors. Users have the flexibility to customize different roles and granularly control their read and write permissions for various data types, adhering to the principle of least privilege.


Data Archiving and Deletion


Users can delete datasets and their associated annotation results at any time through BasicAI's user-friendly graphical interface or API. To safeguard against data loss caused by accidental operations, deleted data is temporarily retained in a recycle bin for a specified period before being permanently erased. This provides users with an opportunity to recover data if needed.

Does BasicAI conduct regular vulnerability testing?

Yes, BasicAI collaborates with Intruder to perform comprehensive vulnerability scans and penetration tests on our systems every quarter.

Does BasicAI perform threat detection and continuous monitoring?

Yes, BasicAI has deployed advanced threat detection tools, such as AWS GuardDuty, to continuously monitor our production systems in real time.
