At Baseplate Security (“Baseplate,” “we,” “us,” or “our”), we are committed to protecting the security and privacy of the information you share with us. Baseplate provides an automated CMMC 2.0 and NIST SP 800-171 compliance orchestration platform designed specifically for defense subcontractors.
This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our website, SaaS platform, and related compliance services.
Important Notice on CUI Data: Baseplate is designed to orchestrate and track your compliance metadata, SSP control descriptions, and audit evidence. Do not upload actual, unencrypted Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) files to the platform except where the platform explicitly prompts for them or routes them into designated secure vaults.
1. Information We Collect
We collect information necessary to deliver compliance orchestration, questionnaire branching, and document generation:
- Account Information: Name, email address, company name, phone number, and billing credentials when you register an account.
- Compliance Questionnaire Answers: Your answers regarding access controls, network configurations, encryption schemes, physical security, and organizational policies.
- Evidence Vault Metadata: File headers, upload timestamps, control tags, and file hashes for screenshots, policy drafts, and security logs you choose to store as C3PAO evidence.
- Usage Metrics: Details about your interactions with the platform (e.g., page views, questionnaire completion time, and export clicks).
2. How We Use Your Information
We use the collected information for the following operational and product purposes:
- To generate your System Security Plan (SSP) narratives and Plan of Action & Milestones (POA&M) drafts.
- To translate your plain-English questionnaire answers into auditor-ready prose using our FedRAMP-compliant LLM API.
- To build and maintain your secure Evidence Vault to prove compliance posture to certified C3PAO auditors.
- To verify transaction credentials and manage billing cycles.
- To monitor application health, resolve bugs, and optimize the logic engine.
3. Data Security and Infrastructure
Security is the core of our platform. Baseplate operates under federal-grade hosting standards:
- Secure Hosting: Our databases and LLM APIs reside on FedRAMP-authorized cloud infrastructure.
- Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
- Access Isolation: Your compliance database is logically isolated from other customer workspaces, and access is protected by strict Multi-Factor Authentication (MFA).
4. Information Sharing and Disclosure
We do not sell, rent, or trade your compliance or organizational data to third parties. We share information only under these specific parameters:
- Assessor Access: You can choose to generate and export an assessor package or invite certified C3PAO auditors directly into your portal. We share access only on your explicit instruction.
- Service Providers: Trusted processors who handle our hosting, billing (e.g., Stripe), and AI engines (FedRAMP-compliant endpoints) under strict data-protection agreements.
- Legal Mandate: If required to comply with a subpoena, court order, or federal defense regulation.
5. Contact Us
If you have any questions or concerns regarding this Privacy Policy, please reach out to us at:
privacy@baseplatesecurity.com