Subprocessors Directory

Governance, risk & compliance
Base44 is SOC 2 Type II and ISO 27001 certified, maintaining strict governance and GDPR standards. We ensure continuous risk management and partner with leading providers for secure payment processing.

Compliant
SOC 2 Type II
Independent audit framework evaluating the design and effectiveness of security and operational controls.
Security you can build on
Security controls and compliance practices are applied consistently throughout all stages.
Secure Software Development Lifecycle (SSDLC)
Security is at the core of every stage in how we design, build, and maintain our products. Through threat modeling, secure design, code reviews, and penetration testing, Base44 implements proven best practices to ensure reliable protection across the platform. These controls are integrated throughout the SDLC, enabling early identification and effective resolution of potential risks.
Penetration testing
We perform both internal tests and third-party penetration testing to validate the security of our environment. These assessments, based on OWASP methodologies, simulate real-world attack scenarios to identify vulnerabilities and evaluate the effectiveness of our defenses. All findings are reviewed, prioritized, and tracked as part of our continuous security improvement process.
Secure payments & anti-fraud
Payment processing is handled by trusted, PCI DSS–certified providers to ensure customer payment information remains secure and compliant with global standards. Sensitive payment data is encrypted in transit and is never stored within our environment. Our risk management framework protects against fraud, abuse, and safety threats across our entire platform. From secure payment processing to content moderation, we combine industry-leading third-party solutions with proprietary technologies to keep our community safe.
Third-party risk management
Base44 maintains a comprehensive Third-Party Risk Management (TPRM) program designed to ensure that all vendors comply with our security and compliance standards. Vendors are assessed against defined requirements, and their adherence is periodically validated to confirm ongoing alignment with our expectations.



Bug Bounty Program
We believe that transparency and collaboration are key to maintaining strong security. That’s why we operate a comprehensive bug bounty program that invites independent security researchers from around the world to responsibly disclose vulnerabilities. By opening our doors to the wider security community, we continuously challenge our systems, learn from diverse perspectives, and strengthen our defenses.
Every submission is carefully reviewed and validated by our security team to ensure accuracy and impact assessment. Confirmed vulnerabilities are prioritized for remediation according to their severity and potential risk. This structured process not only ensures rapid mitigation but also helps us continuously evolve and improve our overall security posture.
Our bug bounty program embodies our commitment to proactive security - turning potential threats into opportunities to grow stronger, together.
Subprocessor | Purpose | Country
Mongo | Data storage and hosting | US
SendGrid | Email transmission and external communication | US
Render | Server services | US
GCP - Google Cloud | Analytics services | US
OpenAI | API calls to LLM | US
Anthropic | API calls to LLM | US
Wix.com Ltd. | Providing and improving the services | Israel
DataDog | General logging purposes | US
Security controls
Security is integrated into the platform by design, so every application starts protected, and you have the flexibility to take security even further.
Authentication & SSO
Individual Users: Base44 supports Google SSO, enabling secure and seamless authentication. We also support traditional email+password login, which includes anti-bot controls and email verification.
Enterprise Customers: Our platform supports multiple customer-managed SSO IDPs, giving organizations the power to enforce secure access and manage visibility across all their applications and workspaces.
Built-in security scans
Our Security Scan analyzes your app’s code to identify vulnerabilities before they reach production, checking for hardcoded secrets like exposed API keys, tokens, or credentials (with guided migration to secure secret management), validating row-level security to ensure users can access only authorized records, and identifying backend functions that lack proper server-side authentication.
Data access control
Base44 utilizes Row-Level Security to restrict data access at the database level. Each data entity supports granular CRUD (Create, Read, Update, Delete) permissions.
IP allowlist
For organizations requiring network-level security, admins can restrict access to workspaces and apps based on client IP addresses.
App visibility & governance
Stay in control of how applications are shared across your workspace. Set each app’s visibility to Private, Workspace-only, or Public. With Enterprise Governance, admins can also define the default visibility for new apps and decide whether members are allowed to create and publish public-facing apps.
Extensible security (GitHub integration)
For teams with established security pipelines, our 2-way GitHub integration allows you to export your application code. This enables you to run your own external security tooling, or specialized compliance scanners, alongside our built-in protections.
Account security

Authentication & SSO
Individual Users: Base44 supports Google SSO, enabling secure and seamless authentication. We also support traditional email+password login, which includes anti-bot controls and email verification.
Enterprise Customers: Our platform supports multiple customer-managed SSO IDPs, giving organizations the power to enforce secure access and manage visibility across all their applications. Organizations have the option to enforce SSO across all apps built on Base44.

Application security center
As part of our built-in security offering, we provide users with an Application Security Center that scans each created app and guides them on how to avoid common security pitfalls — such as misconfigured RLS, exposed secrets, or unauthenticated API endpoints.

Data Access Control
Each dataset has its own security rules that define who can read, write, create, and delete records. Multiple rules are combined using OR logic.

