Blog
News 2 min read

RenBase achieves GDPR compliance

Data residency, tenant isolation, and the right to erasure. How we built GDPR compliance into RenBase from the ground up.

RT
RenBase Team
GDPR compliance privacy security

We’re pleased to announce that RenBase is now fully GDPR compliant, effective July 2025.

This isn’t a checkbox exercise. We’ve had external auditors review our data architecture, updated our Data Processing Agreement, and made several infrastructure changes to support the rights guaranteed under the Regulation. Here’s what changed and why it matters.

What GDPR compliance means for RenBase

GDPR applies whenever RenBase processes personal data of EU residents. In practice, this means customer documents that contain personal data (employee records, customer contracts, support tickets, research notes) are subject to the Regulation’s requirements.

We handle compliance at the infrastructure layer so you don’t have to implement it yourself.

Tenant isolation

Every knowledge base lives in a fully isolated tenant. Documents, embeddings, metadata, and query logs are stored in tenant-specific namespaces with no shared infrastructure between customers. This means a data breach affecting one tenant cannot expose another tenant’s data.

EU data residency

Enterprise and Team customers can now elect EU-only data residency. Your documents, embeddings, and all intermediate processing outputs remain within EU data centers. We do not transfer data to non-EU jurisdictions for these customers.

Right to erasure

When you submit a deletion request via the API or dashboard, RenBase:

  1. Removes the original document from storage within 24 hours
  2. Purges all derived embeddings and extracted metadata
  3. Deletes associated query logs and cache entries
  4. Issues a certificate of deletion within 30 days

For documents that contain multiple data subjects (e.g., a contract with several signatories), we support granular deletion at the document level.

No model training on your data

This was already true before GDPR certification, but worth restating: your documents are never used to train, fine-tune, or improve any AI model. The embeddings generated from your documents are used exclusively for retrieval within your knowledge base.

Data Processing Agreement

A standard DPA is now available for all paid plans. Enterprise customers can request a customised DPA with additional provisions. Contact us at legal@renbase.com.

What’s next

SOC 2 Type II audit is underway and expected to complete in Q4 2025. ISO 27001 is on the roadmap for 2026.

frequently asked questions

Is RenBase GDPR compliant?

Yes. RenBase is fully GDPR compliant as of July 2025. This includes data residency options (EU-only), tenant isolation, right-to-erasure support, and a Data Processing Agreement available for all plans.

Where is data stored when using RenBase?

Enterprise and Team customers can elect EU-only data residency. All data is stored in isolated per-tenant storage with no cross-tenant access possible at the infrastructure level.

How does RenBase handle the right to erasure?

When a deletion request is received, RenBase removes all document embeddings, extracted metadata, and query logs associated with the specified data subject within 30 days, with a certificate of deletion available on request.