Dear Base44 Support/Legal Team,
I am writing to seek urgent clarification regarding the GDPR compliance status of my application, built on the Base44 platform. Our application processes sensitive health data (special categories of personal data under GDPR Article 9), and recent information has raised critical concerns that require immediate and definitive answers.
My concerns are specifically related to the following points:
Conflicting Information on Data Storage Location:
I previously understood that data processed on the Base44 platform would be stored within the EU/EEA. However, your official FAQ ([link to Base44 FAQ you found]) now explicitly states: "All Base44 servers are currently located in the United States."
This discrepancy is highly problematic for our GDPR compliance, especially as we are handling health data.
Processing of Sensitive Health Data (GDPR Article 9 Data):
Your Terms of Service, specifically under the "Responsibility for Customer Data" section, state: "(iii) no sensitive data that is protected under a special legislation and requires unique treatment (such as protected health information...) will be shared with the Platform, other than if expressly agreed by the Company in prior writing and the appropriate agreement in place."
As I manage sensitive health data, it is imperative that we understand the process for obtaining this "expressly agreed in prior writing and the appropriate agreement." Is your standard Data Processing Addendum (DPA) sufficient for processing health data, or is a separate, specialized agreement required for healthcare data controllers? Without such an explicit agreement, we are unable to use your platform for this purpose.
Implications of US Data Storage for GDPR Compliance (Schrems II & DPF):
Given that all Base44 servers are located in the United States, and we are an EEA-based entity processing EEA citizens' health data, this poses significant challenges under GDPR, particularly in light of the Schrems II ruling.
Please provide a clear and detailed explanation of the legal basis and specific transfer mechanisms Base44, Inc. relies upon for the transfer of personal data from the EEA/Norway to the USA. This should explicitly address:
Your certification status and adherence to the EU-US Data Privacy Framework (DPF).
If Standard Contractual Clauses (SCCs) are used, what specific supplementary measures does Base44 implement to ensure a level of protection for health data that is essentially equivalent to GDPR requirements, especially concerning potential US government access (e.g., under FISA 702 or the CLOUD Act)?
Future Plans Regarding Evolving EU/GDPR Regulations:
The regulatory landscape in the EU is constantly evolving, with ongoing discussions and potential new interpretations or frameworks for international data transfers.
What are Base44's mid-to-long term plans to address these evolving EU and GDPR requirements, especially for customers who require data residency within the EU/EEA or stricter guarantees for sensitive data processing? Are there plans to offer EU/EEA-based data storage options in the future?
We require a clear, comprehensive, and written statement addressing these points. The ability to guarantee GDPR compliance, particularly for sensitive health data, is non-negotiable for our operations.
We look forward to your prompt response.
Sincerely,
In Review
Feature Request
6 months ago

Mutaleni Nangolo