HoangASO
Oct 17, 2025

Q: Data security and privacy - EU user under GDPR

Hi! I’ve been using BrandBay and really like the concept, but before I expand my use I’d like clarity about data security and privacy (I’m an EU user under GDPR).

Could you confirm:
1. Where customer files are stored (country / provider)?
2. Are they encrypted at rest & in transit, and who controls the keys?
3. Can any staff or partners view file contents?
4. Do you have audits (SOC 2, ISO 27001)?
5. How do you handle GDPR rights & cross-border data transfers?
6. Any plan for EU-based or zero-knowledge storage?

This will help many of us decide whether to expand or keep usage limited. Thanks for your transparency!

Hoang

Founder Team
Danielle_BrandBay

Oct 17, 2025

A: Hello @HoangASO!

Thank you for reaching out. There was a recent question posted below this one where we do a bit of a bigger discussion on this subject.
In short, we are a USA company where most data is stored in the USA.
While technically the GDPR makes provision for this, there are other international laws that have a bit of discrepancy between USA and EU relationships when it comes to PII data.
Our stance as a company is that we endeavor to be in compliance as much as we possibly can; however, some of the current laws make some situations impossible for USA SaaS founders.
All PII data is encrypted, and our hosting providers follow top standards and are among the bigger hosting companies.
Internal staff is able to view file contents for support purposes.
You control who can see assets outside of the app with privacy control settings that are available to you.
Our hosting providers are SOC 2 Type II and ISO 27001 compliant. We have not sought out such certifications for ourselves separately (yet); however, we take security and privacy seriously here as a team.

If you have any other questions, please feel free to reach out to us directly at support@brandbay.io or in our new Zeru Apps Community: https://go.zeruapps.com/e/community
