Trust Center
Security

How we protect your data

A closer look at the controls behind the Trust Center. This page describes what each control does and how it works, in plain terms.

Draft, pending review. This page has not been finalized. It is held out of search results until the company legal name, effective date, and trust contact are confirmed and legal review is complete.

Access and authentication

Access to BlueTower is protected by layered authentication. Privileged roles cannot sign in until multi-factor authentication is enrolled, and repeated failures lock the account.

  • MFA required for privileged roles
  • TOTP secrets encrypted at rest
  • Passwords and backup codes hashed with bcrypt
  • Automatic lockout on repeated failures
  • Single sign-on via SAML and OIDC

Encryption

Data is encrypted in transit and at rest, and application secrets get an additional layer of field-level encryption.

  • AES-256-GCM for secrets at rest
  • TLS 1.2 or higher in transit
  • Encrypted database storage and backups

Monitoring and audit

Sensitive actions are recorded in an audit trail designed to detect tampering, and security signals are surfaced in real time.

  • Tamper-evident audit logs with integrity hashes
  • Real-time security event alerting
  • Login, lockout, and access telemetry retained for review

Data and privacy

Customers stay in control of their data, with self-service rights and enforced retention limits.

  • Self-service data export and erasure
  • Retention limits with scheduled purge
  • Documented records of processing
  • Public privacy notice

AI governance

AI assists with reviewing SOC reports, but a person is always in control, and personal data is minimised before any text leaves our systems.

  • A person reviews and approves every AI suggestion
  • Personal identifiers redacted before text reaches an AI provider
  • Providers bound not to train on customer data

Infrastructure and resilience

The platform runs on hardened, least-privilege infrastructure with defensive controls around uploads and tenant isolation.

  • Least-privilege access
  • Uploads scanned for malware, blocked if the scan cannot finish
  • Row-level security on tenant data
  • Documented backup and recovery

Responsible disclosure

If you believe you have found a security issue, we want to hear from you. We investigate every report and will keep you updated.

Report a vulnerability

Email our security team with details and steps to reproduce. Please do not share the issue publicly until we have resolved it.

[security@yourcompany.example]