
BlueTower is a governance, risk, and compliance platform. This page explains how we protect the data our customers trust us with, and where we stand on SOC 2, ISO 27001, and GDPR.
We report status honestly. We are not certified yet, and we do not show badges we have not earned.
Full internal gap assessment complete against the Trust Services Criteria. Remediation is underway. Independent audit not yet started.
Statement of Applicability drafted across all 93 Annex A controls. Certification audit not yet started.
Data processing agreement, subject-request tooling, records of processing, and subprocessor transparency are in place and maintained.
Every item below reflects a control that is live in the product today.
The providers that help us run the service, and what each one handles.
| Subprocessor | Purpose | Data handled | Location |
|---|---|---|---|
| Supabase | Database and file storage | Tenant data, uploaded files | United States |
| Vercel | Application hosting | Request metadata | United States |
| Anthropic (Claude) | AI analysis of SOC reports | Redacted document text | United States |
| Google (Gemini) | AI analysis of SOC reports | Redacted document text | United States |
| Resend | Transactional email | Name, email address | United States |
| VirusTotal | Malware hash lookup | File hash only | United States |
The full list with transfer mechanisms is in the documents below.
Public documents are available now. Our internal policy set and audit artifacts are maintained internally and shared with customers and auditors under NDA as part of a security review.
Publicly available
Available to customers and auditors under NDA
Our full governance set is provided under NDA and scoped to your engagement. Some artifacts, such as the risk register and full Statement of Applicability, are limited to auditors.
Request our policy set, ask a security question, or start a vendor assessment. We usually reply within two business days.