Trust Center

Security you can verify, not just take our word for.

BlueTower is a governance, risk, and compliance platform. This page explains how we protect the data our customers trust us with, and where we stand on SOC 2, ISO 27001, and GDPR.

Last reviewed 12 Jul 2026 · Version 1.0
Draft, pending review. This page has not been finalized. It is held out of search results until the company legal name, effective date, and trust contact are confirmed and legal review is complete.
Compliance posture

Where we stand

We report status honestly. We are not certified yet, and we do not show badges we have not earned.

SOC 2 Type II

Working toward

Full internal gap assessment complete against the Trust Services Criteria. Remediation is underway. Independent audit not yet started.

ISO/IEC 27001

Working toward

Statement of Applicability drafted across all 93 Annex A controls. Certification audit not yet started.

GDPR

Controls in place

Data processing agreement, subject-request tooling, records of processing, and subprocessor transparency are in place and maintained.

How we protect data

Security controls

Every item below reflects a control that is live in the product today.

Access and authentication

  • MFA required for privileged roles
  • TOTP secrets encrypted at rest
  • Passwords and backup codes hashed with bcrypt
  • Automatic lockout on repeated failures
  • Single sign-on via SAML and OIDC

Encryption

  • AES-256-GCM for secrets at rest
  • TLS 1.2 or higher in transit
  • Encrypted database storage and backups

Monitoring and audit

  • Tamper-evident audit logs with integrity hashes
  • Real-time security event alerting
  • Login, lockout, and access telemetry retained for review

Data and privacy

  • Self-service data export and erasure
  • Retention limits with scheduled purge
  • Documented records of processing
  • Public privacy notice

AI governance

  • A person reviews and approves every AI suggestion
  • Personal identifiers redacted before text reaches an AI provider
  • Providers bound not to train on customer data

Infrastructure and resilience

  • Least-privilege access
  • Uploads scanned for malware, blocked if the scan cannot finish
  • Row-level security on tenant data
  • Documented backup and recovery
Supply chain

Subprocessors

The providers that help us run the service, and what each one handles.

SubprocessorPurposeData handledLocation
SupabaseDatabase and file storageTenant data, uploaded filesUnited States
VercelApplication hostingRequest metadataUnited States
Anthropic (Claude)AI analysis of SOC reportsRedacted document textUnited States
Google (Gemini)AI analysis of SOC reportsRedacted document textUnited States
ResendTransactional emailName, email addressUnited States
VirusTotalMalware hash lookupFile hash onlyUnited States

The full list with transfer mechanisms is in the documents below.

Documentation

Policies and reports

Public documents are available now. Our internal policy set and audit artifacts are maintained internally and shared with customers and auditors under NDA as part of a security review.

Publicly available

PublicSecurity Overview
View
PublicPrivacy Notice
View
PublicSubprocessor List
View

Available to customers and auditors under NDA

Requested during a security review or audit

Our full governance set is provided under NDA and scoped to your engagement. Some artifacts, such as the risk register and full Statement of Applicability, are limited to auditors.

Information Security Policy
Access Control Policy
Vendor Management Policy
Incident Response Plan
Risk RegisterAuditor only
Statement of ApplicabilityAuditor only
NDA required, reply within two business days

Need something for your review?

Request our policy set, ask a security question, or start a vendor assessment. We usually reply within two business days.