How we secure your data
Blue Vellum runs on boring, well-understood infrastructure on purpose — a small stack of best-in-class managed services, each with its own publicly verifiable compliance certifications.
The subprocessor stack
Authentication
Sign-in and sessions run through Clerk, hosted on AWS. Passwords are never stored on Blue Vellum's servers; sessions are short-lived JWTs. Two-factor auth available on every account.
Hosting
The web application is deployed on Vercel and served from Vercel's global edge network, with automatic TLS and DDoS mitigation. All connections use TLS 1.2 or higher. US-only data residency.
Database
Customer drawings, BOMs, and account data live in Supabase (managed PostgreSQL) running on AWS in the US. Encrypted at rest by default.
AI
In-product AI features run on Anthropic's Claude API. Anthropic does not train on customer data and applies limited retention.
Email
Account and product-update email is sent through Resend — to you, never to the contacts you store in the product. Account data is stored in the US.
Geocoding
Address autocomplete uses Google Maps Platform. Only the address being looked up is sent; no customer records are stored there.
Found a vulnerability? Tell us.
Email security@bluevellum.com with a description and reproduction steps. We acknowledge security reports within one business day. If we confirm a breach affecting customer data, we'll notify affected customers within 72 hours.