SECURITY · DATA HANDLING

How we secure your data

Blue Vellum runs on boring, well-understood infrastructure on purpose — a small stack of best-in-class managed services, each with its own publicly verifiable compliance certifications.

01 — Infrastructure

The subprocessor stack

Authentication

Sign-in and sessions run through Clerk, hosted on AWS. Passwords are never stored on Blue Vellum's servers; sessions are short-lived JWTs. Two-factor authentication is available on every account.

SOC 2 Type 2 · HIPAA

Hosting

The web application is deployed on Vercel and served from Vercel's global edge network, with automatic TLS and DDoS mitigation. All connections use TLS 1.2 or higher. US-only data residency.

SOC 2 Type 2 · ISO 27001

Database

Customer drawings, BOMs, and account data live in Supabase (managed PostgreSQL) running on AWS in the US. Encrypted at rest by default.

SOC 2 Type 2 · ISO 27001 · HIPAA

AI

In-product AI features run on Anthropic's Claude API. Anthropic does not train on customer data and applies limited retention.

SOC 2 Type 2 · ISO 27001 · ISO 42001

Email

Account and product-update email is sent through Resend — to you, never to the contacts you store in the product. Account data is stored in the US.

SOC 2 Type 2

Geocoding

Address autocomplete uses Google Maps Platform. Only the address being looked up is sent; no customer records are stored there.

SOC 2 Type 2 · ISO 27001

02 — Incident contact

Found a vulnerability? Tell us.

Email security@bluevellum.com with a description and reproduction steps. We acknowledge security reports within one business day. If we confirm a breach affecting customer data, we'll notify affected customers within 72 hours.