Security & Compliance
Trust, traceability, and data protection built for regulated industries.
Last updated: April 20, 2026
Bluite handles some of the most sensitive data inside a commercial organization: every sales rep's compensation, every pay period, every plan rule. We built Bluite's security posture to match the expectations of our clients in the pharmaceutical and medical device industries — where audit readiness, traceability, and data governance are not optional.
1. Identity and access
1.1 Single Sign-On (SSO)
Bluite supports enterprise SSO via standards-based protocols (SAML 2.0 and OpenID Connect / OAuth 2.0). We integrate with the identity providers our clients already use, including Microsoft Entra ID (Azure AD), Google Workspace, Okta, and other major SAML-compatible IdPs.
1.2 Role-based access control
Every user in Bluite is assigned a role with the minimum permissions required for their function — rep, manager, commission administrator, finance, or auditor. Administrative actions on commission rules and payout approvals are gated by role and logged.
1.3 Multi-factor authentication
For clients not using SSO, Bluite enforces multi-factor authentication (MFA) for administrator accounts. MFA for end users is available and recommended.
2. Data protection
2.1 Encryption in transit
All traffic to and from Bluite is encrypted using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS. HSTS is enabled on our production domains.
2.2 Encryption at rest
Customer data, including commission calculations, sales records, and employee metadata, is encrypted at rest using industry-standard AES-256 encryption via our managed cloud database infrastructure.
2.3 Secrets management
API credentials, database passwords, and integration tokens are stored in managed secret vaults — never in source control or plain-text configuration files.
3. Operational controls and provider posture
3.1 SOC 2 posture
Bluite is an early-stage company and is not yet SOC 2 certified as a company. Our product, however, is built on an infrastructure stack of providers that maintain active SOC 2 Type II (or equivalent) certifications — including Supabase (managed Postgres and auth), Auth0 (identity), Railway (application hosting), and Vercel (edge delivery / CDN). Those provider attestations cover the layers the providers operate (hosting, database, identity, delivery), not the Bluite application itself; for the application layer, Bluite applies its own operational practices on top: role-based access, audit logging, encrypted secrets, and change-management workflows. Clients with specific certification requirements or a compliance roadmap question can reach out at carlos@bluite.co.
3.2 Audit trail
Every calculation, rule change, approval, and payout action is logged with the actor, timestamp, and context. This produces an immutable, end-to-end audit trail — a critical requirement for finance, internal audit, and regulatory review.
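One way to implement the role gating and logging described in 1.2 together with the audit trail described here in 3.2, as an added TypeScript example (not Bluite's own code; the page does not show its internals). The role names, the permission matrix, the action names, the constructed scenario and the SHA-256 hash chain that makes the log tamper-evident are all assumptions for illustration; the page states only that administrative actions are gated by role and logged with actor, timestamp and context.

```typescript
// Added example, not Bluite's code: a role gate for administrative actions that
// records every attempt (allowed or denied) in an append-only, hash-chained audit
// log. Role names, action names, the permission matrix and the SHA-256 chaining
// are illustrative assumptions; the page states only that such actions are gated
// by role and logged with actor, timestamp and context.
import { createHash } from "crypto";

type Role = "rep" | "manager" | "commission_admin" | "finance" | "auditor";

interface User { id: string; role: Role }

interface AuditEntry {
  seq: number;                        // 1-based position in the chain
  actor: string;                      // who acted
  role: Role;                         // role they held at the time
  action: string;                     // what was attempted
  context: Record<string, unknown>;   // object acted on, amounts, etc.
  outcome: "allowed" | "denied";
  timestamp: string;                  // ISO 8601
  prevHash: string;                   // hash of the previous entry (or all zeros)
  hash: string;                       // SHA-256 over every field above
}

// Assumed permission matrix: which roles may perform each administrative action.
const PERMISSIONS: Record<string, ReadonlySet<Role>> = {
  "payout.approve": new Set<Role>(["finance"]),
  "rule.update": new Set<Role>(["commission_admin"]),
  "audit.read": new Set<Role>(["auditor", "finance"]),
};

// Deterministic JSON with recursively sorted keys, so the digest does not depend
// on property insertion order.
function canonical(v: unknown): string {
  if (v === null || typeof v !== "object") return JSON.stringify(v);
  if (Array.isArray(v)) return "[" + v.map(canonical).join(",") + "]";
  const o = v as Record<string, unknown>;
  return "{" + Object.keys(o).sort()
    .map((k) => JSON.stringify(k) + ":" + canonical(o[k])).join(",") + "}";
}

function digest(x: object): string {
  return createHash("sha256").update(canonical(x)).digest("hex");
}

const GENESIS = "0".repeat(64);

class AuditLog {
  private entries: AuditEntry[] = [];

  // Append-only: the new entry's hash covers its own fields and the previous
  // hash, so editing, deleting or reordering any earlier entry breaks the chain.
  append(e: Omit<AuditEntry, "seq" | "prevHash" | "hash">): AuditEntry {
    const last = this.entries[this.entries.length - 1];
    const prevHash = last ? last.hash : GENESIS;
    const seq = this.entries.length + 1;
    const body = { ...e, seq, prevHash };
    const entry: AuditEntry = { ...body, hash: digest(body) };
    this.entries.push(entry);
    return entry;
  }

  all(): AuditEntry[] { return this.entries; }

  // Recompute the chain from the genesis value; false on any inconsistency.
  verify(): boolean {
    let prevHash = GENESIS;
    for (let i = 0; i < this.entries.length; i++) {
      const { hash, ...body } = this.entries[i];
      if (body.seq !== i + 1 || body.prevHash !== prevHash) return false;
      if (digest(body) !== hash) return false;
      prevHash = hash;
    }
    return true;
  }
}

// Gate an action by role and log the attempt either way. Denied attempts are
// logged too: a denied payout approval is audit-relevant, not just noise.
function authorize(
  log: AuditLog, user: User, action: string, context: Record<string, unknown>,
  now: () => string = () => new Date().toISOString(),
): boolean {
  const allowed = PERMISSIONS[action]?.has(user.role) ?? false;
  log.append({ actor: user.id, role: user.role, action, context,
               outcome: allowed ? "allowed" : "denied", timestamp: now() });
  return allowed;
}

// Constructed scenario: a finance user and a rep both try to approve a payout,
// then an insider edits the denied entry to read "allowed".
function demo() {
  const log = new AuditLog();
  const finance: User = { id: "u-finance-1", role: "finance" };
  const rep: User = { id: "u-rep-7", role: "rep" };
  const ctx = { payoutId: "p-2026-04", amount: 12500 };
  const financeAllowed = authorize(log, finance, "payout.approve", ctx);
  const repAllowed = authorize(log, rep, "payout.approve", ctx);
  const intactBefore = log.verify();
  log.all()[1].outcome = "allowed";          // tampering with a stored entry
  const tamperDetected = !log.verify();
  return { financeAllowed, repAllowed, intactBefore, tamperDetected, entries: log.all().length };
}
```

The chain only makes tampering detectable, not impossible: whoever can rewrite the whole log can recompute every hash. In practice the periodic head hash is anchored somewhere the application cannot write (a write-once store or a separate auditor-controlled system) so that a rewritten chain no longer matches the anchored value.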
3.3 Backups and disaster recovery
We perform automated daily backups of all customer data with point-in-time recovery available. Backups are retained for 30 days by default, with longer retention available under custom SLA. Restoration procedures are documented and tested.
3.4 Availability and SLA
Bluite offers availability SLAs tailored to each engagement. Typical commitments include 99.9% monthly uptime and defined response times for severity-1 incidents. Full SLA terms are provided as part of the Master Services Agreement.
3.5 Vulnerability management
Bluite applies security patches on managed infrastructure within vendor-recommended windows and runs dependency scanning in our CI pipeline. Critical vulnerabilities are remediated on an accelerated schedule.
4. Privacy and data governance
Bluite processes Customer Data as a data processor on behalf of our clients. We do not use Customer Data to train machine learning models, we do not sell it, and we do not share it with third parties except as required to operate the Service (for example, managed cloud infrastructure and email delivery). See our Privacy Policy for full detail.
4.1 Data residency
Production data is hosted in geographic regions selected to align with our clients' data residency expectations. Clients with specific residency requirements should raise this during procurement.
4.2 Subprocessors
We maintain a list of subprocessors used to deliver the Service (cloud hosting, email, analytics, support tooling). The current list is available on request and is updated when material changes occur.
5. Incident response
Bluite maintains a documented incident response process. In the event of a confirmed security incident affecting Customer Data, we will notify affected clients without undue delay in accordance with applicable law and our data processing agreements, and will provide information on scope, root cause, and remediation.
6. Reporting a security concern
If you believe you have found a security vulnerability in Bluite, please email carlos@bluite.co. We appreciate responsible disclosure and will acknowledge receipt of reports within two business days.
7. Frequently asked questions
Is Bluite SOC 2 certified?
Not yet as a company. Our infrastructure providers (Supabase, Auth0, Railway, Vercel) maintain active SOC 2 Type II (or equivalent) certifications, and we build on top of those controls. A Bluite-level SOC 2 attestation is planned as we scale. Clients with certification-timing questions can contact us at carlos@bluite.co.
Does Bluite support a custom Data Processing Agreement (DPA)?
Yes. We execute DPAs aligned with GDPR and Colombian data-protection law (Ley 1581 de 2012) as part of enterprise engagements.
Can I get a security questionnaire response?
Yes. We routinely respond to vendor security questionnaires (SIG, CAIQ, bespoke). Send the questionnaire to carlos@bluite.co.