How we protect your data

Encryption

All traffic between your browser and Blumify is encrypted in transit with TLS 1.2 or higher. Data at rest in our database and file storage is encrypted with AES-256.

Authentication

Authentication is handled by Clerk (SOC 2 Type II certified). Passwords are never stored by Blumify. Social sign-in (Google) is supported. Session tokens are signed JWTs rotated on sign-in and sign-out.

Data residency

Application data is stored in Supabase (PostgreSQL) in AWS us-east-1 by default. Enterprise customers can request EU residency on onboarding. Lead discovery uses the Google Maps API; all external calls happen server-side.

Subprocessors

We use a small list of vetted subprocessors, each with their own compliance programmes: Supabase (database, file storage); Clerk (authentication); Stripe (payments — we never see card numbers); Google Cloud (Maps, PageSpeed); Hunter.io (email discovery); Inngest (background jobs); OpenRouter (AI inference); Vercel (hosting).

Access controls

Workspace data is strictly tenant-isolated at the database level — every lead, campaign, and export is scoped to a workspace ID and cross-workspace reads are blocked by Row-Level Security. Only named engineers have production database access, logged and audited.

Compliance & reporting

We process personal data in line with GDPR and Australian Privacy Principles. To report a vulnerability, responsible-disclosure concern, or data-subject request, email security@blumify.io (forwarded via Stipple AI Pty Ltd). We acknowledge reports within two business days.