Bloom
Trust Center
Security Overview

Your clients' data is safe with Bloom

Bloom handles sensitive financial data for UK IFAs. Security isn't a feature we added — it's the foundation everything is built on.

Security Controls

Encryption Everywhere

AES-256 encryption at rest. TLS 1.3 in transit. Passwords hashed with bcrypt. Your data is encrypted whether it's moving or sitting still.

Two-Factor Authentication

TOTP-based two-factor authentication is available to every user. Mandatory MFA enforcement across all data-access endpoints is being rolled out (see roadmap below).

Role-Based Access Control

Role-based access: Owner, Adviser, Paraplanner, Admin and Customer. PostgreSQL Row-Level Security enforces tenant isolation at the database level.

Password Security

10+ character minimum with complexity requirements. When a password is changed it's screened against Have I Been Pwned's breached-credential database using k-anonymity: only the first five characters of the password's SHA-1 hash are sent, so the password itself never leaves our servers.
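How the k-anonymity screen described above works in practice, as an added example (not Bloom's code): only a five-character hash prefix leaves the server, the service answers with every suffix it knows for that prefix, and the match is made locally. The live fetcher targets the real Pwned Passwords range API; the offline fetcher and its sample response body are constructed for this example so it runs without network access (the breach counts in it are made up).

```python
"""k-anonymity screening of a candidate password against a breached-hash
corpus. Added example, not Bloom's code. It mirrors the Pwned Passwords
range API: only the first five hex characters of SHA-1(password) are sent,
the service returns every known suffix with that prefix and its breach
count, and the comparison happens locally."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

Fetcher = Callable[[str], str]  # prefix -> raw "SUFFIX:COUNT" response body


def hash_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent and the 35-char suffix that stays on the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Entries with a count of 0 are
    padding the service may add (when asked via Add-Padding) and are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, fetch: Fetcher) -> int:
    """Return how often the password appears in the corpus, 0 if never."""
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def is_acceptable(password: str, fetch: Fetcher) -> bool:
    """Policy hook: reject any password seen in at least one breach."""
    return breach_count(password, fetch) == 0


def hibp_fetch(prefix: str) -> str:
    """Live fetcher (not used by the offline demo): queries the real range API.
    Add-Padding asks the service to pad responses so their size does not hint
    at which prefix was queried. Network errors propagate so the caller can
    decide whether to fail open or closed."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-screen-example"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API. The middle entry is the genuine
# SHA-1 suffix of "password"; the breach counts and the other suffixes are
# made up for this example and do not come from the real service.
_SAMPLE_RANGES = {
    "5BAA6": (
        "1E2A0C1D7F1D3A9E0C6B2B4A8D9E7F3C2B1:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "2C6A4E8B0D1F3A5C7E9B1D3F5A7C9E1B3D5:0\r\n"
    ),
}
_SAMPLE_DEFAULT = "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"


def offline_fetch(prefix: str) -> str:
    """Returns the constructed sample for a prefix, or a generic body."""
    return _SAMPLE_RANGES.get(prefix, _SAMPLE_DEFAULT)


if __name__ == "__main__":
    for candidate in ("password", "a long unique passphrase used nowhere else"):
        print(candidate, "->", breach_count(candidate, offline_fetch), "breaches")
```

Swap `offline_fetch` for `hibp_fetch` to run the check against the live service; the policy in `is_acceptable` is deliberately strict (any breach count rejects) and can be relaxed to a threshold if the product needs it.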

Distributed Rate Limiting

Redis-backed rate limiting on authentication and sensitive endpoints, shared across all serverless instances, to throttle brute-force attempts and abuse.
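The reason the counter has to live in Redis rather than in process memory is that every serverless instance sees the same count only if they share a store. The following added example (not Bloom's code) shows the usual INCR-then-EXPIRE fixed-window pattern with two limiter instances sharing one store; the Redis client and clock are in-memory stand-ins constructed for this example, chosen so that a real `redis` client with the same method names drops in.

```python
"""Fixed-window rate limiting on a shared counter store. Added example, not
Bloom's code. The store is an in-memory stand-in reproducing the INCR /
EXPIRE / TTL semantics the limiter relies on, so the example runs offline."""
import math
from typing import Dict, Tuple


class FakeClock:
    """Controllable time source so window expiry can be exercised in a test."""
    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


class FakeRedis:
    """Minimal stand-in for a Redis client (constructed for this example)."""
    def __init__(self, clock: FakeClock) -> None:
        self.clock = clock
        self._values: Dict[str, int] = {}
        self._expiry: Dict[str, float] = {}

    def _purge(self, key: str) -> None:
        # Lazily drop a key whose TTL has elapsed, as Redis would.
        if key in self._expiry and self.clock.now >= self._expiry[key]:
            self._values.pop(key, None)
            self._expiry.pop(key, None)

    def incr(self, key: str) -> int:
        self._purge(key)
        self._values[key] = self._values.get(key, 0) + 1
        return self._values[key]

    def expire(self, key: str, seconds: int) -> None:
        self._expiry[key] = self.clock.now + seconds

    def ttl(self, key: str) -> int:
        self._purge(key)
        if key not in self._expiry:
            return -1
        return max(0, math.ceil(self._expiry[key] - self.clock.now))


class RateLimiter:
    """Allow at most `limit` hits per `window` seconds per (endpoint, identity).
    Any number of instances may share one store; they never talk to each other."""
    def __init__(self, store, limit: int, window: int) -> None:
        self.store, self.limit, self.window = store, limit, window

    def check(self, endpoint: str, identity: str) -> Tuple[bool, int, int]:
        """Returns (allowed, remaining_in_window, retry_after_seconds)."""
        key = f"rl:{endpoint}:{identity}"
        count = self.store.incr(key)
        if count == 1:
            # First hit in this window: let the key age out on its own.
            # With a real Redis, wrap INCR+EXPIRE in MULTI/EXEC or a Lua script
            # so a crash between the two cannot leave a key that never expires.
            self.store.expire(key, self.window)
        if count > self.limit:
            return False, 0, self.store.ttl(key)
        return True, self.limit - count, 0


def demo() -> list:
    """Two instances, one store: the sixth login attempt from one address is
    refused regardless of which instance handled the earlier five."""
    clock = FakeClock()
    store = FakeRedis(clock)
    inst_a = RateLimiter(store, limit=5, window=60)
    inst_b = RateLimiter(store, limit=5, window=60)
    outcomes = [inst_a.check("login", "10.0.0.1") for _ in range(3)]
    outcomes += [inst_b.check("login", "10.0.0.1") for _ in range(3)]
    return outcomes


if __name__ == "__main__":
    for allowed, remaining, retry_after in demo():
        print(f"allowed={allowed} remaining={remaining} retry_after={retry_after}s")
```

Keying on the client IP alone is the simplest choice; for authentication endpoints a second counter keyed on the target account limits distributed attempts that rotate source addresses.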

Compliance Audit Logging

Security and authentication events are recorded with timestamps, user IDs and IP addresses in an append-only log — updates and deletes are blocked at the database, so entries are tamper-resistant. Coverage is being extended to every client-record access.

Database-Level Isolation

Row-Level Security policies scope each firm's data to that firm, enforced by PostgreSQL at the database layer beneath the application.

Automatic Backups

Daily database backups with point-in-time recovery. Multi-region edge hosting with zero-downtime deployments and instant rollback capability.

Infrastructure

Every provider in our stack holds SOC 2 Type II certification.

Provider      Role
Vercel        Hosting & CDN
Supabase      Database & Auth
Upstash       Rate Limiting
Cloudflare    DNS & DDoS Protection

Certification Roadmap

Our ongoing commitment to independently verified security.

Item                                          Status        Target
Cyber Essentials                              In progress   Q3 2026
Integration secrets encrypted (AES-256-GCM)   Complete      Q2 2026
Mandatory MFA (all advisers)                  In progress   Q3 2026
CREST Penetration Test                        Planned       Q4 2026
ISO 27001 Gap Analysis                        Roadmap       2027

Data Protection

Compliance

  • UK GDPR & Data Protection Act 2018
  • Data Processing Agreement available on request
  • ICO registered data controller

Your Rights

  • Full data portability — export anytime
  • Right to erasure — complete deletion on request
  • No data sold to third parties, ever

Sub-Processors

Third parties that process data on our behalf.

Provider                    Purpose
Vercel                      Application hosting
Supabase                    Database, authentication
Upstash                     Rate limiting (Redis)
Cloudflare                  DNS, DDoS protection
Stripe                      Payment processing
Anthropic (Claude)          AI features (drafting, meeting summaries)
Speech-to-text providers    Meeting / dictation transcription

Questions about security?

We're happy to answer security questionnaires, provide our Data Processing Agreement, or walk through our controls with your compliance team.
