Security

How we handle your data.

Every control listed below is in production today, not on a roadmap, not planned. Security is a requirement, not a tier we sell as an upgrade.

Controls in production

Six pillars, every account.

No enterprise-only security tier. What protects a brokerage's data is what protects a solo agent's data.

Encryption in transit and at rest

All traffic to and from Blue Belmont travels over TLS 1.3. All customer data is encrypted at rest with AES-256. Database backups use independent envelope keys rotated on a quarterly cadence.

Role-based access control

Every row returned by the API is scoped to the requesting user or team. Admin roles require hardware-backed 2FA. Brokerage owners can restrict seats to read-only, list-edit, or full-pipeline access.

Audit logging

Every authentication event, list modification, export, and admin action is logged with the actor, timestamp, source IP, and action payload. Brokerage owners can request their team's audit trail at any time.

Public-record sourcing

Every parcel field we surface is drawn from a public source: Indiana county assessors, recorders, and GIS portals. No private credit-header data, no telephone-number databases, no social-media scraping.

Key management

Production secrets live in an encrypted secret manager with programmatic-only access. Humans never see plaintext API keys or database passwords. Keys auto-rotate on documented schedules.

Incident response

We maintain a documented incident-response runbook with a defined SLA for customer notification. If customer data is ever compromised, affected users are notified within 72 hours with the scope, root cause, and remediation status.

Responsible disclosure

Found a vulnerability?

We treat security researchers as partners. Report a finding directly to james@bluebelmont.com and we'll acknowledge it inside two business days and give you a status update every five days until the issue is resolved.

We don't prosecute good-faith research, we don't gate acknowledgments behind NDAs, and we credit every reporter publicly on request.

  • Acknowledgment within 2 business days
  • Status updates every 5 days while the investigation is open
  • No prosecution of good-faith research
  • Public credit on the disclosure page when you want it
  • Swag and thank-you for critical and high findings

Security team

Request a security review

Brokerages and enterprises can request a written security review covering our controls, data flow, and incident-response posture. Usually returned inside five business days.

james@bluebelmont.com

Responsible disclosure

Report a vulnerability

Security researchers: the fastest path to acknowledgment and remediation. Every report gets a response from a human, usually the founder, and we take your time seriously.

Read the full policy →

Questions about our controls?

Security reviews, questionnaires, and compliance letters answered inside five business days.