This page describes how we protect your data and the platform itself. Every claim below is either verifiable by inspection (encryption protocols, authentication mechanisms) or documented in a related policy (Privacy, DPA, Terms).
Infrastructure security
Encryption in transit, All connections use TLS 1.3. HTTP requests are redirected to HTTPS. No plaintext traffic reaches the application.
Encryption at rest, Data stored in PostgreSQL is encrypted at rest using AES-256. Backups are encrypted with the same standard.
Access controls, Internal access to production systems uses role-based controls with least-privilege enforcement. Access is reviewed quarterly.
Penetration testing, Annual third-party penetration tests. Findings are triaged and remediated before the next test cycle.
Deployment, Multi-region infrastructure. Application updates are deployed continuously with automated rollback on failure.
Data handling
The platform aggregates public records from government sources. We do not collect data from private databases, scrape third-party aggregators, or purchase consumer data.
Eight primary sources, 92 county assessor systems, Indiana DLGF, Indiana Sales Disclosure Forms, FEMA NFHL, USGS NHD, USDA SSURGO, US Census ACS, and Microsoft Buildings. Each source is documented on the integrations page.
Nightly refresh, Every county assessor system is re-ingested every night. Maximum data staleness is 24 hours.
Provenance tracking, Every parcel record carries its source layer, ingestion timestamp, and version hash. You can see where each data point came from.
No third-party scrapes, All property data comes directly from the government agency that published it. No aggregator intermediaries, no secondary resellers.
Authentication and sessions
JWT-based authentication, Stateless tokens issued at login, validated on every API request. Tokens expire and require re-authentication.
Password requirements, Minimum 8 characters. Password changes require the current password. Fields are cleared after a successful change.
Session expiry, The application warns users before session expiration and provides a one-click re-authentication flow. Expired sessions redirect to login with a return URL so no work is lost.
401 handling, Invalid or expired tokens are rejected immediately. The client clears the stored token and redirects to login. Parallel requests are guarded against duplicate redirects.
Compliance
SOC 2 Type II, Audit window opens Q4 2026. The platform is designed to meet the Trust Services Criteria for security, availability, and confidentiality.
GDPR and CCPA, Users can request access, correction, or deletion of personal data. Requests are fulfilled within 30 days. See the Privacy Policy.
TCPA, The platform provides data for prospecting but does not make calls or send messages on your behalf. Users are responsible for compliance with TCPA, CAN-SPAM, and state telemarketing rules when contacting property owners. See the Acceptable Use section of our Terms.
Data Processing Addendum, Available for Enterprise and institutional customers who require a formal data processing agreement. See the DPA.
Availability and reliability
Uptime target, 99.9% for all customers. Contracted SLAs with credit-back terms are available on request for brokerages and institutional accounts.
Nightly batch processing, County data ingestion runs every night. The application remains available during ingestion; new data becomes queryable after the batch completes.
Request timeouts, API requests time out after 30 seconds to prevent indefinite hangs. Downloads (large CSV exports) have a 120-second window.
Retry logic, The client automatically retries transient server errors (502, 503, 504) for read-only requests with exponential backoff. Mutations are never retried automatically.
Offline detection, The application detects network loss and displays a persistent banner until connectivity returns.
Third-party services
We use a small number of third-party services, each under a data processing agreement:
Stripe, Payment processing. Stripe handles all credit card data; we never see or store card numbers. See Stripe's privacy policy.
Cloud infrastructure provider (US-based), Application hosting and database. Data resides in US data centers.
Skip-trace providers, Owner contact lookups are processed through vetted providers. Results are cached to reduce repeated lookups. Provider details are on the integrations page.
Incident response
Breach notification, We will notify affected customers within 72 hours of confirming a data breach, in accordance with applicable law and the terms of our Data Processing Addendum.
Incident log, Security incidents are logged, investigated, and reviewed. Remediation steps are documented and verified.
Customer communication, Notifications are sent via email to the address on file. Critical incidents may also be surfaced in-app.
Responsible disclosure
If you've found a security vulnerability, we want to hear about it and will work with you to address it promptly.
What to include: description of the vulnerability, steps to reproduce, proof-of-concept if available, and your contact information.
Our commitments:
Acknowledge your report within 2 business days
Provide an initial assessment within 5 business days
Keep you informed of remediation progress
Not pursue legal action against researchers who follow this policy
Credit you publicly (with your permission) when the fix ships
In scope: bluebelmont.com and all subdomains, the web application at /app, authentication and session management, data access controls.
Out of scope: social engineering against staff, denial-of-service attacks, physical security, vulnerabilities in third-party services (Stripe, hosting), automated scanning without prior coordination.