Bloom
Trust Center
Security Overview

Your clients' data is safe with Bloom

Bloom handles sensitive financial data for UK IFAs. Security isn't a feature we added — it's the foundation everything is built on.

Security Controls

Encryption Everywhere

AES-256 encryption at rest. TLS 1.3 in transit. Passwords hashed with bcrypt. Your data is encrypted whether it's moving or sitting still.

Mandatory Two-Factor Authentication

TOTP-based 2FA is mandatory for all advisers and firm owners. Compromised passwords alone cannot grant access to client data.

Role-Based Access Control

Three-tier access: Owner, Adviser, Customer. PostgreSQL Row-Level Security enforces tenant isolation at the database level — no application code can bypass it.

Password Security

10+ character minimum with complexity requirements. Every password is checked against HaveIBeenPwned's database of breached credentials using k-anonymity.
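The k-anonymity check above works by hashing the candidate password with SHA-1 locally, sending only the first five hex characters of that hash to the range API, and comparing the remaining 35 characters against the list that comes back, so the full hash never leaves the server doing the check. The following is an added illustration of that flow and is not Bloom's code: the `HIBP_RANGE_URL` endpoint and the `Add-Padding` header are the real HaveIBeenPwned interface, while the range response, the breach count and the `evaluate_password` policy wrapper (length check plus breach check) are constructed here so the example runs offline.

```python
import hashlib
import urllib.request

# Real HIBP range endpoint; only the 5-character hash prefix is appended to it.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str):
    """Return (prefix, suffix): the 5 hex chars that are sent and the 35 that stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF, blank and padding lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in known breaches (0 if unseen).

    fetch_range(prefix) -> response body text. Injected so the lookup can be
    served from a constructed response in tests or from HIBP in production.
    """
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def evaluate_password(password: str, fetch_range, min_length: int = 10):
    """Policy wrapper (constructed for this example): length floor plus breach check."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    seen = breach_count(password, fetch_range)
    if seen:
        reasons.append(f"found in {seen} known breaches")
    return (not reasons, reasons)


def fetch_range_live(prefix: str) -> str:
    """Network fetch against HIBP; not used by the offline demo below."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={
            "Add-Padding": "true",  # HIBP pads responses so response size leaks nothing
            "User-Agent": "example-password-check/0.1",  # placeholder UA; HIBP requires one
        },
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the range response for prefix 5BAA6 (sha1("password")
# starts 5BAA6...). The other suffixes and all counts are made up for the demo.
CONSTRUCTED_RANGE_5BAA6 = "\r\n".join([
    "0000000A1B2C3D4E5F60718293A4B5C6D7E:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix of sha1("password")
    "FFFFFFF1234567890ABCDEF1234567890AB:0",         # padding-style line with count 0
])


def constructed_fetch(prefix: str) -> str:
    """Offline replacement for fetch_range_live."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple"):
        print(candidate, evaluate_password(candidate, constructed_fetch))
```

The injected `fetch_range` callable is the point of the design: the hashing and suffix comparison are testable without touching the network, and a production deployment swaps in `fetch_range_live` (and should treat a network failure as "unknown" rather than silently accepting the password).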

Distributed Rate Limiting

Redis-backed rate limiting across all serverless instances. Brute-force login attempts, API abuse, and signup spam are blocked automatically.

Compliance Audit Logging

Every client record view, edit, deletion, login, and MFA event is logged with a timestamp, user ID, and IP address. Logs are append-only and tamper-resistant.
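One common way to make an append-only audit log tamper-evident is to have every entry commit to the hash of the entry before it, so that editing or deleting a record breaks the chain at that point. The following is an added example of that technique, not Bloom's implementation (the page does not say how its logs are protected); the event records are constructed sample data with the fields the page lists (timestamp, user ID, IP address, action).

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # anchor that the first entry chains to


def _canonical(record: dict) -> bytes:
    """Deterministic serialisation so an identical record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _entry_hash(record: dict) -> str:
    return hashlib.sha256(_canonical(record)).hexdigest()


class HashChainedAuditLog:
    """Append-only log in which each entry includes the hash of its predecessor."""

    def __init__(self):
        self._entries = []

    def append(self, event: dict) -> str:
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        record = {**event, "prev_hash": prev_hash}
        entry = {"record": record, "hash": _entry_hash(record)}
        self._entries.append(entry)
        return entry["hash"]

    def entries(self):
        return self._entries

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        expected_prev = GENESIS_HASH
        for i, entry in enumerate(self._entries):
            record = entry["record"]
            if record.get("prev_hash") != expected_prev:
                return i  # predecessor changed or an entry was removed
            if _entry_hash(record) != entry["hash"]:
                return i  # this entry's content was edited in place
            expected_prev = entry["hash"]
        return -1


# Constructed sample events in the shape the page describes.
SAMPLE_EVENTS = [
    {"ts": "2026-01-15T09:02:11Z", "user_id": "adv-1042", "ip": "203.0.113.7", "action": "login"},
    {"ts": "2026-01-15T09:02:14Z", "user_id": "adv-1042", "ip": "203.0.113.7", "action": "mfa_verified"},
    {"ts": "2026-01-15T09:05:40Z", "user_id": "adv-1042", "ip": "203.0.113.7",
     "action": "client_record_view", "client_id": "cli-77"},
]


def build_sample_log() -> HashChainedAuditLog:
    log = HashChainedAuditLog()
    for event in SAMPLE_EVENTS:
        log.append(event)
    return log


def demo_edit():
    """Edit a stored IP after the fact: returns (result before, result after)."""
    log = build_sample_log()
    before = log.verify()
    log.entries()[1]["record"]["ip"] = "198.51.100.9"
    return before, log.verify()


def demo_delete():
    """Remove a middle entry: the successor's prev_hash no longer matches."""
    log = build_sample_log()
    del log.entries()[1]
    return log.verify()


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())   # -1
    print("after edit:", demo_edit())                # (-1, 1)
    print("after delete:", demo_delete())            # 1
```

The chain detects edits and deletions inside the log, but truncating the tail is invisible to `verify` on its own; that is why the latest hash should be periodically recorded somewhere the log writers cannot modify (a separate service or a signed checkpoint), which is the part that turns tamper-evidence into tamper-resistance.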

Database-Level Isolation

Row-Level Security policies mean Firm A's data is invisible to Firm B — enforced by PostgreSQL, not application code. Even a bug in our code can't leak cross-firm data.

Automatic Backups

Daily database backups with point-in-time recovery. Multi-region edge hosting with zero-downtime deployments and instant rollback capability.

Infrastructure

Every provider in our stack holds SOC 2 Type II certification.

Provider     Role
Vercel       Hosting & CDN
Supabase     Database & Auth
Upstash      Rate Limiting
Cloudflare   DNS & DDoS Protection

Certification Roadmap

Our ongoing commitment to independently verified security.

Cyber Essentials

In progress

Target: Q3 2026

Mandatory MFA (all advisers)

Complete

Target: Q2 2026

CREST Penetration Test

Planned

Target: Q4 2026

ISO 27001 Gap Analysis

Roadmap

Target: 2027

Data Protection

Compliance

  • UK GDPR & Data Protection Act 2018
  • Data Processing Agreement available on request
  • ICO registered data controller

Your Rights

  • Full data portability — export anytime
  • Right to erasure — complete deletion on request
  • No data sold to third parties, ever

Sub-Processors

Third parties that process data on our behalf.

Provider     Purpose
Vercel       Application hosting
Supabase     Database, authentication
Upstash      Rate limiting (Redis)
Cloudflare   DNS, DDoS protection
Stripe       Payment processing

Questions about security?

We're happy to answer security questionnaires, provide our Data Processing Agreement, or walk through our controls with your compliance team.
