Blue is designed from the ground up for security and scale.


Last updated: July 16, 2025

Blue delivers enterprise-grade security and seamless scalability for your critical processes. Designed for high availability and trusted by 15,000+ teams in 120+ countries, Blue powers your global operations with confidence.

Our platform is built on a robust architecture that prioritizes both security and scalability from its core. We understand that as your business grows, your project management needs evolve, and Blue is designed to grow with you. Whether you're a small team or a large enterprise, our system can handle your workload efficiently and securely.

Secure & Scalable Platform

Blue ensures the highest level of security and scalability for your project management needs. Our enterprise-grade measures protect your data and enable you to grow without limits.

We've implemented defense-in-depth security architecture with multiple protective layers:

API Protection

  • Intelligent rate limiting: Operation-specific limits prevent abuse while maintaining usability (e.g., 5 requests/60s for general operations, 1 request/50s for exports)
  • Query depth limiting: Maximum 10 levels deep to prevent circular GraphQL query attacks
  • Request size limits: 256MB for GraphQL operations, with larger limits for direct file uploads
  • Security headers: Helmet.js integration provides X-Frame-Options, X-Content-Type-Options, and other protective headers
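An added example, not Blue's own code, of the kind of selection-set depth check the 10-level limit above describes. It assumes depth is the nesting of selection-set braces with the operation's root selection set at level 1, that braces inside parentheses (arguments, variable defaults, directives) are input objects rather than selections, and that string literals and comments are skipped:

```javascript
// Added example (not Blue's code): GraphQL selection-set depth limiting.
// Assumption: depth = nesting of selection-set braces, root selection set = 1;
// braces inside parentheses are input objects and are not counted.
const MAX_DEPTH = 10;

function queryDepth(query) {
  let depth = 0, maxDepth = 0, parens = 0;
  for (let i = 0; i < query.length; i++) {
    const c = query[i];
    if (c === '"') {                          // skip string / block-string literal
      const block = query.startsWith('"""', i);
      const close = block ? '"""' : '"';
      let j = i + close.length;
      while (j < query.length) {
        if (!block && query[j] === '\\') { j += 2; continue; }
        if (query.startsWith(close, j)) break;
        j++;
      }
      i = j + close.length - 1;
    } else if (c === '#') {                   // comment runs to end of line
      while (i < query.length && query[i] !== '\n') i++;
    } else if (c === '(') parens++;
    else if (c === ')') parens--;
    else if (parens === 0 && c === '{') { depth++; if (depth > maxDepth) maxDepth = depth; }
    else if (parens === 0 && c === '}') depth--;
  }
  return maxDepth;
}

// Mirrors the policy on the page: reject queries beyond the limit and flag
// queries approaching it so they can be logged.
function checkDepth(query, limit = MAX_DEPTH) {
  const depth = queryDepth(query);
  return { depth, allowed: depth <= limit, nearLimit: depth > limit - 2 && depth <= limit };
}

// Constructed sample input: a query nested `levels` selection sets deep,
// with an input-object default value that must not be counted.
function nestedQuery(levels) {
  let q = 'x';
  for (let n = 0; n < levels; n++) q = `{ ${q} }`;
  return `query Deep($f: F = {id: 1}) ${q}`;
}
```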

Data Protection

  • Input sanitization: All user-generated HTML content is sanitized using a whitelist approach
  • SQL injection prevention: Parameterized queries through Prisma ORM eliminate SQL injection risks
  • XSS protection: Both server-side sanitization and Vue.js template escaping prevent cross-site scripting
  • File upload validation: MIME type verification, extension validation, and filename sanitization for all uploads

Enterprise-Level Encryption

Blue implements military-grade AES-256-GCM authenticated encryption to protect your sensitive data.

We use AES-256 encryption in Galois/Counter Mode (GCM) with PBKDF2 key derivation using 100,000 iterations. This authenticated encryption not only protects your data but also ensures it hasn't been tampered with. Each encryption operation uses a unique salt and initialization vector (IV), making every piece of encrypted data cryptographically unique. All data transmitted between your devices and our servers is encrypted using TLS 1.2 or higher, with WebSocket connections automatically upgrading to WSS (WebSocket Secure) for real-time features.

Advanced Protection Systems

Blue employs multiple layers of automated protection to ensure platform security and reliability.

Real-Time Protection

  • Rate limiting by operation: Different API operations have tailored rate limits (5 req/60s for general ops, 1 req/50s for exports, 3 req/60s for security-sensitive operations)
  • Automated threat detection: Failed authentication attempts and suspicious patterns trigger automatic protective measures
  • Query complexity analysis: Deep GraphQL queries are limited to 10 levels with logging for queries approaching limits
  • CORS and CSRF protection: Cross-origin requests validated with proper credentials and SameSite cookie attributes

Infrastructure Security

  • Redis-backed rate limiting: Distributed rate limiting across all servers ensures consistent protection
  • Secure file handling: File uploads validated for MIME types, extensions, and size limits (256MB GraphQL, 4.8GB direct)
  • Environment-based security: Different security configurations for development, staging, and production environments
  • Key rotation support: Separate secrets for access and refresh tokens enable independent key rotation

Multi-Layer Authentication & Authorization

Blue implements a sophisticated authentication system with multiple layers of protection.

Authentication Methods

  • Dual-token JWT system: Short-lived access tokens (15 minutes) paired with longer refresh tokens (60 days) minimize exposure windows
  • Personal Access Tokens (PAT): For API integrations, hashed with bcrypt before storage and validated on each request
  • Firebase Authentication: Seamless integration for web and mobile apps with automatic token management
  • Email-based security codes: Time-limited codes for sensitive operations with automatic cleanup after use

Fine-Grained Authorization

Our GraphQL API uses Shield middleware to enforce permissions at the field level. We implement role-based access control (RBAC) with six distinct permission levels: Owner, Admin, Member, Client, View Only, and Comment Only. These permissions are context-aware, checking both company-level and project-level access for every operation.

Beyond standard roles, Blue supports custom user roles that enable even more granular access controls. Organizations can create tailored roles with specific permissions like canCreateRecords, canEditRecords, canDeleteRecords, and canViewAnalytics, allowing precise control over what each team member can do. Custom roles can be applied at both company and project levels, enabling different permission sets across different projects. Special rules handle archived projects and inactive companies to ensure data remains protected even in edge cases.

Continuous Security Monitoring

Blue implements comprehensive monitoring to maintain security integrity.

Our systems include real-time monitoring for security events, failed authentication attempts, and unusual access patterns. Rate limiting automatically prevents brute force attacks, while query depth limiting protects against resource exhaustion. All security-relevant events are logged with detailed audit trails, enabling rapid investigation of any suspicious activity.

Daily Data Backups

Your data is backed up daily to ensure data integrity and enable quick disaster recovery if needed.

We perform automated daily backups of all customer data, storing these backups in secure, geographically diverse locations. Additionally, our platform implements comprehensive session security:

Session Management

  • Secure cookies: All session cookies use httpOnly (preventing JavaScript access), secure (HTTPS-only), and sameSite='strict' (CSRF protection) flags
  • Token rotation: Refresh tokens are automatically rotated on sign-in to prevent token replay attacks
  • Domain isolation: Multi-tenant security through domain-specific cookie settings
  • Automatic expiration: Sessions expire after defined periods with secure cleanup of authentication artifacts

Technical Security Implementation

Blue's security is built into every layer of our application architecture.

Frontend Security

  • No local storage of tokens: Authentication tokens are managed by Firebase SDK, never stored in localStorage
  • Automatic token refresh: Tokens are refreshed seamlessly before expiration
  • Route guards: Every page validates user permissions before rendering
  • Form validation: Comprehensive client-side validation with VeeValidate before server submission

Backend Security Architecture

  • GraphQL Shield: Every API operation is protected by specific permission rules
  • Prisma ORM: Type-safe database queries prevent injection attacks
  • Redis-backed systems: Rate limiting and session management use Redis for performance and reliability
  • Audit logging: Security-sensitive operations are logged for compliance and debugging

Password & Token Security

  • BCrypt hashing: All passwords and personal access tokens use bcrypt with appropriate work factors
  • No plaintext storage: Sensitive data is never stored in readable format
  • Secure comparison: Timing-safe comparison functions prevent timing attacks
  • One-time codes: Security codes are invalidated immediately after use
