Security
Blue is designed from the ground up for security and scale.
Last updated: April 21, 2026
Blue delivers enterprise-grade security and seamless scalability for your critical processes. Designed for high availability and trusted by 19,000+ teams in 120+ countries, Blue powers your global operations with confidence.
Our platform is built on a robust architecture that prioritizes both security and scalability from its core. We understand that as your business grows, your process management needs evolve, and Blue is designed to grow with you. Whether you’re a small team or a large enterprise, our system can handle your workload efficiently and securely.
Secure & Scalable Platform
Blue ensures the highest level of security and scalability for your process management needs. Our enterprise-grade measures protect your data and enable you to grow without limits.
We’ve implemented defense-in-depth security architecture with multiple protective layers:
API Protection
- Operation-specific rate limiting: Every API operation has its own Redis-backed limit. General operations, exports, and security-sensitive endpoints have progressively tighter caps, enforced at the per-key, per-user, and per-organization level so abuse on one account never affects another.
- Query depth limiting: GraphQL queries are capped at 10 levels of nesting, which bounds the cost of deeply nested or fragment-cycling queries; warnings are logged as queries approach the limit.
- Request size limits: 256MB for GraphQL operations and up to 4.8GB for direct file uploads, with Content-Length validated before any byte reaches object storage.
- Security headers: Helmet.js enforces HTTP security headers on every response.
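As an added example (not Blue's code), here is a depth guard of the kind the query-depth item above and the later "Query complexity analysis" item describe, written in Node.js. It counts nested selection sets, taking the operation's root selection set as level 1 (a convention assumed here), rejects a query past the cap, and calls a warning hook as it approaches the cap. The warning threshold of 8, the function names and the constructed sample query are assumptions; the hard cap of 10 is the page's.

```javascript
// Added example, not Blue's code: a depth guard for incoming GraphQL text.
// Depth = number of nested selection sets, with the root selection set as level 1.
// The scanner skips comments, string literals and argument lists, so a brace
// inside an argument object or a string literal never counts as a selection set.

const MAX_DEPTH = 10;   // hard cap from the page
const WARN_DEPTH = 8;   // warning threshold; assumed, the page gives no number

function measureDepth(query) {
  let depth = 0, maxDepth = 0, parens = 0, i = 0;
  while (i < query.length) {
    const ch = query[i];
    if (ch === '#') {                                   // comment runs to end of line
      while (i < query.length && query[i] !== '\n') i++;
      continue;
    }
    if (ch === '"') {                                   // "string" or """block string"""
      const block = query.startsWith('"""', i);
      i += block ? 3 : 1;
      while (i < query.length) {
        if (query[i] === '\\') { i += 2; continue; }    // skip escaped character
        if (block ? query.startsWith('"""', i) : query[i] === '"') break;
        i++;
      }
      i += block ? 3 : 1;
      continue;
    }
    if (ch === '(') parens++;
    else if (ch === ')') parens--;
    else if (parens === 0 && ch === '{') { depth++; if (depth > maxDepth) maxDepth = depth; }
    else if (parens === 0 && ch === '}') depth--;
    i++;
  }
  if (depth !== 0 || parens !== 0) throw new Error('malformed query: unbalanced braces or parentheses');
  return maxDepth;
}

// Returns { allowed, depth[, reason] }; `warn` receives a message near the limit.
function checkQueryDepth(query, warn = (msg) => console.warn(msg)) {
  const depth = measureDepth(query);
  if (depth > MAX_DEPTH) {
    return { allowed: false, depth, reason: `query depth ${depth} exceeds the limit of ${MAX_DEPTH}` };
  }
  if (depth >= WARN_DEPTH) warn(`query depth ${depth} is approaching the limit of ${MAX_DEPTH}`);
  return { allowed: true, depth };
}

// Constructed sample: a record -> dependencies -> dependencies ... chain of the
// kind a fragment cycle or a scripted client could grow without bound.
function nestedQuery(levels) {
  let selection = 'id';
  for (let i = 1; i < levels; i++) selection = `dependencies { ${selection} }`;
  return `query { ${selection} }`;
}
```

Measuring depth on the raw text before parsing keeps the check cheap; a production guard would more usually run on the parsed AST (where fragment spreads can be followed), but the brace-level rule is the same, and the scanner must ignore strings and argument lists or an attacker can pad a query with braces that are not selection sets.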
Data Protection
- Input sanitization: User-generated HTML is sanitized with a strict whitelist via DOMPurify, blocking script tags, inline event handlers, data: URIs, and custom protocols.
- SQL injection prevention: Parameterized queries through Prisma ORM keep user input out of the SQL text, so it cannot alter a statement's structure.
- XSS protection: Vue 3 template auto-escaping on the frontend combined with server-side sanitization on ingestion.
- File upload validation: MIME type verification, extension validation, filename sanitization, and pre-upload size guards for all uploads.
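The file-upload item above lists four checks; as an added example (not Blue's code), here they are as one pre-upload gate in Node.js: an extension allowlist, the declared Content-Type matched against the extension, the body's leading bytes matched against the signature that extension must carry, filename sanitization, and a Content-Length guard that runs before the body is read. The allowlist, the 4.8GB limit read as GiB, the function names and the constructed sample bodies are assumptions for this example.

```javascript
// Added example, not Blue's code: pre-upload validation before any byte is stored.
const MAX_UPLOAD_BYTES = Math.floor(4.8 * 1024 ** 3);   // the page's 4.8GB cap, read as GiB (assumed)

// extension -> expected MIME type and the file signature(s) that must open the body (assumed allowlist)
const ALLOWED_TYPES = {
  png:  { mime: 'image/png',       magic: [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]] },
  jpg:  { mime: 'image/jpeg',      magic: [[0xff, 0xd8, 0xff]] },
  jpeg: { mime: 'image/jpeg',      magic: [[0xff, 0xd8, 0xff]] },
  gif:  { mime: 'image/gif',       magic: [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61], [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]] },
  pdf:  { mime: 'application/pdf', magic: [[0x25, 0x50, 0x44, 0x46, 0x2d]] },
};

function sanitizeFilename(name) {
  let base = String(name).replace(/\\/g, '/');
  base = base.slice(base.lastIndexOf('/') + 1);      // drop any directory part (../../x.png -> x.png)
  base = base
    .replace(/[\x00-\x1f\x7f]/g, '')                 // strip NUL and other control characters
    .replace(/[^A-Za-z0-9._-]/g, '_')                // conservative character allowlist
    .replace(/^\.+/, '');                            // no hidden files, no "..", no bare ".png"
  if (base.length > 255) {                           // keep the extension when truncating
    const dot = base.lastIndexOf('.');
    const ext = dot > 0 ? base.slice(dot) : '';
    base = base.slice(0, 255 - ext.length) + ext;
  }
  return base || 'upload';
}

// head: the first bytes of the body (a Buffer). Returns { ok, filename, errors }.
function validateUpload({ filename, contentType, contentLength, head }) {
  const errors = [];
  const safeName = sanitizeFilename(filename);
  const dot = safeName.lastIndexOf('.');
  const ext = dot > 0 ? safeName.slice(dot + 1).toLowerCase() : '';
  const rule = ALLOWED_TYPES[ext];
  if (!rule) errors.push(`extension ".${ext}" is not allowed`);

  // Content-Length is checked before the body is read; missing, non-numeric or zero is rejected
  const size = /^\d+$/.test(String(contentLength)) ? Number(contentLength) : NaN;
  if (!(size > 0)) errors.push('missing or invalid Content-Length');
  else if (size > MAX_UPLOAD_BYTES) errors.push(`size ${size} exceeds ${MAX_UPLOAD_BYTES} bytes`);

  const declared = String(contentType || '').split(';')[0].trim().toLowerCase();
  if (rule && declared !== rule.mime) errors.push(`Content-Type "${declared}" does not match .${ext}`);

  // Sniff the leading bytes: the body must start with a signature that belongs to the extension
  const bytes = Buffer.from(head || []);
  if (rule && !rule.magic.some((sig) => sig.every((b, i) => bytes[i] === b))) {
    errors.push(`file signature does not match .${ext}`);
  }
  return { ok: errors.length === 0, filename: safeName, errors };
}

// Constructed sample heads (first bytes of a body), not real uploads
const PNG_HEAD = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]);
const PHP_HEAD = Buffer.from('<?php system($_GET["c"]); ?>');
```

The signature check is what catches a "shell.php" renamed to "shell.png" and uploaded with a forged Content-Type, since the first two checks only look at what the client claims; the Content-Length guard also rejects requests that omit the header, because a streaming upload with no declared length cannot be size-checked up front.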
Enterprise-Level Encryption
Blue encrypts sensitive data with AES-256-GCM, an authenticated encryption mode that protects both the confidentiality and the integrity of what it stores.
We use AES-256 in Galois/Counter Mode (GCM) with keys derived by PBKDF2 at 100,000 iterations. Because GCM is authenticated, decryption fails if the ciphertext, its authentication tag, or any associated data has been altered. Each encryption operation uses a fresh random salt and initialization vector (IV), so the same plaintext never produces the same ciphertext twice and a key/IV pair is never reused, which is the condition GCM's security depends on.
All data transmitted between your devices and our servers is encrypted using TLS 1.2 or higher, with WebSocket connections automatically upgrading to WSS (WebSocket Secure) for real-time features. Public TLS certificates are issued by Let’s Encrypt via Caddy and rotated automatically. Internal database traffic between application and MySQL servers is also encrypted with TLS 1.2+ using dedicated 4096-bit RSA certificates managed through Ansible.
Advanced Protection Systems
Blue employs multiple layers of automated protection to ensure platform security and reliability.
Real-Time Protection
- Redis-backed distributed rate limiting: Distributed across all servers with per-key, per-user, and per-organization dimensions so abuse from one account can’t affect another.
- Automated threat detection: Failed authentication attempts and suspicious patterns trigger automatic protective measures.
- Query complexity analysis: Deep GraphQL queries are limited to 10 levels with logging for queries approaching limits.
- Feature-flag enforcement: Custom role permissions are enforced on both read and write paths server-side, so role-bypass attempts fail even with direct API access.
- Plan-limit enforcement: Structured quota errors on every mutation that affects billable resources (workspaces, automations, file size, custom fields, etc.), with locked-organization bypass prevention.
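The Redis-backed rate limiting item above and the "Operation-specific rate limiting" item under API Protection describe the same mechanism; as an added example (not Blue's code), here is that mechanism in Node.js: one counter per operation on each of three dimensions (API key, user, organization), with caps that tighten from general operations to exports to security-sensitive endpoints, so exhausting one key's budget leaves other keys and other operations untouched. An in-memory Map with INCR + EXPIRE semantics stands in for Redis so the example runs offline; the limits, the one-minute window, the classification regexes and the function names are assumptions.

```javascript
// Added example, not Blue's code: per-operation, multi-dimension rate limiting.

// Stand-in for Redis: mirrors "INCR key" plus "EXPIRE key window" on the first hit.
class CounterStore {
  constructor(now = () => Date.now()) { this.now = now; this.counters = new Map(); }
  incr(key, windowMs) {
    const t = this.now();
    const entry = this.counters.get(key);
    if (!entry || entry.expiresAt <= t) {            // new window (or expired one): reset
      this.counters.set(key, { count: 1, expiresAt: t + windowMs });
      return 1;
    }
    return ++entry.count;
  }
  ttlMs(key) {
    const entry = this.counters.get(key);
    return entry ? Math.max(0, entry.expiresAt - this.now()) : 0;
  }
}

// Assumed caps: tighter for exports, tightest for security-sensitive endpoints.
const LIMITS = {
  general:  { windowMs: 60000, perKey: 600, perUser: 1200, perOrg: 6000 },
  export:   { windowMs: 60000, perKey: 10,  perUser: 20,   perOrg: 100 },
  security: { windowMs: 60000, perKey: 5,   perUser: 5,    perOrg: 50 },
};

function classify(operation) {
  if (/^(signIn|login|requestSecurityCode|verifySecurityCode|resetPassword|createPersonalAccessToken)$/i.test(operation)) return 'security';
  if (/export/i.test(operation)) return 'export';
  return 'general';
}

// Counts the call on every dimension that applies; the first exceeded cap denies it.
function checkRateLimit(store, { operation, apiKey, userId, orgId }) {
  const cls = classify(operation);
  const lim = LIMITS[cls];
  const dimensions = [['key', apiKey, lim.perKey], ['user', userId, lim.perUser], ['org', orgId, lim.perOrg]];
  for (const [dim, id, cap] of dimensions) {
    if (!id) continue;                                  // e.g. an unauthenticated call has no user yet
    const key = `rl:${operation}:${dim}:${id}`;        // one counter per operation and dimension
    const count = store.incr(key, lim.windowMs);
    if (count > cap) {
      return { allowed: false, class: cls, dimension: dim, count, cap, retryAfterMs: store.ttlMs(key) };
    }
  }
  return { allowed: true, class: cls };
}
```

Against real Redis the INCR and EXPIRE would run in one MULTI block or a small Lua script so that a crash between the two cannot leave a counter without an expiry; the per-dimension order matters too, since checking the key first means a single abusive key is stopped before it ever counts against its organization's shared budget.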
Infrastructure Security
- SSH hardening: Public-key authentication only, limited login attempts, and fail2ban for brute-force mitigation on every server.
- Host firewall: UFW restricts access to the minimum ports required for application and internal service traffic.
- Secrets management: Infrastructure secrets are stored in Ansible Vault; application secrets are injected at deploy time rather than committed to source control.
- Environment-based security: Separate configurations and credentials for development, staging, and production environments.
- Key rotation support: Separate secrets for access and refresh tokens enable independent key rotation.
- High-availability database: A replicated MySQL pair (primary + replica) with automatic failover via Replication Manager keeps writes flowing if a node fails.
Multi-Layer Authentication & Authorization
Blue implements a sophisticated authentication system with multiple layers of protection.
Authentication Methods
- Dual-token JWT system: Short-lived access tokens (15 minutes) paired with longer refresh tokens (60 days) minimize exposure windows.
- Personal Access Tokens (PAT): For API integrations, hashed with bcrypt before storage and validated on each request.
- Firebase Authentication: User passwords are managed by Google Firebase Authentication — Blue never sees, stores, or hashes plaintext passwords.
- Email-based security codes: Time-limited codes for sensitive operations, indexed by email, category, and expiry, and invalidated immediately after use.
Fine-Grained Authorization
Our GraphQL API uses Shield middleware to enforce permissions at the field level. We implement role-based access control (RBAC) with six distinct permission levels: Owner, Admin, Member, Client, View Only, and Comment Only. These permissions are context-aware, checking both organization-level and workspace-level access for every operation.
Beyond standard roles, Blue supports custom user roles that enable even more granular access controls. Organizations can create tailored roles with specific permissions like canCreateRecords, canEditRecords, canDeleteRecords, and canViewAnalytics, allowing precise control over what each team member can do. Custom roles can be applied at both organization and workspace levels, enabling different permission sets across different workspaces. Special rules handle archived workspaces and inactive organizations to ensure data remains protected even in edge cases.
On top of record-level roles, Blue enforces field-level permissions: custom roles can restrict viewing and editing of specific field types — for example, preventing client-tier users from modifying assignees, tags, due dates, or record dependencies. These checks run on every read and write path server-side through GraphQL Shield, regardless of the client making the request.
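As an added example (not Blue's code and not GraphQL Shield itself), here is a permission check in Node.js of the shape the three paragraphs above describe: membership is checked against the organization, an inactive organization is refused outright, the caller's workspace-level role overrides the organization-level one, a built-in or custom role supplies capability flags, an archived workspace is read-only, and edits are filtered through field-level restrictions (a client-tier role may change a title but not assignees, tags, due date or dependencies). The capability matrix for the six built-in roles, the `canComment` flag, the `restrictedFields` list, the context shape and the function names are assumptions; the page names the roles and four of the flags but not the full matrix.

```javascript
// Added example, not Blue's code: role resolution plus field-level checks, server-side.

// Assumed capability matrix for the page's six built-in roles.
const BUILTIN_ROLES = {
  'Owner':        { canCreateRecords: true,  canEditRecords: true,  canDeleteRecords: true,  canViewAnalytics: true,  canComment: true,  restrictedFields: [] },
  'Admin':        { canCreateRecords: true,  canEditRecords: true,  canDeleteRecords: true,  canViewAnalytics: true,  canComment: true,  restrictedFields: [] },
  'Member':       { canCreateRecords: true,  canEditRecords: true,  canDeleteRecords: false, canViewAnalytics: false, canComment: true,  restrictedFields: [] },
  'Client':       { canCreateRecords: false, canEditRecords: true,  canDeleteRecords: false, canViewAnalytics: false, canComment: true,
                    restrictedFields: ['assignees', 'tags', 'dueDate', 'dependencies'] },
  'View Only':    { canCreateRecords: false, canEditRecords: false, canDeleteRecords: false, canViewAnalytics: false, canComment: false, restrictedFields: [] },
  'Comment Only': { canCreateRecords: false, canEditRecords: false, canDeleteRecords: false, canViewAnalytics: false, canComment: true,  restrictedFields: [] },
};

const ACTION_FLAG = { create: 'canCreateRecords', edit: 'canEditRecords', delete: 'canDeleteRecords', comment: 'canComment', viewAnalytics: 'canViewAnalytics' };
const MUTATIONS = new Set(['create', 'edit', 'delete', 'comment']);

// A workspace-level assignment overrides the organization-level role.
function effectiveRole(membership, workspaceId) {
  return (membership.workspaceRoles && membership.workspaceRoles[workspaceId]) || membership.orgRole;
}

// ctx: { membership: { orgId, orgRole, workspaceRoles? }, org: { id, active, customRoles? }, workspace: { id, orgId, archived } }
function authorize(ctx, action, changedFields = []) {
  const { membership, org, workspace } = ctx;
  const deny = (reason) => ({ allowed: false, reason });
  if (!membership || membership.orgId !== org.id) return deny('not a member of this organization');
  if (workspace.orgId !== org.id) return deny('workspace does not belong to this organization');
  if (!org.active) return deny('organization is inactive');
  const roleName = effectiveRole(membership, workspace.id);
  const caps = (org.customRoles && org.customRoles[roleName]) || BUILTIN_ROLES[roleName];
  if (!caps) return deny(`unknown role "${roleName}"`);
  if (action === 'read') return { allowed: true, role: roleName };
  const flag = ACTION_FLAG[action];
  if (!flag) return deny(`unknown action "${action}"`);
  if (MUTATIONS.has(action) && workspace.archived) return deny('workspace is archived and read-only');
  if (!caps[flag]) return deny(`role "${roleName}" lacks ${flag}`);
  if (action === 'edit') {
    const blocked = changedFields.filter((f) => (caps.restrictedFields || []).includes(f));
    if (blocked.length) return deny(`role "${roleName}" may not edit ${blocked.join(', ')}`);
  }
  return { allowed: true, role: roleName };
}
```

The order of the checks is deliberate: membership and organization state are decided before any role is consulted, so a former member or a suspended organization never reaches the capability table, and the field filter runs on the set of fields the mutation actually changes rather than on the operation name, which is what makes a direct API call carrying a forbidden field fail the same way the UI would.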
Continuous Security Monitoring
Blue implements comprehensive monitoring to maintain security integrity.
Our systems include real-time monitoring for security events, failed authentication attempts, and unusual access patterns. Rate limiting automatically prevents brute force attacks, while query depth limiting protects against resource exhaustion. All security-relevant events are logged with detailed audit trails, enabling rapid investigation of any suspicious activity.
Data Residency & EU Hosting
All Blue infrastructure — application servers, primary and replica databases, and backups — runs in Hetzner’s Germany (FSN1) data center. This gives every Blue customer EU data residency by default:
- GDPR-aligned by design: Personal data processed through Blue never leaves the European Union, supporting GDPR, UK GDPR, and Australian Privacy Act requirements without additional cross-border transfer safeguards.
- Sovereign processing: No reliance on US cloud hyperscalers for primary workloads, reducing exposure to non-EU jurisdictional data requests.
- Low-latency replication: Replica databases sit in the same region as the primary, keeping failover fast and cross-node latency minimal.
Customers requiring additional compliance coverage can self-sign a Data Processing Agreement (DPA) and, for regulated industries, the applicable Business Associate Agreement (BAA), Health Data Addendum, or sector-specific addendum directly in their organization settings.
Daily Data Backups
Your data is backed up daily to ensure data integrity and enable quick disaster recovery if needed.
Our layered backup strategy minimizes data loss and speeds up recovery:
- Daily incremental backups (Monday–Saturday) capture every day’s changes.
- Weekly full backups (Sunday) provide a clean recovery baseline.
- Hourly binary log sync streams transaction logs offsite, keeping our recovery point objective at 1 hour or better.
- Retention: 30 days of daily backups and 12 weeks of full backups (3 months total).
- Offsite encrypted storage: All backups are compressed and encrypted before streaming to Backblaze B2.
- Recovery targets: 10–20 minutes for local restores; 1–2 hours for full restores from offsite storage.
Additionally, our platform implements comprehensive session security:
Session Management
- Secure cookies: All session cookies carry the httpOnly (no JavaScript access), secure (sent over HTTPS only), and sameSite=strict (CSRF mitigation) attributes.
- Token rotation: Refresh tokens are rotated on every sign-in, so a previously issued refresh token can no longer be replayed.
- Domain isolation: Multi-tenant security through domain-specific cookie settings.
- Automatic expiration: Sessions expire after defined periods with secure cleanup of authentication artifacts.
Technical Security Implementation
Blue’s security is built into every layer of our application architecture.
Frontend Security
- No local storage of auth tokens: Authentication tokens are managed entirely by the Firebase SDK and are never written to localStorage. Only non-sensitive UI state (theme, organization context, login hint) persists locally.
- Automatic token refresh: Tokens are refreshed seamlessly before expiration, with a shared refresh promise to prevent thundering-herd calls after periods of inactivity.
- Route guards: Every authenticated route validates session, organization membership, workspace access, and module-level permissions before rendering.
- Form validation: HTML5 validation (email, phone, required, pattern) combined with dedicated client-side validators (for example, libphonenumber-js for international phone numbers) catches errors before they reach the server.
Backend Security Architecture
- GraphQL Shield: Every API operation is protected by specific permission rules.
- Prisma ORM: Type-safe, parameterized queries keep user input out of the SQL text, so it cannot change a statement's structure.
- Redis-backed systems: Rate limiting, session management, and job queues use Redis for performance and reliability.
- Audit logging: Security-sensitive operations are logged for compliance and debugging.
Password & Token Security
- Firebase-managed passwords: User passwords are handled by Google Firebase Authentication and are never stored in Blue’s own systems.
- BCrypt-hashed tokens: Personal Access Tokens are hashed with bcrypt using appropriate work factors before storage.
- Secure comparison: Tokens and codes are compared with constant-time functions, so an attacker cannot learn a secret byte by byte from response timing.
- One-time codes: Email-based security codes are invalidated immediately after use.