Security

Last updated: 9 June 2026

Your compliance records are the product. Five years of logbooks, lab results and certificates that an auditor may one day ask for — losing or leaking them isn't an option. This page explains how we protect them, in plain terms, including what we don't claim.

Where your data lives

BlueWave runs on managed cloud infrastructure from a major provider. We aim to keep customer data in the UK and EEA; hosting details and regions will be published alongside our sub-processor list, which is being finalised and will be linked from here.

⚠ For review: Provider and region are named once the sub-processor list is confirmed (US-016 / open Q2) — until then this section stays deliberately generic rather than half-right.

Encryption

All traffic between you and BlueWave is encrypted in transit (TLS, with HSTS enforced). At rest, data sits on managed storage that is encrypted by default.

Tenant isolation

Every record in BlueWave belongs to exactly one business, and every query the platform runs is scoped to that business at the data layer. Isolation isn't a per-feature setting someone can forget to apply — it's the default shape of the platform. One customer's engineers, jobs and lab results are invisible to every other customer, structurally.

Access and authentication

Sign-in runs through an established identity provider using short-lived, signed tokens. Inside the platform, access is role-based: office staff, engineers and administrators each see what their role needs and no more. The same principle applies to our own staff — least privilege, not standing access.

Audit trails

The platform keeps an audit trail of changes to your records — who did what, when. For a compliance product that's not an extra; it's part of the point.

Backups and recovery

Customer data is backed up automatically on managed infrastructure.

⚠ For review: Before this section publishes, ops must confirm and record: backup schedule, retention period, and the date of the last successful restore test. A backup that's never been restored is a hope, not a backup — we don't publish specifics until they're verified.

Reporting a vulnerability

If you find a security problem, tell us at security@usebluewave.com [pending mailbox] and give us a reasonable chance to fix it before disclosing. Good-faith research is welcome; the boundaries are in our acceptable use policy. We'll acknowledge reports promptly and keep you informed.

Compliance posture

Honesty over badges: we don't hold SOC 2 or ISO 27001 certification today, and we won't imply otherwise. What we do have: the controls above, a UK GDPR-aligned data protection setup — privacy policy, a data processing agreement and a public sub-processor list (being finalised; it'll be linked from here), ICO registration [pending] — and cookieless analytics that gives us nothing to leak about your visitors.

Questions?

If security is the deciding factor — and for compliance managers it often is — ask us the hard questions directly: security@usebluewave.com [pending mailbox], or book a demo and bring your security questionnaire along.