Security

• All connections to and from the Service are encrypted in transit using TLS 1.2 or higher.
• Internal links between the website and the extraction service are TLS-protected and authenticated with rotating API keys.
• Connections from the public website to our processing infrastructure traverse a hardened tunnel and are not exposed on the public internet.

• Customers authenticate using third-party single sign-on providers. We never receive, see, or store your password.
• Every internal API request must include a valid API key in addition to your user session.
• Administrative access to production systems is restricted to authorized personnel and logged.
• The processing service supports IP allowlisting, so the set of callers permitted to reach it can be restricted to the website service and known operator IP addresses.

• All customer data is stored in the United States.
• Uploaded PDFs, extraction results, and review submissions are kept so that customers can return to past extractions and re-export results. Customers may request deletion at any time.
• Operational logs containing IP addresses and request timestamps are retained for up to twelve months and used for security monitoring, rate limiting, and debugging.

• We do not use customer-uploaded statements or extraction results to train our own or any third party's machine-learning models.
• We do not sell or rent customer data. We do not share customer data with advertising networks.
• We share data only with service providers necessary to operate the Service, and only for the purposes described in our Privacy Policy.

• We use a small number of third-party service providers in categories including hosting, identity, natural-language processing, and business directory lookup. Every sub-processor is bound by contract to handle data consistently with our Privacy Policy and applicable law, and none may use customer data to train their own models.
• We perform diligence on each sub-processor before engaging it and review the security posture of existing sub-processors regularly.
• Business customers may request our current list of named sub-processors and a Data Processing Agreement by emailing contact@blueprintledger.com.

• The extraction service enforces per-IP rate limits to deter automated abuse.
• Public API documentation is disabled in production — there is no browseable surface enumerating our endpoints.
• Uploads larger than our published size limit are rejected at the edge.
• Access events and processing activity are continuously logged and reviewed for anomalies.

If we become aware of a personal-data breach affecting customer data, we will notify affected customers without undue delay, and in any event within seventy-two (72) hours of becoming aware, in accordance with applicable law and the commitments in our Data Processing Agreement. We will provide what we know about the nature of the incident, the data affected, the likely consequences, and the steps we are taking in response.

If you believe you have discovered a security issue with the Service, we want to hear about it. Please email contact@blueprintledger.com with details, including steps to reproduce and any relevant logs or screenshots. We commit to:

• Acknowledge your report within three business days;
• Investigate and respond with a remediation plan or rationale;
• Not pursue legal action against good-faith researchers who follow this process and avoid privacy violations, data destruction, and service disruption.

For questions about this page, security practices, or to request a Data Processing Agreement or named sub-processor list, contact: