Information Security Policy

Last updated: April 1, 2026

Blueprint Finance LLC, doing business as Blueprint AI ("Blueprint," "we," "us," or "our"), maintains a documented information security program designed to identify, mitigate, and monitor information security risks relevant to our business. This policy outlines our commitment to protecting the confidentiality, integrity, and availability of information assets entrusted to us by our users, partners, and stakeholders.

1. Policy Scope

This policy applies to all information systems, data, personnel, contractors, and third-party service providers that access, process, store, or transmit Blueprint data — including but not limited to user financial data, authentication credentials, and personally identifiable information (PII).

2. Information Security Governance

Blueprint has designated responsibility for information security oversight to its leadership team. Our security program includes:

  • Documented security policies and procedures reviewed at least annually
  • Assignment of security roles and responsibilities
  • Regular risk assessments to identify and prioritize threats
  • Monitoring and enforcement of security controls across all systems

3. Risk Identification and Assessment

Blueprint conducts ongoing risk assessments to identify threats and vulnerabilities across our systems. Our risk management process includes:

  • Periodic review of attack surfaces including authentication, APIs, payment systems, and third-party integrations
  • Vulnerability assessments and security testing prior to major releases
  • Evaluation of third-party service providers for security compliance
  • Threat modeling for new features that handle sensitive financial or personal data

4. Access Control

Access to Blueprint systems and user data is governed by the principle of least privilege. Controls include:

  • Role-based access controls (RBAC) limiting data access to authorized personnel only
  • Multi-factor authentication (MFA) required for all administrative access
  • Unique user accounts — shared credentials are prohibited
  • Access reviews conducted periodically and upon personnel changes
  • Immediate revocation of access upon termination or role change

5. Data Protection

Blueprint implements technical and organizational controls to protect user data:

  • All data in transit is encrypted using TLS 1.2 or higher
  • Sensitive data at rest is encrypted using industry-standard encryption
  • Financial data accessed via Plaid is handled in accordance with Plaid's security standards and our data sharing agreements
  • Payment processing is handled by Stripe — Blueprint does not store raw payment card data
  • Row-level security (RLS) enforced at the database layer to prevent unauthorized cross-user data access

6. Application Security

Blueprint follows secure development practices to protect our web and mobile applications:

  • Security headers enforced on all web responses (HSTS, CSP, X-Frame-Options, etc.)
  • Input validation and output encoding to prevent injection attacks
  • Rate limiting applied to all authentication and API endpoints
  • UUID format validation on all data access routes, combined with the per-user row-level security described in Section 5, to prevent insecure direct object reference (IDOR) attacks; format validation alone rejects malformed identifiers, and the ownership check is what stops one user reading another user's records
  • Authentication required on all routes that access user-specific data
  • Regular review of the application against the OWASP Top 10
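The following TypeScript is an added example, not code from Blueprint or any of its providers. It models the controls listed in this section on one data-access route: rate limiting, authentication, UUID validation, and the ownership predicate that actually prevents IDOR. The in-memory store, the session object, the limiter, the route names and the sample identifiers are all hypothetical; in the real stack the ownership predicate would be a filter on the authenticated user's id with Supabase row-level security enforcing the same condition inside the database.

```typescript
// Added example, not Blueprint's code. Models the Section 6 controls on a
// data-access route. Store, session, limiter and all ids are hypothetical.

type Session = { userId: string } | null;
type Transaction = { id: string; ownerId: string; amount: number };

export interface RouteRequest {
  clientIp: string;        // used as the rate-limit key
  session: Session;        // resolved by the auth layer; null when no valid token
  params: { id: string };  // path parameter, fully attacker-controlled
}
export interface RouteResponse { status: number; body: unknown }

// RFC 4122/9562 UUID: 8-4-4-4-12 hex, version nibble 1-8, variant nibble 8/9/a/b.
// Rejects "1", "../admin", "1 OR 1=1" and similar before they reach a query.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
export function isUuid(value: string): boolean { return UUID_RE.test(value); }

// Fixed-window counter per key; enough to show where the check sits in the route.
export class FixedWindowLimiter {
  private hits = new Map<string, { count: number; windowStart: number }>();
  private limit: number;
  private windowMs: number;
  constructor(limit: number, windowMs: number) { this.limit = limit; this.windowMs = windowMs; }
  // true if the request is allowed, false once the caller exceeds limit in a window
  allow(key: string, now: number): boolean {
    const e = this.hits.get(key);
    if (!e || now - e.windowStart >= this.windowMs) {
      this.hits.set(key, { count: 1, windowStart: now });
      return true;
    }
    e.count += 1;
    return e.count <= this.limit;
  }
}

// Constructed sample rows standing in for a transactions table (ids kept lowercase).
const TRANSACTIONS: Transaction[] = [
  { id: "8f14e45f-ceea-4b6f-b2a3-3b1c2f0d9e77", ownerId: "user-alice", amount: 42.5 },
  { id: "c0ffee00-0000-4000-8000-000000000001", ownerId: "user-bob", amount: 1000 },
];
export const limiter = new FixedWindowLimiter(5, 60_000);

// IDOR-prone version: authenticates, validates the UUID, then looks up by id only.
// Any logged-in user who learns another user's transaction id can read it.
export function getTransactionVulnerable(req: RouteRequest): RouteResponse {
  if (!req.session) return { status: 401, body: { error: "unauthenticated" } };
  if (!isUuid(req.params.id)) return { status: 400, body: { error: "invalid id" } };
  const row = TRANSACTIONS.find(t => t.id === req.params.id.toLowerCase());
  return row ? { status: 200, body: row } : { status: 404, body: { error: "not found" } };
}

// Hardened version: same checks plus rate limiting and an ownership predicate.
export function getTransaction(req: RouteRequest, now: number = Date.now()): RouteResponse {
  // 1. Rate limit before doing any work.
  if (!limiter.allow(req.clientIp, now)) return { status: 429, body: { error: "rate limited" } };
  // 2. Authentication: no session, no data.
  const session = req.session;
  if (!session) return { status: 401, body: { error: "unauthenticated" } };
  // 3. Input validation: the id must be a well-formed UUID.
  const id = req.params.id;
  if (!isUuid(id)) return { status: 400, body: { error: "invalid id" } };
  // 4. Authorization: scope the lookup to the caller. Row-level security applies
  //    the same predicate inside the database as defence in depth.
  const row = TRANSACTIONS.find(t => t.id === id.toLowerCase() && t.ownerId === session.userId);
  // 404 rather than 403 so the response does not confirm that the row exists.
  return row ? { status: 200, body: row } : { status: 404, body: { error: "not found" } };
}
```

The two handlers differ only in the lookup predicate: both validate the UUID, yet `getTransactionVulnerable` returns another user's row to any authenticated caller who knows its id, which is the IDOR this section refers to. Returning 404 instead of 403 on an ownership failure is a deliberate choice so that the route cannot be used to enumerate which identifiers exist.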

7. Incident Response

Blueprint maintains an incident response process to detect, contain, and remediate security incidents:

  • Security incidents are escalated immediately to leadership
  • Affected users are notified promptly in accordance with applicable laws and regulations
  • Post-incident reviews are conducted to identify root causes and prevent recurrence
  • Error monitoring and alerting systems are in place to detect anomalies in real time

8. Third-Party Risk Management

Blueprint evaluates and monitors third-party service providers that access, process, or store our data. Key providers include:

  • Supabase — database and authentication infrastructure
  • Plaid — bank account connectivity and transaction data
  • Stripe — payment processing
  • Anthropic — AI/ML processing
  • Vercel — web application hosting
  • Resend — transactional email delivery

All third-party providers are evaluated for their security posture, certifications, and data handling practices prior to integration.

9. Business Continuity

Blueprint maintains procedures to ensure continuity of service in the event of a disruption, including regular data backups, redundant infrastructure, and documented recovery procedures.

10. Compliance

Blueprint's security program is designed to align with the following frameworks and regulations:

  • OWASP Top 10 — web application security
  • GDPR / CCPA — user data privacy rights
  • PCI DSS — payment card data security (via Stripe)
  • SOC 2 principles — security, availability, and confidentiality

11. Data Retention and Deletion

Blueprint maintains a defined data retention and deletion policy in compliance with applicable data privacy laws including GDPR and CCPA:

  • User account data is retained for the duration of the account's active status
  • Upon account deletion, personal data is purged from production systems within 30 days
  • Transaction and financial data sourced from Plaid is retained only as long as necessary to deliver the service and is deleted upon account closure
  • Backups containing user data are retained for up to 90 days, after which they are permanently deleted
  • Users may request deletion of their data at any time by contacting blueprintappai@outlook.com
  • This policy is reviewed at least annually to ensure compliance with applicable laws

12. Policy Review

This policy is reviewed at least annually and updated as needed to reflect changes in our technology, operations, or regulatory environment. All personnel with access to Blueprint systems are expected to comply with this policy.

For questions about our information security practices, please contact us at blueprintappai@outlook.com.

© 2026 Blueprint Finance LLC. All rights reserved.
