
How Blufire protects your data: the infrastructure we are built on, the controls we run, who processes your data, and the documents you can request. Your data is stored in Australia, and we connect to your systems read-only.

Overview

Blufire handles commercial and customer data for businesses turning over millions, so security is a precondition of the product, not an add-on. We build on infrastructure that is already certified to the highest standards, keep your data in Australia, give each customer an isolated environment, and only ever read from your systems. We are transparent about every provider that touches your data, and we are pursuing our own SOC 2 Type 2 certification.

Compliance

Infrastructure certified to: SOC 2 Type II, ISO 27001, ISO 42001 (AI), PCI DSS, HIPAA-ready
We align with: Australian Privacy Act, GDPR, CCPA

Documents

What you can access today, and what is on the way. Request gated documents from our security team.

| Category | Document | Availability |
| --- | --- | --- |
| Compliance | Sub-processor list | View |
| Legal | Data Processing Agreement | Request |
| Compliance | SOC 2 Type 2 report | On roadmap |
| Security | Penetration test report | On roadmap |
| Legal | Privacy policy | View |

SOC 2 and penetration-test reports are on our compliance roadmap and are not yet available. The certifications shown in Compliance are held by our infrastructure providers, not by Blufire, and underpin the services we run on.

Data profile

  • Data residency: Australia
  • System access: Read-only
  • Tenant model: Isolated
  • Recovery objective: ~1 hour

Product security

  • Encryption at rest and in transit
  • Multi-factor authentication
  • Append-only audit logging
  • Single sign-on (SAML / SCIM)

Resilience

  • Point-in-time recovery
  • Encrypted redundant backups (AU)
  • Continuous monitoring
  • Verified data deletion

Data security

  • AES-256 encryption at rest
  • TLS encryption in transit
  • Per-tenant encryption keys
  • Crypto-shred on deletion

Access control

  • Row-level security
  • Single sign-on (SAML / SCIM)
  • Multi-factor authentication
  • Least-privilege access

Infrastructure

  • Supabase (SOC 2 / ISO 27001)
  • Vercel (SOC 2 / ISO 27001)
  • Google Cloud and AWS
  • Environment segregation

Data residency

  • Stored in AWS Sydney
  • Encrypted backups in AU
  • Core data stays in Australia
  • Transparent sub-processors

Data privacy

  • Data minimisation
  • Opt-out, anonymised benchmarking
  • Breach notification
  • We never sell your data

AI

  • Transparent AI use
  • No training on your data
  • Zero-data-retention option
  • Analytics product uses no AI

Data connections

  • Read-only access only
  • Official APIs (Shopify, Google)
  • OAuth you can revoke
  • Tokens never logged

Isolation

  • Separate database per tenant
  • No shared data tables
  • Default-deny access
  • Per-tenant Cube context

Continuity

  • Point-in-time recovery
  • RTO ~1h / RPO ~5min
  • 12-month hot audit log
  • 7-year cold archive

Sub-processors

Every third-party provider Blufire relies on. Locations in teal store your data in Australia.

| Company | Purpose | Location |
| --- | --- | --- |
| Supabase | Primary database, authentication and storage | Australia (Sydney) |
| Amazon Web Services | Cloud infrastructure and audit-log storage | Australia (Sydney) |
| Cloudflare | Encrypted secondary backup storage (R2) | Australia (Sydney) |
| Upstash | Caching layer (Redis) | Australia (Sydney) |
| Fly.io | Application and client-portal hosting | Australia / global |
| Vercel | Web application hosting (runs on AWS) | USA |
| Google | Advertising and analytics data access | Global, AU region |
| Anthropic | AI processing for the service platform (Claude) | USA |
| Inngest | Background job and workflow orchestration | USA |
| Resend | Transactional email delivery | USA / global |
| WorkOS | Enterprise single sign-on (SAML / SCIM) | USA |
| Voyage AI | Text embeddings for similarity matching | USA |

We update this list as our infrastructure changes and notify customers with a data-processing agreement of material changes.

Knowledge base

Where is my data stored?
Your core data is stored in Supabase and AWS in the Sydney region (ap-southeast-2), with encrypted secondary backups in Cloudflare R2 Sydney. A small number of specialist providers process specific data in transit, and every one is listed in the sub-processors section above.

Do you train AI models on my data?
No. Our service platform uses Anthropic's Claude to process campaign data, and Anthropic does not train its models on your data and offers a zero-data-retention option. Our ecommerce analytics product uses no AI models at all.

Can I delete my data?
Yes. On a verified erasure request we delete your records within 30 days and crypto-shred the per-tenant encryption keys, which renders historical backups unreadable.

Do you write changes back to my store or ad accounts?
No. We connect to Shopify, Google Ads and GA4 read-only, through their official APIs, using OAuth tokens you authorise and can revoke at any time. We never push changes back into your systems.

Are you SOC 2 certified?
We are built entirely on SOC 2 Type 2 and ISO 27001 certified infrastructure (Supabase, Vercel, Google Cloud, AWS), and we are working toward our own SOC 2 Type 2 attestation. We do not yet hold one, and we will not claim otherwise.

Can I get a DPA or do a security review?
Yes. Email info@blufire.com.au for a security review or questionnaire, or to request our Data Processing Agreement.

Security

Report a vulnerability, request our security documentation, or run a review: info@blufire.com.au. Please give us a reasonable chance to remediate before any public disclosure.

Privacy

Privacy questions, data-handling and erasure requests, and DPA requests: info@blufire.com.au.

Running a vendor security review? We will walk your team through the architecture and complete your questionnaire.