We work with an independent auditor to maintain a SOC 2 Type 2 report, on an annual basis, which objectively certifies our controls to ensure the continuous security of our customers' data. Blue J can provide its SOC 2 report to customers upon receipt of a signed Non-Disclosure Agreement (NDA).
The Blue J platform is a cloud native research platform that includes the following user-friendly tools:
Our generative AI solution, Ask Blue J, answers challenging tax law questions using a natural language interface. Additional AI-powered tools for case research and analysis use the selection of values for factors considered relevant to case decisions. This does not require PII input.
The diagramming tool assists users with tax entity and relationship planning. The user is in control of this data and while it does not require them to enter sensitive data, client information and relationships are likely to be defined by the user in the diagram. This and all data is stored and managed with the strictest of security practices as documented on this page.
PII collection for our users is limited to the data necessary to manage Authentication and Authorization for the purposes of using the Blue J platform (email address and name).
Blue J has established an Information Security Program that maintains a set of policies that are reviewed annually. Policies pertinent to security include:
At Blue J security compliance is overseen by our CTO, Brett Janssen.
Additional information can be found in our Trust Center
During onboarding, new employees must complete Security Awareness training provided by a trusted vendor. Additionally, this training must be completed annually by all existing employees to ensure that security remains a top priority within the organization.
The Blue J Information Security program policies must be read and accepted by employees, during onboarding and renewed annually or when changes may occur to the policies.
Development team staff also complete additional training such as OWASP Top 10 Security Vulnerability training which is also renewed annually.
All Blue J employees are screened prior to employment using standard background checks provided by a trusted vendor and include:
Blue J’s Business Continuity and Disaster Recovery approach includes plans that are maintained and reviewed annually to ensure the business can react appropriately to large scale, unplanned events. Our plans are tested and executed annually allowing us to continually refine our process in the absence of genuine events.
Regular backups and an Infrastructure as Code implementation of hosting environments allow our operations team to react quickly and effectively in the event of large scale outages or disaster.
Blue J’s Information Security Program includes policies that are maintained and reviewed annually to ensure the business can react appropriately to unplanned or malicious events. This includes identifying, responding to, communicating and documenting the information related to a security incident. In the event of a data breach, Blue J will promptly report to required parties to comply with all applicable regulatory requirements. Incident Response plans are tested and executed annually allowing us to continually refine our process in the absence of genuine events.
Blue J achieves high availability by using multiple load balancers, servers and datastores for redundancy. In addition to redundancy we have engineered our platform to self-heal so that most issues can be recovered from quickly and automatically.
Blue J uses Drata’s automation platform to continuously monitor 100+ security controls across the organization. Automated alerts and evidence collection allows Blue J to confidently prove its security and compliance posture any day of the year, while fostering a security-first mindset and culture of compliance across the organization.
This includes monitoring of individual employee workstations to ensure that full drive encryption, screen lock, a trusted password manager and malware protection are enabled at all times.
The System Access Control Policy defines how access to the Blue J network and its resources are managed. This includes adoption of the “Principle of Least Privilege” which limits access only to the level required to perform their job function.
2FA (Two Factor Authentication) is enforced for employee accounts and an annual review of access levels is conducted to ensure that employees maintain an appropriate level of authorization.
Blue J performs annual, whole corporation risk assessments across each of the Engineering, Human Resources (HR), Information Security, Finance, Sales, and Legal departments. The assessment team uses a customized version of the Consensus Assessments Initiative Questionnaire (CAIQ) published by the Cloud Security Alliance (CSA). The questionnaire assists the team in both identifying and quantifying risks. Any identified risks are both catalogued and subsequently actioned in a manner suited to the individual risk’s severity.
Any client, present or past, has a right to be forgotten. Upon email request to [email protected] any and all data pertaining to the client in question will be permanently erased within 7 days. A confirmation email will follow on completion of the request.
An independent, third party vendor provides Blue J with annual penetration testing. Mitigation and remediation of any vulnerabilities found during testing are prioritized within our Software Development Life Cycle.
An independent, third party vendor provides Blue J with quarterly vulnerability scanning. Mitigation and remediation of any vulnerabilities found during scanning are prioritized within our Software Development Life Cycle.
The Blue J Platform is entirely hosted in the cloud by Cloudflare and within AWS, in the us-east-1 North Virginia region. Blue J relies upon the security controls adopted by AWS and Cloudflare to ensure the security of physical computing environments hosting cloud based resources.
Access to cloud hosted resources are controlled by AWS IAM and authorization is granted on a “Principle of Least Privilege” basis, with annual reviews of authorization levels. We use BastionZero for secure remote access to server resources allowing Secure shell (SSH) access to be disabled and commonly attacked ports to remain closed.
Blue J has implemented comprehensive logging of operations conducted within the application as well as within the infrastructure hosting the application. Application Performance Management (APM) with alerting provides another layer of security and oversight.
Blue J benefits from the vendor provided security controls enabled within the AWS cloud infrastructure. In addition, Blue J continually monitors our workloads for malicious activity via AI enhanced threat detection software.
Our Software Development Life Cycle policy defines the standard for the process we use to build our product at Blue J, which is consistent, repeatable and maintains information security at every stage. This includes the adoption of best practices which include:
The Blue J platform includes email notifications to support user collaboration across Workspaces. We have SPF and DKIM records set, and domain-based message authentication, reporting, and conformance (DMARC) set up for monitoring reports to prevent the possibility of phishing scams. It is still strongly recommended that customers add to their allowlist the bluejlegal.com, bluej.com and askbluej.com domains to ensure consistent user access to both notification emails and our products themselves.
Automated full backups of all production databases occur daily, with incremental backups happening throughout the day at 5 minute intervals. Database backups are encrypted to the same standards as live production data.
Data at rest is encrypted using the industry standard AES-256 algorithm. Cryptographic keys are protected using AWS KMS ( Key Management Service).
Data in transit is encrypted using a minimum of HTTPS transport layer security TLS 1.2.
Customer data is retained and protected by Blue J indefinitely unless a formal request for removal is received. Customers can submit a request for data removal by contacting their dedicated Customer Success Manager or by sending an email to [email protected].
All data is stored and processed in the United States in the AWS us-east-1 North Virginia region. We do not currently offer the ability to store data in any other jurisdictions. We do not currently offer an on-premise solution.
Blue J depends on carefully selected vendors and sub-processors to build our product and provide our services. The following list of partners and their respective security practices have been reviewed in accordance with our Vendor Management Policy.
If you believe you have discovered a bug or have another concern with Blue J’s security, please contact our security team at [email protected].
Whether you have questions or are interested in booking a demo, we would love to hear from you.