Version 1.0 · Effective [to be set on publication] · Last reviewed 2026-07-09
[COMPANY LEGAL NAME] ("we", "us") operates BlueTower, a B2B governance, risk and compliance platform that helps organisations run vendor-risk reviews and analyse SOC reports. Registered address: [REGISTERED ADDRESS]. Privacy contact: [privacy@yourcompany.example].
We have two roles under GDPR. We are a processor (Art. 28) for the data our business customers put into their BlueTower tenant — their employees' user accounts, vendor contacts, and the SOC reports and evidence they upload; for that data the customer is the controller and is your first point of contact. We are a controller (Art. 4(7)) for data we determine the purposes of: our own platform-administrator accounts, security and audit logs, session/login records (including IP addresses and device strings), and customer-administrator contact details for account management. This notice covers the data for which we are the controller and, for transparency, explains how we handle customer tenant data as a processor.
Our data-protection contact: [dpo@yourcompany.example]. Until a DPO/SRI appointment is finalised (an Art. 37 assessment is in progress), privacy enquiries are handled by [privacy@yourcompany.example].
As controller (platform and security data):
| Category | Examples | Data subjects |
|---|---|---|
| Account identity | Name, email, initials, role | Platform / customer administrators |
| Authentication data | bcrypt password hashes, MFA/TOTP secrets and backup codes, hashed session tokens | Administrators, customer users |
| Security telemetry | IP address, user-agent, login timestamps, failed-login / lockout records | All authenticated users |
| Audit records | Actor name, role, action, IP, timestamp, tamper-evidence hash | All authenticated users |
| Account-management data | Customer-admin names/emails, billing notes | Customer administrators |
As processor (customer tenant data, controlled by our customers):
| Category | Examples | Data subjects |
|---|---|---|
| Tenant user accounts | Name, email, initials, role | Customer employees |
| Vendor and contact records | Vendor contact name, email, phone, business-owner email | Vendor personnel; customer employees |
| Share recipients | Questionnaire and draft-share recipient names/emails | External auditors and recipients |
| Uploaded documents | SOC reports, evidence and screenshots that may name auditors, signatories and personnel | Individuals named in documents |
We do not intend to process special-category data (Art. 9); uploaded documents are free-form and could incidentally contain sensitive content, which we flag as a residual risk addressed in our DPIA. We do not knowingly collect data from children.
| Purpose | Lawful basis |
|---|---|
| Providing the platform: accounts, authentication, review workflows | Contract (Art. 6(1)(b)) |
| Account security: sessions, MFA, rate limiting, lockout, audit logging | Legitimate interests (Art. 6(1)(f)) |
| Detecting and investigating security incidents and abuse | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) for breach records |
| AI-assisted analysis of uploaded SOC reports (Section 9) | Processor activity on customer (controller) instructions |
| Account management, support and billing | Contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)) |
| Transactional email (password resets, share links, notifications) | Contract (Art. 6(1)(b)) |
Each legitimate-interests claim is supported by a documented Legitimate Interests Assessment retained as evidence. We do not sell personal data and do not use it for cross-context behavioural advertising.
We share personal data with the providers that operate our infrastructure and features, each acting as our processor under an Art. 28 contract: cloud infrastructure and storage (Supabase, Vercel); AI/LLM providers for SOC-report analysis (Google Gemini, Anthropic Claude, Hugging Face embeddings); transactional email (Resend); security tooling (VirusTotal file-hash lookup — hash only, not file content); and single sign-on (BoxyHQ SAML Jackson). Our current subprocessors, the data each receives, their location and the transfer mechanism are maintained in our Subprocessor List, updated with advance change-notification. We may also disclose data where required by law or to establish or defend legal claims.
Our infrastructure and subprocessors are US-hosted. For UK/EEA personal data transferred to the US we rely on the EU–US Data Privacy Framework / UK–US Data Bridge where a subprocessor holds a current certification, with 2021 Standard Contractual Clauses maintained as a parallel safeguard, plus supplementary technical measures (encryption in transit and at rest; PII redaction before AI processing). The DPF is under appeal to the CJEU (Case C-703/25 P), so we keep SCCs ready as an alternative so a subsequent invalidation would not interrupt lawful transfer. Details are available on request.
| Data category | Retention |
|---|---|
| Audit-log records | 7 years (scheduled purge) |
| Uploaded SOC reports | 3 years |
| Evidence files | 2 years |
| Review records | 5 years |
| Sessions and reset tokens | 90 days / on expiry |
| Deprovisioned customer (tenant) data | 30 days after account termination |
Retention is enforced in the platform by scheduled purge jobs. We keep personal data only as long as necessary for the stated purpose, then delete or anonymise it.
Where we are the controller, you have the rights to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21), and to withdraw consent where we rely on it. You will not be subject to a solely automated decision producing legal or similarly significant effects (Art. 22 — see Section 9). Authenticated users can export their own data in-app; contact [privacy@yourcompany.example] to exercise any right. We respond within one month and free of charge, extendable by up to two months for complex requests. If your data sits inside a customer's tenant, the customer is the controller — please direct your request to them, and we assist them as their processor.
BlueTower uses AI to assist with reviewing SOC reports (extracting control objectives, CUECs and exceptions). A human is always in the loop: AI output is stored as a pending, AI-attributed suggestion that never overwrites a human answer, and a qualified reviewer must accept, edit or reject it — there is no solely automated decision with legal or similarly significant effect. Before document text is sent to an AI provider, obvious incidental identifiers (person emails, phone numbers, national ID numbers) are redacted; vendor and control references are preserved because the analysis needs them. AI providers are listed as subprocessors and are bound, or are being bound, not to train models on our customers' data.
BlueTower uses only strictly necessary cookies to keep you logged in and secure your session (bt-session), which are exempt from consent because they are essential to the service. We do not use analytics, advertising or tracking cookies. If that changes, we will present an equal-prominence Accept/Reject consent choice before any non-essential cookie is set.
You may lodge a complaint with a supervisory authority, in particular in your country of residence, place of work, or place of the alleged infringement. UK: Information Commissioner's Office (ico.org.uk, 0303 123 1113). EU lead supervisory authority: [EU lead supervisory authority]. We would appreciate the chance to address your concern first — please contact [privacy@yourcompany.example].
We review this notice at least annually and whenever our processing materially changes. The version and effective date are shown at the top; material changes are communicated to account administrators.
General compliance information, not legal advice. © 2026 [COMPANY LEGAL NAME].