Trust
Security at BlueTone.
Last updated: 20 May 2026
Transport
trybluetone.com is served exclusively over HTTPS with TLS 1.3. HTTP requests are redirected to HTTPS, and HSTS preload is enabled. We pin only modern cipher suites (AES-GCM, ChaCha20-Poly1305).
Payments
Card data is collected directly in iframes hosted by Stripe (PCI-DSS Level 1). Crypto on-ramp payments are collected in MoonPay's hosted widget. BlueTone servers never receive, log, or store full card numbers, CVVs, or wallet seed phrases.
Customer data
Order data is stored in a managed PostgreSQL database, encrypted at rest (AES-256) and in transit. Access is restricted by role and audited. Backups are encrypted and retained for 30 days.
Authentication
Customer accounts use passwordless email magic-links with short-lived tokens. Staff accounts require hardware-backed multi-factor authentication (WebAuthn / FIDO2).
Vulnerability disclosure
If you believe you've found a security issue, please email contact@trybluetone.com with subject "Security disclosure". We respond within 2 business days and will not pursue legal action against good-faith researchers acting within this policy.
Incident response
In the event of a data breach affecting EU residents, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. Affected customers will be notified directly.
See also our Privacy Policy, Cookie Policy, and Accessibility statement.
