Security
The foundations we build on — and the ones you should verify.
Encrypted in transit & at rest
TLS 1.3 for every connection. AES-256 at rest for databases, object storage, and backups.
Least-privilege access
Employees authenticate with SSO + hardware keys. Production access is just-in-time, scoped, and audited.
API keys you can rotate
Revoke or rotate keys instantly. Every key action writes to an immutable audit log.
Secrets never in client code
The developer portal uses HTTP-only cookies through a backend-for-frontend (BFF), so no JWTs are exposed to JavaScript.
Report a vulnerability
We take security reports seriously. Email security@bluehive.health — include reproduction steps and any impact assessment. We respond within one business day.