Security & Encryption
Security is not an afterthought in Bloomx. It is the core constraint of our architecture. We operate on a "Zero Trust" model where even the database administrator cannot read your sensitive credentials.
The Vault (Credentials)
Expansion credentials (like Google Refresh Tokens, Notion API Keys, and Slack Tokens) are never stored in plain text.
AES-256-CBC Encryption
We use industry-standard AES-256-CBC encryption for all 'Expansion Settings' at rest. The Initialization Vector (IV) is unique per record.
Key Derivation
The encryption key is derived from a master server secret (`DATA_ENCRYPTION_KEY`) which exists only in the runtime environment memory, never in the database.
Authentication & Session
Secure Cookies
In production, sessions are tracked via `__Secure-next-auth.session-token`. Only HTTPS connections can transmit this cookie.
Middleware Protection
All protected routes are guarded by a specialized Edge Middleware that validates tokens before the request even reaches the server logic.
Data Ownership
Unlike typical SaaS email clients, Bloomx is designed to point to your database and your S3 bucket. We do not proxy your data through a "Bloomx Cloud". You own the infrastructure.