Built to be trusted

Security you can hand to your CISO.

Accreditation data is sensitive: names, contact details, documents and who is allowed where. Here is how Bloop is built to protect it, in plain language and honest about what we do and do not yet claim. Last updated: 18 July 2026.

Architecture & tenancy

Bloop is a multi-tenant SaaS platform for event accreditation. Every organisation's data is logically isolated, and access is enforced by zero-trust, org- and event-scoped middleware: every request is checked against the caller's organisation, the specific event they are acting on, and their role before any data is read or written.

  • The backend runs on Node and Express with tRPC, using Drizzle ORM over MySQL. The React PWA front end never talks to the database directly — all access is mediated by the API and its authorisation checks.
  • Role-based access control (RBAC) with four roles — owner, admin, manager and viewer — plus per-event membership, so a person only sees the events they have been added to.
  • Scoping is applied server-side on every call, not in the browser, so a tampered client cannot reach another tenant's or another event's data.

Authentication

Different people need different ways in, so Bloop matches the access method to the risk.

Staff — SSO / OIDC

Your team signs in with single sign-on over OIDC. Supported identity providers include Auth0, Clerk, Okta, Google, Microsoft Entra ID and Keycloak, so account lifecycle, MFA and password policy stay with your existing identity platform.

Suppliers & crew — magic link

Suppliers and crew get in via a one-time magic link sent to their email. There is no password and no standing account to leak, phish or reuse — access is tied to the current link and the work in front of them.

Scanner devices — API keys

Gate scanning devices authenticate with API keys. Each key is shown once at creation, then stored only as a hash, and can be rotated at any time, so a lost or retired device can be cut off without disturbing the rest of the operation.

Data protection

  • In transit: all traffic is encrypted with TLS.
  • At rest & data residency: documents and photos are held in S3-compatible object storage (AWS S3, Cloudflare R2, Backblaze B2 or self-hosted MinIO). Because you choose the bucket and region, encryption-at-rest and data residency follow the storage you select — your data lives where you decide it should.
  • Structured data — people, passes, permissions and audit records — is held in MySQL.

Audit & accountability

Bloop keeps a structured audit log of significant actions, with a typed actor so you can tell whether a change was made by a user, a supplier or the system itself. That gives you a clear who, what and when when you need to answer a question after the fact.

Availability & the gate

The gate cannot stop because the Wi-Fi did. Bloop's scanning app is an offline-first PWA: a service worker and an offline mutation queue let staff keep scanning and admitting people through patchy signal or a full connectivity drop, then sync the queued activity automatically when the connection returns.

Sub-processors

Bloop relies on a small set of well-established providers to deliver the service. Which of these are active depends on the features you switch on.

  • Resend — transactional email (magic links, invites, alerts).
  • Twilio — SMS notifications.
  • Stripe — card payments (catering and pay-online).
  • Square — guest-list paywall, taken on the operator's own Square account.
  • Google — Sheets and Drive integration, via a service account you connect.
  • See Tickets — ticketing barcode sync and gate-scan register-back.
  • Hosting, database & storage provider — the infrastructure Bloop runs on (for example Railway with MySQL) and your chosen S3-compatible object storage.

What we don't claim yet

Being trustworthy means being straight about the gaps, too.

  • Bloop does not hold SOC 2 or ISO 27001 certification today. We apply the practices above; we are not making a certified-audit claim.
  • GDPR data-export and retention automation is on our roadmap rather than shipped — talk to us about your current requirements and we will tell you exactly what is possible today.
  • Need something reviewed formally? Send a security questionnaire to security@bloophq.com and we will complete it.

Send us your questionnaire

We are happy to walk your security team through any of the above and to fill in your standard due-diligence questionnaire. Email security@bloophq.com and we will get it back to you.