Security is the core of our business and a top priority.

We are prepared for the new era in privacy regulation.

Certified

SOC 2  ·  EU AI Act  ·  Microsoft Azure  ·  GDPR  ·  TX-RAMP  ·  EU-U.S. Data Privacy Framework  ·  Swiss-U.S. Data Privacy Framework

SOC 2

BlueDot SOC 2 Certified

SOC 2, which stands for Service Organization Control 2, is a set of compliance standards and guidelines developed by the American Institute of Certified Public Accountants (AICPA). SOC 2 is specifically designed for service organizations — such as cloud service providers, data centers, SaaS companies, and other entities that store, process, or transmit customer data.

The SOC 2 framework focuses on the controls and processes a service organization has in place to ensure the security, availability, processing integrity, confidentiality, and privacy of customer data. These are often referred to as the "Trust Services Criteria."

  • Security: Assesses security measures to protect customer data from unauthorized access, breaches, and other threats — encompassing physical security, logical access controls, data encryption, and related practices.
  • Availability: Measures system uptime and reliability, ensuring services are accessible when customers need them — including the ability to maintain operations even in the face of disruptions or outages.
  • Processing Integrity: Evaluates the accuracy, completeness, and validity of data processing — ensuring data is handled correctly with controls in place to prevent errors and unauthorized alterations.
  • Confidentiality: Focuses on protecting sensitive information from unauthorized disclosure through data access controls, encryption, and data classification.
  • Privacy: Addresses how personal information is handled and how the organization complies with privacy regulations such as GDPR and HIPAA.

To achieve SOC 2 compliance, BlueDot underwent a thorough audit by an independent third-party auditor who assessed our controls and processes against these criteria. SOC 2 compliance has become a valuable standard for organizations handling customer data — it is often a requirement for businesses seeking to work with larger enterprises or in industries with strict data protection requirements.

EU AI Act

BlueDot is EU AI Act Compliant

The EU AI Act is the world's first comprehensive, legally binding framework for artificial intelligence, established by the European Union to regulate the development and use of AI systems across member states. It applies to any provider whose AI systems are used within the European Union, regardless of where the provider is based, and aligns with the broader objectives of the General Data Protection Regulation (GDPR) in safeguarding fundamental rights.

At its core, the Act adopts a risk-based approach that classifies AI systems according to their potential impact on safety, fundamental rights, and societal well-being. Each tier carries a different set of binding obligations.

  • Unacceptable Risk: AI systems that pose a clear threat to safety, livelihoods, or rights — including social scoring, manipulative behavioral systems, and untargeted facial-recognition databases — are prohibited outright.
  • High Risk: AI used in critical infrastructure, education, employment, essential services, law enforcement, migration, and the administration of justice is subject to strict requirements covering risk management, data governance, transparency, human oversight, and cybersecurity.
  • Limited Risk: AI systems that interact with users — such as chatbots and AI-generated content — must meet transparency obligations, including clear disclosure that users are engaging with AI.
  • Minimal Risk: The vast majority of AI applications fall into this tier, with no specific obligations beyond existing law, while being encouraged to adopt voluntary codes of conduct.

BlueDot's AI features operate within the limited-risk category and are designed to meet and exceed the Act's transparency and human-oversight requirements. Every AI interaction is explicitly user-initiated, all outputs are advisory rather than autonomous, no personal data is retained beyond the request, and human review is required before any AI-extracted information is saved to a client record.

To achieve EU AI Act compliance, BlueDot has implemented a documented governance program covering AI use disclosure, data minimization, model-vendor due diligence, and continuous monitoring — independently verified through our compliance partner. This certification confirms that BlueDot's AI implementation meets the regulatory expectations for organizations serving clients within the European Union.

Microsoft Azure

BlueDot is Hosted on Microsoft Azure Cloud

BlueDot is hosted on Microsoft Azure Cloud Servers and leverages Azure's state-of-the-art network infrastructure — including Intrusion Protection, Web Application Firewalls, Performance and Availability Monitoring Systems, and Antivirus Systems — providing real-time protection from hackers, viruses, and other threats while ensuring the highest level of performance across our systems.

  • TLS Encryption: BlueDot uses the highest HTTPS encryption method available (TLS) for all communication across the internet. Databases use Transparent Data Encryption, which encrypts data at rest. All uploaded documents are also encrypted at rest.
  • Two-Factor Authentication: BlueDot offers Microsoft Two-Factor Authentication (2FA) — a method in which users are granted access only after successfully presenting two pieces of evidence to the authentication mechanism, adding a critical layer of identity verification.
  • Privacy Shield: BlueDot has been issued the Privacy Shield Framework Seal by the US Department of Commerce, issued to companies that commit to data protection principles consistent with EU law and GDPR regulations.

GDPR

General Data Protection Regulation

BlueDot follows GDPR guidelines and provides customers with an Administrator Module that enables them to protect, update, delete, and manage their information and security settings. We do not access or use customer content for any purpose other than providing support, maintaining and improving BlueDot services, and as otherwise required by law.

The Administrator Module allows customers to:

  • Access their personal data
  • Correct errors in their personal data
  • Erase their personal data
  • Object to processing of their personal data
  • Export personal data

Data Security: BlueDot is hosted on Microsoft Azure, which meets a broad set of international and industry-specific compliance standards including ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards like Australia IRAP, UK G-Cloud, and Singapore MTCS. Rigorous third-party audits by the British Standards Institute verify Azure's adherence to strict security controls.

Disclosure of Customer Service Data: BlueDot only discloses Service Data to third parties where disclosure is necessary to provide services or as required to respond to lawful requests from public authorities. For more details please read our Privacy Policy.

Transparent Policies: BlueDot has developed security protections and control processes to help our customers maintain a secure environment for their information, and we have updated our Privacy Policy to reflect these changes. BlueDot has a process in place to make customers and relevant supervisory authorities aware of personal data breaches in accordance with GDPR timeframes.

Data Protection Officer

BlueDot
Westshore Int'l Plaza
2202 N. West Shore Blvd Suite 200
Tampa, Florida 33607, United States

TX-RAMP

BlueDot is TX-RAMP Certified

BlueDot is TX-RAMP certified — a security compliance standard established by the State of Texas to ensure that cloud service providers meet rigorous requirements for the protection of sensitive government and regulated data. TX-RAMP (Texas Risk and Authorization Management Program) is designed to align with nationally recognized frameworks, including NIST and FedRAMP principles, and requires independent third-party security assessments, continuous monitoring, and documented risk management practices.

This certification demonstrates BlueDot's commitment to maintaining a strong security posture, robust operational controls, and strict data-protection standards.

For law firms, institutions, and organizations handling highly sensitive immigration and personal data, TX-RAMP certification provides additional assurance that BlueDot operates in accordance with government-level security expectations and best practices for confidentiality, integrity, and availability of data.

Data Privacy Framework

EU-U.S. & Swiss-U.S. Data Privacy Framework

BlueDot is certified under both the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework, administered by the U.S. Department of Commerce. These frameworks establish a structured mechanism for the lawful transfer of personal data from the European Union and Switzerland to the United States, replacing the former Privacy Shield program and aligning with the requirements of the EU General Data Protection Regulation (GDPR).

  • EU-U.S. Data Privacy Framework: Governs the transfer of personal data from the European Union to the United States. Certified organizations must adhere to DPF principles covering notice, choice, accountability for onward transfer, security, data integrity, purpose limitation, access, and recourse — enforced by the U.S. Federal Trade Commission.
  • Swiss-U.S. Data Privacy Framework: Extends equivalent protections to the transfer of personal data from Switzerland to the United States, ensuring BlueDot meets the data protection standards required under Swiss law in addition to EU requirements.

Certification under both frameworks confirms that BlueDot has self-certified to the DPF principles and committed to resolving any privacy complaints in accordance with the program's dispute resolution requirements. Both certifications carry Active status for Non-HR Data.

You can verify BlueDot's active certification in the Data Privacy Framework List by searching for Small Business Web Solutions Inc. (DBA BlueDot).

Privacy

Your data is safe with us — always encrypted, always protected.