Trust
Security overview
How the Bluetree Client Portal protects your data, who can sign in, and the providers we rely on. Last updated: 19 April 2026.
At Bluetree Media we take the security of your project data seriously. The Bluetree Client Portal is a secure window onto the HubSpot records we already manage for you. This page explains how your data is protected, what we store, and the providers we rely on.
Where your data lives
We don't run a separate database. Every piece of information you see in the portal — tickets, projects, threads, attachments — lives in our HubSpot CRM, the same system our team uses day-to-day. The portal is a read layer on top of HubSpot; when a ticket is updated in HubSpot it updates for you, and vice versa.
- There is no second copy of your data to worry about, back up, or leak.
- Deleting a record in HubSpot removes it everywhere.
- HubSpot's own security, compliance and data-residency commitments apply to your data end-to-end.
Who can sign in
Access is gated by your email address as it appears on your HubSpot contact record:
- Sign-in is passwordless. You enter your email and receive a one-time link by email.
- The link is valid for 15 minutes and can only be used once.
- If you enter an email that is not on a contact record associated with a Bluetree project, no link is sent — but we reveal nothing about whether that address exists on our side.
- A signed session lasts 30 days before you have to sign in again. You can sign out at any time.
Data you can see
Once signed in, the portal only shows you the projects and tickets directly associated with your HubSpot contact record. Every API request is checked on our server before any data is returned:
- Listing projects → we confirm each project is associated with your contact.
- Opening a ticket → we confirm your contact is associated with that ticket.
- Downloading a document → we confirm the file is attached to a project you can see.
You cannot view another client's data by guessing a URL; access is verified server-side on every request.
In transit and at rest
- The portal is served only over HTTPS/TLS 1.3, with HSTS enforced by our hosting provider.
- Session tokens are stored in cookies marked HttpOnly, Secure, and SameSite=Lax, so they cannot be read by JavaScript, intercepted over plain HTTP, or leaked to third-party sites.
- Session tokens are signed with HS256 using a secret held only in our server environment.
- File downloads are served through short-lived signed URLs that expire in five minutes — the underlying file is never publicly accessible.
Sign-in links and notifications are sent from support@bluetree-media.co.uk via Resend. The sending domain is authenticated with SPF, DKIM and DMARC so that recipients and mail providers can verify that email claiming to come from us really did.
Secrets and least privilege
- The portal connects to HubSpot using a private-app token with the minimum scopes required: read & write on tickets and emails, and read-only on contacts, companies, projects and files. It can see nothing else in the HubSpot account.
- All secrets (API keys, signing secrets) are stored as encrypted environment variables in our hosting platform and are never committed to source control.
- Access to rotate or revoke the token is restricted to Bluetree administrators.
Infrastructure providers
We rely on a small set of reputable, compliance-audited providers. Each holds relevant third-party attestations — linked here for your own due diligence.
What we do not do
- We do not store your data outside HubSpot.
- We do not sell or share your data, and we do not use it for marketing.
- We do not allow third-party trackers, advertising scripts, or analytics cookies inside the authenticated portal.
- We do not provide public, unauthenticated access to any ticket, thread or file.
Incidents and questions
If you believe you have seen data that is not yours, spotted a vulnerability, or have a security question of any kind, email support@bluetree-media.co.uk with "Portal security" in the subject. We will acknowledge within one working day.
Changes to this statement will be announced at the top of this page with an updated date. Material changes will also be communicated to active clients by email.