Trust

By design, we never receive your credentials.

BlueSky's Level-1 setup never asks for, receives, or stores your identity-provider credentials. You complete every credential entry in your own Claude, identity-provider, and connector screens. We provide guidance, copy-ready config values, and a human for exceptions. We collect configuration metadata and setup-completion evidence — never secrets.

Verifiable: no field in any form or API schema accepts a password, OAuth client secret, SCIM bearer token, write-scope token, customer API key, or signing-certificate private key. This page states our gaps plainly — that candor is the point.

The credential-free promise

No password, OAuth secret, SCIM token, write-scope token, API key, or private key has a field anywhere in our forms or schemas.
Live Admin Assist is customer-controlled screen-share. The in-app form requires you to accept that BlueSky will not ask for or handle passwords, MFA, OAuth approvals, connector credentials, or private keys.

What we collect — and what we never collect

We do collect (config metadata + evidence)

  • Lead details: email, company, and how you found us.
  • Assessment answers: Claude purchase status, identity-provider type, and connector targets.
  • Setup profile: company, domain, admin emails, departments, connector targets, and policy preferences.
  • Task state: status, blockers, and the completion evidence (a screenshot URL or attestation) you choose to attach.
  • Connector selections and custom-connector requests (system name, owner email, auth-model name as text, and requirements).
  • Training assignments and completions, workflow-opportunity descriptions, live-assist requests, and operational exceptions.

We never collect

  • Identity-provider or admin passwords.
  • OAuth client secrets or write-scope tokens.
  • SCIM bearer tokens.
  • Customer API keys or service-account secrets.
  • Identity-provider signing-certificate private keys.
  • Your documents or chat content.
Honest nuance: admin email addresses are stored and not redacted — our redaction strips secrets and keys, not emails. They are PII and travel into the setup-profile context, making them our most sensitive field. We disclose it rather than hide it.

What BlueSky can and cannot see

BlueSky can see

  • Config values you paste: domain, identity-provider type, and connector targets.
  • Admin email addresses you provide — our most sensitive field, stored in the setup profile and not redacted.
  • Connector inventory and your approval choices.
  • Rollout counts and task status.
  • Setup screenshots and attestations you choose to attach.

BlueSky cannot see

  • Your identity-provider passwords, MFA, or write-scope tokens.
  • Your Claude or identity-provider admin console — we never log in as you.
  • OAuth approvals or connector credentials — those are entered in your own screens.
  • Your conditional-access policies after handoff.
  • Anything we do not ask for — there is no field for it.

Where your data lives

Residency is us-east-1 only. There is no multi-region replication; all customer data sits in the US. EU and other residency is not built.
Stores: DynamoDB (primary Launchpad table plus webhook, CRM-sync, and calendar-booking tables), S3 (assets and reports buckets), and Cognito for auth.
Encryption at rest: AWS KMS on all DynamoDB tables and S3 buckets, with key rotation enabled. All S3 public-access blocks are enabled and there are no public bucket policies.
BlueSky's own service secrets (billing, CRM, scheduling, support, and identity-provider app registrations) live in AWS Secrets Manager, read only by server-side functions. These are BlueSky's sub-processor secrets — separate from, and never including, your identity-provider credentials.

Retention & deletion

Data and retention today

  • Reports (S3 reports bucket): Auto-expire after 365 days.
  • DynamoDB records: No TTL — retained indefinitely until manual deletion. (gap)
  • S3 assets bucket: No lifecycle rule — retained indefinitely. (gap)
  • Async / dead-letter queue: 14 days.
No automated data-deletion endpoint or process exists today. Right-to-erasure requests are handled manually. Automated deletion is on the roadmap, not shipped.

Sub-processors

The third parties that process data on BlueSky's behalf, and exactly what each one receives. All inbound webhooks (Stripe, Calendly, Attio) are HMAC-SHA256 signature-verified before processing.

  • Stripe (Billing): Billing email, package intent, session and customer IDs.
  • Attio (CRM sync, outbound): Company, email, event type, and light metadata.
  • AWS SES (Email): Recipient email, company, and package or task names.
  • Calendly (Scheduling, inbound webhook): Name, email, and event URI.
  • Cognito (Auth): Email, temporary password, tenant ID, and group.
  • Verity (Support / feedback widget): Server token and widget IDs.
  • Vercel (Hosting): Deployment artifacts only — no customer data.
  • Google / Microsoft / SAML APIs (Optional read-only directory validation, Level 2): Read-only reads via BlueSky's own app with customer consent. Not in the starter package.

Compliance posture

BlueSky holds no SOC 2, ISO 27001/42001, or DPA/BAA. Our controls are an implementation plan, not a certification.
Anthropic holds the Claude certifications (SOC 2, ISO, HIPAA-eligible, GDPR). We configure customers to those controls; we do not inherit or re-sell them.
Our infrastructure is audit-supportive (CloudTrail, KMS, tenant isolation, RBAC) — but that is not a certification, and the setup evidence we store is self-attested screenshots, not audit-grade.
No DPA or sub-processor agreement template exists. A DPA plus this sub-processor list is the minimum a regulated buyer requires.

Known gaps & roadmap

The deficiencies a reviewer will find — disclosed, because hiding one discounts everything else.

Gap and status

  • Automated data deletion / right to erasure: Not built — handled manually on request.
  • DynamoDB TTL / retention schedule: Not built.
  • Formal incident response, break-glass owner, and DR: Not built.
  • DPA and sub-processor agreement template: Not built.
  • MFA enforcement (currently optional): Not built.
  • EU / non-US data residency: Not built.
  • SOC 2 / ISO (if a buyer requires it): Not committed.