Overview
We have strict standards of security to safeguard your data and that of your borrowers. We have physical, electronic, and procedural safeguards in place to control and safeguard sensitive information.
We feel security starts by keeping employee access limited. Thus we follow a least-privledge model for employees as well as client access to data. This means Blueprint employees as well as users only have access to the data they require to execute their jobs. Blueprint maintains all data domestically in Microsoft data centers.
Service Overview
Blueprint processes client-provided data entered by authorized employees or agents of the client (aka users) for the purpose of calculating borrower income as part of a mortgage underwriting process. Income calculations and analysis seek to satisfy agency guidelines for determining the borrower’s qualified income.
Blueprint is not the controller of the data provided, we are a processor of the data.
Blueprint does not interact with the client’s borrowers.
Blueprint is a Business to Business company and does not serve consumers directly.
Types of data collected
Blueprint collects different types of data depending on which product is being used and the person or entity in question. The following tables describe the data based on the products.
Data collected on clients
| Type of Data | IncomeXpert | IncomeXpert PLUS |
| Name | Yes | Yes |
| Yes | Yes | |
| Credit Card Information | Yes | Yes |
Data collected on users
| Type of Data | IncomeXpert | IncomeXpert PLUS |
| Name | Yes | Yes |
| Yes | Yes | |
| Usage and analytics data | Yes | Yes |
Data collected on borrowers
| Type of Data | IncomeXpert | IncomeXpert PLUS |
| Name | Optional | Optional |
| SSN | No | Yes |
| EIN | No | Yes |
| Address | Optional | Yes |
| Employer | Optional | Yes |
| Income | Yes | Yes |
| Account Numbers | No | No |
Usage and analytics data is collected to monitor the health and performance of the web application. This data is used for diagnostic and troubleshooting purposes, detection of potential security and data breaches, and to support projecting user demand for scaling up/down computing resources. The types of data collected are:
- Login / logout events
- Web pages accessed
- Web page duration
- IP address
- Web browser type
- Error logs
How data is collected
All data is collected via the Blueprint website. Users of IncomeXpert or IncomeXpert PLUS interact with the Blueprint website to directly enter information, upload information, or interact with the site. Data is not obtained through other channels or applications.
How is the data used
Blueprint processes client data entered by users for the purpose of calculating borrower income for the purpose of satisfying agency guidelines for qualified income determination. Said plainly, Blueprint provides calculation and processing services using the data provided by users. Blueprint is not the controller of the data provided, we are a processor of the data.
Data collected on clients is used for the following purposes
- Billing and commercial transactions
- Customer support
- Change notifications
- Incident response and remediation
Data collected on users is used for the following purposes
- Customer support
- Change notifications
- Diagnostic and performance monitoring to improve and maintain the health and performance of the web application
Data collected on borrowers is used for the following purposes
- Facilitation of mortgage income calculations, trending analysis
- Borrower names are used for distinguishing multiple borrowers on a loan file for human reference purposes
- Last-four of the SSN is used to map borrowers created in a Blueprint loan to uploaded tax and income documents for data extraction purposes.
- EIN is used to map business tax documents to borrowers on the loan file
- Addresses are used to identify real-estate owned as indicated on the Schedule E
- Addresses can be included in the labeling of businesses owned or operated by the borrower
Third Parties
As a general policy, we use all data for internal purposes only. We do not sell or rent information about you. We will not disclose personal information to third parties without your consent.
If an authorized disclosure of information is fulfilled, a record of the request, data released, requesting party, and authorization for the requested information will be stored as a business record.
Compliance
Blueprint cooperates with government and law enforcement officials to enforce and comply with the law. We may therefore disclose personal information, usage data, and any other information, if we deem that it is reasonably necessary to:
(a) satisfy any applicable law, regulation, legal process (such as a subpoena or court order), or enforceable governmental request;
(b) enforce the Terms of Use, including investigation of potential violations thereof;
(c) detect, prevent, or otherwise address fraud, security or technical issues; or
(d) protect against harm to the rights, property or safety of the Company, its users or the public, as required or permitted by law.
Blueprint does not operate or service borrowers in the European Union, and as such does not comply with GDPR regulations.
Blueprint does do business with California residents, however CCPA and CPRA regulations do not apply to Blueprint. Blueprint does NOT
- Have gross revenue over $25 million
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
Opt In/Out
The ability to opt in or opt out of data collection is not supported. Blueprint collects the minimal necessary data to support efficient and effective business operations. As such no optional data is available at the client or user level.
Optionality is available at the borrower level whey by the users, at their discretion, and choose to not populate Borrower Name or Address information. This information is only used as a convenient data label for users to refer to in the future, and is not used in any way for the processing or functionality of the product. As such, anonymous data can be used such as Borrower One, Borrower Two, Property One, or Property Two.
Client Rights
You may ask us to confirm what information we hold in your account at any time, and request us to modify, update or delete such information. We may ask you to verify your identity and for more information about your request. We will not charge you for this unless your request is “manifestly unfounded or excessive”. Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so.
As a Blueprint client you can make self-service requests about your data. Users with administrative rights can access these reports.
- File usage reports
- Export of users
Clients have the right to request their data be deleted from the system. Clients shall make requests to Blueprint Customer Support for data deletion. Client requests will be independently validated prior to data deletion.
Borrower Rights
Blueprint is not a borrower-facing product and is intended for use by mortgage professionals. While borrower data may be retained in our systems, Blueprint will direct all borrowers to the client for data management questions. At the direction of a client, borrower data can be erased from the system.
Data Storage
Blueprint maintains safeguards which include technical and organizational security measures to protect your data from loss, misuse, unauthorized use, access, inadvertent disclosure, alteration, and destruction.
We update and test security on an ongoing basis and restrict access to your data to only those who need to know in order to provide Blueprint’s products, content or services to you.
Data Quality
Blueprint will ensure the user entered data is correctly transmitted, stored, and retrieved whenever it is accessed by authorized users.
Users have the responsibility to ensure the data they enter is correct and not fraudulent.
Data Access
Blueprint uses role-based access controls for internal as well as external users Additionally Blueprint segments client data to ensure only users associated with a particular client can access the data associated with that client. Refer to the Access Control Policy for full details.
Authentication
All users and staff must authenticate prior to accessing any company or client data.
Client Authentication
User authentication is controlled by user ID and passwords are reset every 90 days and following a strong password policy. The password policy requires a minimum of 8 alphanumeric characters and one non-alphanumeric character.
Clients can setup and configure single-sign-on for authentication to Blueprint.
Employee Authentication
User authentication is controlled by user ID and passwords are reset every 90 days and following a strong password policy. The password policy requires a minimum of 8 alphanumeric characters and one non-alphanumeric character.
Employee authentication is controlled by two-factor authentication when the employee has DevOps access to source code, database, and record storage.
Employee authentication for non-DevOps staff is the same as user authentication.
Authorization
Blueprint uses role based access controls for internal staff and clients. Refer to the Access Control Policy for full details.
Storage Location
We store client data using United States based Microsoft’s servers. Microsoft does not use or have access to your personal data other than for cloud storage and retrieval, and Blueprint requires these entities to employ at least the same level of security that we use to protect client data.
Data Transmissions
Blueprint uses encryption when transmitting and receiving data from clients. Data is gathered from clients via our website. The Blueprint website is protected with a SSL certificate using a minimum of TLS 1.2.
Data Encryption
Once data is received from clients, it is stored and encrypted. The encryption keys are unique, symmetric, and securely managed by the data center provider. The encryption algorithm is AES 256.
Data Backup
To limit potential data breach and limit the attack surface, only required information is backed up.
Business critical data is backed up by locally and geographically diverse locations.
Non-business critical data is only locally backed up.
Data Retention
Per the Terms of Service client data is automatically purged periodically unless otherwise agreed with the client. IncomeXpert data is maintained for a period of 3 years for Enterprise clients. Data older than 3 years is purged nightly from the system.
Data Disposal
Data is automatically deleted when it is no longer needed or being utilized by the client.
Blueprint regularly reviews users on accounts and removes user access when the user has not been active on the platform for 180 days (Premium accounts) or 365 days (Teams/Enterprise) accounts. The deletion of users does not delete that user’s data. Deletion of the user account only removes that user’s access to the client’s data.
When the number of active users on an account reaches zero, the client account is deleted. Deleting the client account will delete all loans and data associated with the client. The deletion of client accounts is limited to Premium and Teams tiers. Enterprise accounts are manually reviewed and deleted, if required.
Data Breach
Blueprint uses the diagnostic monitoring and analytics data collected to identify and remediate data breaches should they occur. In the event of a detected data breach the Blueprint team will take swift action to cease any ongoing data leakage. This remediation may result in a lack of system availability. When it is safe to do so, the Blueprint team will restore access to the web application and complete the remediation of the data breach.
At the onset of a detected data breach Blueprint will communicate to our clients the status and nature of the detected data breach. Clients will be kept informed throughout the remediation process through email and status banners on our website.
A record of the data breach will be stored as a business record.
Refer to the Blueprint Disaster and Recovery Plan for more information
Threat Management
Blueprint employs an active threat management system to monitor our security posture and notify system administrators of anomalous activity or system degradation. The scope of threat management includes
- Networking log analysis
- Data egress log analysis
- System resource change log analysis
- Login / authentication log analysis
- Update / patch management
- Secure baseline deviations in system configuration
- Penetration testing results
- System availability
- Data backup log analysis
The threat management system employs a number of automated systems to regularly scan system configurations, log files, and test results. Alerts are automatically routed to Blueprint staff for degradations or anomalies detected in the system. Additionally the status of the threat management scope items are manually reviewed on a weekly basis by Blueprint personnel.
A SIEM is used to support the Blueprint team in reviewing and aggregating log information. Anomalies are raised and tracked through to issue resolution using the SIEM.
If appropriate, identified threats may trigger the Disaster Recovery and Mitigation Plan which would involve the notification of impacted stakeholders.