Service Overview

Blueprint processes client-provided data entered by authorized employees or agents of the client (aka users) for the purpose of calculating borrower income as part of a mortgage underwriting or auditing process. Income calculations and analysis seek to satisfy agency guidelines for determining the borrower’s qualified income.   

Blueprint is not the controller of the data provided, we are a processor of the data.

Blueprint does not interact with the client’s borrowers.  

Blueprint is a Business to Business company and does not serve consumers directly.


Types of data collected

Blueprint collects different types of data depending on which product is being used and the person or entity in question.  The following tables describe the data based on the products.

Data collected on clients

Type of DataIncomeXpertIncomeXpert PLUS
Credit Card InformationYesYes


Data collected on users

Type of DataIncomeXpertIncomeXpert PLUS
Usage and analytics dataYesYes


Data collected on borrowers

Type of DataIncomeXpertIncomeXpert PLUS
Account NumbersNoNo


Usage and analytics data is collected to monitor the health and performance of the web application.  This data is used for diagnostic and troubleshooting purposes, detection of potential security and data breaches, and to support projecting user demand for scaling up/down computing resources.  The types of data collected are:

  • Login / logout events
  • Web pages accessed
  • Web page duration
  • IP address
  • Web browser type
  • Error logs


How data is collected

All data is collected via the Blueprint website.  Users of IncomeXpert or IncomeXpert PLUS interact with the Blueprint website to directly enter information, upload information, or interact with the site.  Data is not obtained through other channels or applications.


How is the data used

Blueprint processes client data entered by users for the purpose of calculating borrower income for the purpose of satisfying agency guidelines for qualified income determination.  Said plainly, Blueprint provides calculation and processing services using the data provided by users.  Blueprint is not the controller of the data provided, we are a processor of the data.


Data collected on clients is used for the following purposes

  • Billing and commercial transactions
  • Customer support
  • Change notifications
  • Incident response and remediation

Data collected on users is used for the following purposes

  • Customer support
  • Change notifications
  • Diagnostic and performance monitoring to improve and maintain the health and performance of the web application

Data collected on borrowers is used for the following purposes

  • Facilitation of mortgage income calculations, trending analysis
  • Borrower names are used for distinguishing multiple borrowers on a loan file for human reference purposes
  • Last-four of the SSN is used to map borrowers created in a Blueprint loan to uploaded tax and income documents for data extraction purposes.
  • EIN is used to map business tax documents to borrowers on the loan file
  • Addresses are used to identify real-estate owned as indicated on the Schedule E
  • Addresses can be included in the labeling of businesses owned or operated by the borrower


Third Parties

As a general policy, we use all data for internal purposes only. We do not sell or rent information about you. We will not disclose personal information to third parties without your consent.

If an authorized disclosure of information is fulfilled, a record of the request, data released, requesting party, and authorization for the requested information will be stored as a business record.



Blueprint cooperates with government and law enforcement officials to enforce and comply with the law. We may therefore disclose personal information, usage data, and any other information, if we deem that it is reasonably necessary to: (a) satisfy any applicable law, regulation, legal process (such as a subpoena or court order), or enforceable governmental request; (b) enforce the Terms of Use, including investigation of potential violations thereof; (c) detect, prevent, or otherwise address fraud, security or technical issues; or (d) protect against harm to the rights, property or safety of the Company, its users or the public, as required or permitted by law.

Blueprint does not operate or service borrowers in the European Union, and as such does not comply with GDPR regulations.  

Blueprint does do business with California residents, however CCPA and CPRA regulations do not apply to Blueprint.  Blueprint does NOT

  • Have gross revenue over $25 million
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.


Opt In/Out

The ability to opt in or opt out of data collection is not supported.  Blueprint collects the minimal necessary data to support efficient and effective business operations.  As such no optional data is available at the client or user level.  

Optionality is available at the borrower level whey by the users, at their discretion, and choose to not populate Borrower Name or Address information.  This information is only used as a convenient data label for users to refer to in the future, and is not used in any way for the processing or functionality of the product.  As such, anonymous data can be used such as Borrower One, Borrower Two, Property One, or Property Two.


Client Rights

You may ask us to confirm what information we hold in your account at any time, and request us to modify, update or delete such information.  We may ask you to verify your identity and for more information about your request.  We will not charge you for this unless your request is “manifestly unfounded or excessive”.  Where we are legally permitted to do so, we may refuse your request.  If we refuse your request we will always tell you the reasons for doing so.

As a Blueprint client you can make self-service requests about your data.  Users with administrative rights can access these reports.

  • File usage reports
  • Export of users

Clients have the right to request their data be deleted from the system.  Clients shall make requests to Blueprint Customer Support for data deletion.  Client requests will be independently validated prior to data deletion.

Borrower Rights

Blueprint is not a borrower-facing product and is intended for use by mortgage professionals.  While borrower data may be retained in our systems, Blueprint will direct all borrowers to the client for data management questions.  At the direction of a client, borrower data can be erased from the system.


Data Storage

Blueprint maintains safeguards which include technical and organizational security measures to protect your data from loss, misuse, unauthorized use, access, inadvertent disclosure, alteration, and destruction.

We update and test security on an ongoing basis and restrict access to your data to only those who need to know in order to provide Blueprint’s products, content or services to you.



Storage Location

We store client data using United States based Microsoft’s servers. Microsoft does not use or have access to your personal data other than for cloud storage and retrieval, and Blueprint requires these entities to employ at least the same level of security that we use to protect client data.


Data Transmissions

Blueprint uses encryption when transmitting and receiving data from clients.  Data is gathered from clients via our website.  The Blueprint website is protected with a SSL certificate using a minimum of TLS 1.2.


Data Encryption

Once data is received from clients, it is stored and encrypted.  The encryption keys are unique, symmetric, and securely managed by the data center provider.  The encryption algorithm is AES 256.


Data Backup

To limit potential data breach and limit the attack surface, only required information is backed up.

Business critical data is backed up by locally and geographically diverse locations.  

Non-business critical data is only locally backed up.


Data Retention

Per the Terms of Service client data is automatically purged periodically unless otherwise agreed with the client.  IncomeXpert data is maintained for a period of 3 years for Enterprise clients.  Data older than 3 years is purged nightly from the system.


Asset Management

All assets that interface with Blueprint or customer data shall be managed.

All Blueprint owned assets shall be tracked for

  • Owner
  • Model & serial number
  • Type of asset
  • Location
  • Status

All company leased assets shall be digitally tracked through a management portal.  Leased assets are virtual machines, databases, and storage accounts.  The cloud service provider enables online asset management, automated inventory, and disposal.

The disposal of leased assets is managed by the cloud service provider and their policies.  Refer to cloud service provider SOC 2 report.

The disposal of company owned assets follows a managed process.  Blueprint owned assets are wiped clean of all company and client data prior to disposal.  Upon separation from the company, employees are instructed to return all company owned assets.


Data Quality

Blueprint will ensure the user entered data is correctly transmitted, stored, and retrieved whenever it is accessed by authorized users.

Users have the responsibility to ensure the data they enter is correct and not fraudulent.


Data Access

Blueprint uses role-based access controls for internal as well as external users  Additionally Blueprint segments client data to ensure only users associated with a particular client can access the data associated with that client. Refer to the Access Control Policy for full details.



All users and staff must authenticate prior to accessing any company or client data.


Client Authentication

User authentication is controlled by user ID and passwords are reset every 90 days and following a strong password policy.  The password policy requires a minimum of 8 alphanumeric characters and one non-alphanumeric character.

Clients can setup and configure single-sign-on for authentication to Blueprint.


Employee Authentication

User authentication is controlled by user ID and passwords are reset every 90 days and following a strong password policy.  The password policy requires a minimum of 8 alphanumeric characters and one non-alphanumeric character.

Employee authentication is controlled by two-factor authentication when the employee has DevOps access to source code, database, and record storage.

Employee authentication for non-DevOps staff is the same as user authentication.



Blueprint uses role based access controls for internal staff and clients.  Refer to the Access Control Policy for full details.


Data Disposal

Data is automatically deleted when it is no longer needed or being utilized by the client.  

Blueprint regularly reviews users on accounts and removes user access when the user has not been active on the platform for 180 days (Premium accounts) or 365 days (Teams/Enterprise) accounts.  The deletion of users does not delete that user’s data.  Deletion of the user account only removes that user’s access to the client’s data.

When the number of active users on an account reaches zero, the client account is deleted.  Deleting the client account will delete all loans and data associated with the client.  The deletion of client accounts is limited to Premium and Teams tiers.  Enterprise accounts are manually reviewed and deleted, if required.


Data Breach

Blueprint uses the diagnostic monitoring and analytics data collected to identify and remediate data breaches should they occur.  In the event of a detected data breach the Blueprint team will take swift action to cease any ongoing data leakage.  This remediation may result in a lack of system availability.  When it is safe to do so, the Blueprint team will restore access to the web application and complete the remediation of the data breach.

At the onset of a detected data breach Blueprint will communicate to our clients the status and nature of the detected data breach.  Clients will be kept informed throughout the remediation process through email and status banners on our website.

A record of the data breach will be stored as a business record.

Refer to the Blueprint Disaster and Recovery Plan for more information


Antivirus & Malware

The cloud service provider manages antivirus and antimalware software and provides a Platform as a Service model for the Blueprint application services.  The cloud service provider maintains and updates the antivirus software and antimalware software automatically.  For more information refer to the SOC 2 report by the cloud service provider.

Blueprint configures all virtual machines with antimalware software.  Protection is configured to be real-time and system scans are conducted weekly outside operating hours.


Patching and Updates

OS and runtime patching is managed by the cloud service provider.  Refer to the cloud service provider SOC 2 audit report for more information.  Updates are pushed on a monthly basis for all application services as well as virtual machines.  Zero day vulnerabilities are managed on a case by case basis.


Vendor Management

Blueprint minimizes the number of vendors wherever possible.

Blueprint restricts vendors with access to client data to a single cloud service providers.  Blueprint currently maintains all data and computing resources in the Microsoft Azure ecosystem.  Microsoft Azure has their own SOC 2 report that can be reviewed as needed.

Blueprint uses other tools and service vendors for executing business activities.  These vendors do not have access to client data and are assessed as low risk to information security, availability, and processing integrity.


Risk Management

Blueprint employs a risk management program that supports

  • Risk identification
  • Risk analysis
  • Risk mitigation
  • Risk monitoring


The scope of risk management includes the following

  • Privacy
  • Information security
  • System availability


Risks can be identified and enter the risk management workflow at any time.  However on an annual basis the catalog of identified risks are reviewed to evaluate if they are still risks and the efficacy of the mitigations.


Risks are assessed by estimating their severity and likelihood.  The severity and likelihood are entered into a risk scoring matrix to determine the final risk assessment.  


Scope Considerations

The following outlines the considerations for each of the risk management scopes


  • Data collected on borrower
  • Data collected on clients
  • Data collected on users


Information Security

  • Data access
  • Data encryption
  • Data transport
  • Data storage
  • Data destruction


System Availability

  • System functional architecture
  • System physical architecture
  • SLA


Threat Management

Blueprint employs an active threat management system to monitor our security posture and notify system administrators of anomalous activity or system degradation.  The scope of threat management includes

  • Networking log analysis
  • Data egress log analysis
  • System resource change log analysis
  • Login / authentication log analysis
  • Update / patch management
  • Secure baseline deviations in system configuration
  • Penetration testing results
  • System availability
  • Data backup log analysis


The threat management system employs a number of automated systems to regularly scan system configurations, log files, and test results.  Alerts are automatically routed to DevOps staff for degradations or anomalies detected in the system.  Additionally the status of the threat management scope items are manually reviewed on a weekly basis by DevOps personnel.

A SIEM is used to support the DevOps team in reviewing and aggregating log information. Anomalies are raised and tracked through to issue resolution using the SIEM.

If appropriate, identified threats may trigger the Disaster Recovery and Mitigation Plan which would involve the notification of impacted stakeholders.  Refer to Disaster Mitigation and Recovery Plan for more information.


Security Awareness Training

Blueprint conducts security awareness training for all new hires during the on-boarding process.  Additionally current employees are retrained annually.  Security awareness training addresses the following topic areas.

  • Intro to cybersecurity
  • Phishing
  • Information Security
  • Secure Browsing
  • Passwords
  • Removable Media
  • Privacy
  • Confidential Information


How to contact us

Clients can proactively reach out to Blueprint through the following communication channels.