1. Authentication & authorization
- OAuth + JWT; session scoping; no silent perpetual sessions.
- RBAC at organization/project level (owner / member / viewer).
2. Data protection
- In transit: TLS 1.2 or higher.
- At rest: Encrypted storage for databases and files; secrets in managed vaults (or environment-specific KMS).
- Passwords: Both OAuth (federated login) and email+password login are supported. Passwords are managed via Supabase Auth and are hashed with bcrypt before storage; no plaintext password is ever stored.
3. Application security
- Input validation via schema and ORM.
- XSS protection and markdown sanitization.
- CSRF mitigations: Authentication cookies are issued with HttpOnly, Secure, and SameSite flags (Lax for access tokens, Strict for refresh tokens), reducing exposure to cross-site request forgery.
- Rate limiting & abuse controls on auth and API endpoints (progressively rolled out).
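The cookie attributes listed above can be both enforced at issuance and audited on existing responses. The following is an added example, not Glidely's code: it serializes auth cookies with the HttpOnly, Secure and SameSite attributes (Lax for the access token, Strict for the refresh token) and audits an arbitrary Set-Cookie header for the protections the policy calls for. Cookie names (access_token, refresh_token), lifetimes and paths are assumptions chosen for illustration.

```javascript
// Added example (not Glidely's code). Cookie names, Max-Age values and paths
// are assumed for illustration; the attribute set mirrors the policy above.

// Build a Set-Cookie header value with the hardening attributes always present.
function serializeCookie(name, value, { maxAgeSeconds, sameSite, path = "/" }) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error("invalid cookie name");
  if (!["Lax", "Strict"].includes(sameSite)) {
    throw new Error("auth cookies must use SameSite=Lax or SameSite=Strict");
  }
  return [
    `${name}=${encodeURIComponent(value)}`,
    `Path=${path}`,
    `Max-Age=${maxAgeSeconds}`, // explicit lifetime: no silent perpetual sessions
    "HttpOnly",                 // not readable from script (limits XSS token theft)
    "Secure",                   // only sent over TLS
    `SameSite=${sameSite}`,     // not sent on cross-site requests (CSRF)
  ].join("; ");
}

// Short-lived access token: Lax so top-level navigations still carry it.
function accessTokenCookie(token) {
  return serializeCookie("access_token", token, { maxAgeSeconds: 900, sameSite: "Lax" });
}

// Longer-lived refresh token: Strict, it is only ever posted to the refresh endpoint.
function refreshTokenCookie(token) {
  return serializeCookie("refresh_token", token, { maxAgeSeconds: 7 * 24 * 3600, sameSite: "Strict" });
}

// Parse a Set-Cookie header value and list the protections it is missing.
// Returns { name, findings } where findings is empty for a compliant cookie.
function auditSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((p) => p.trim());
  const name = nameValue.split("=")[0];
  const flags = new Map();
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    flags.set(k.toLowerCase(), v === undefined ? true : v);
  }

  const findings = [];
  if (!flags.has("httponly")) {
    findings.push("missing HttpOnly: cookie readable by page script");
  }
  if (!flags.has("secure")) {
    findings.push("missing Secure: cookie may be sent over plaintext HTTP");
  }
  const sameSite = flags.has("samesite") ? String(flags.get("samesite")).toLowerCase() : undefined;
  if (sameSite === undefined || sameSite === "none") {
    findings.push("SameSite absent or None: cookie sent on cross-site requests (CSRF exposure)");
  }
  if (!flags.has("max-age") && !flags.has("expires")) {
    findings.push("no Max-Age/Expires: server does not bound the cookie lifetime");
  }
  // Policy rule from the section above: refresh tokens are SameSite=Strict.
  if (/refresh/i.test(name) && sameSite !== "strict") {
    findings.push("refresh token cookie is not SameSite=Strict");
  }
  return { name, findings };
}

// Constructed sample headers: one compliant pair and two weak cookies.
const sampleHeaders = [
  accessTokenCookie("example-access-token"),
  refreshTokenCookie("example-refresh-token"),
  "sid=12345; Path=/",
  "refresh_token=r; HttpOnly; Secure; SameSite=Lax; Max-Age=60",
];

for (const h of sampleHeaders) {
  const { name, findings } = auditSetCookie(h);
  console.log(name, findings.length === 0 ? "OK" : findings);
}
```

Run the audit over the Set-Cookie headers of a real login response (for example from a browser's network panel or an integration test) to confirm that the issued cookies carry every attribute the policy promises; a refresh cookie that comes back as Lax or without a lifetime is a finding, not a style choice.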
4. Logging & monitoring
- Centralized error and performance telemetry.
- Usage metrics for tokens, tool calls, and timestamps.
- Change history for documents and key admin actions.
5. Business continuity & backups
- Regular database backups with integrity checks; retention schedules are defined in our Business Continuity / Disaster Recovery (BC/DR) Plan and may vary by data tier.
6. Vulnerability & incident response
- Patch management with risk-based prioritization.
- Coordinated vulnerability disclosure channel (security@glidely.ai).
- Breach notification: we notify customers without undue delay; where law requires, we notify regulators and affected users within 72 hours of awareness.
- Post-incident review and preventive actions documented.
7. Compliance posture
- We maintain a formal information security program and are currently undergoing a SOC 2 Type II examination covering Security, Availability, and Confidentiality (auditor: Sensiba; compliance platform: Vanta). A summary or report can be provided under NDA on request.
- Where applicable, we support data subject rights (such as access and deletion) under privacy laws including CCPA, via our DPA and privacy request process.
Appendices
A. Data Processing Addendum
- Roles: Customer = Controller; Glidely = Processor.
- Subject matter & duration: provision of the Service for the subscription term.
- Nature & purpose: hosting, indexing, generation, collaboration.
- Categories of data subjects: customer users and their vendors/contacts.
- Categories of personal data: identifiers, professional info, communications metadata, documents.
- Subprocessing: information about subprocessors (e.g., cloud infrastructure, AI providers) is available upon request. Customers will be notified of material changes and may raise objections in accordance with the DPA.
- Security measures: as per Security Policy.
- International transfers: Currently US-only infrastructure. If future international transfers are required, SCCs will be implemented; transfer impact assessment on request.
- Deletion/return: at termination or upon request.
B. AI usage commitments
- No training of general-purpose third-party models on customer content without express opt-in.
- AI usage is transparent and configurable; enterprise customers may request additional audit rights via contract.