Security Policy

Our commitment to protecting your data and maintaining security

1. Authentication & authorization

  • OAuth + JWT; session scoping; no silent perpetual sessions.
  • RBAC at organization/project level (owner / member / viewer).

2. Data protection

  • In transit: TLS 1.3 (or higher)
  • At rest: Encrypted storage for databases and files; secrets in managed vaults (or environment-specific KMS).
  • Passwords: Both OAuth (federated login) and email+password login are supported. Passwords are managed via Supabase Auth and are hashed with bcrypt before storage; no plaintext is ever stored.

3. Application security

  • Input validation via schema and ORM.
  • XSS protection and markdown sanitization.
  • CSRF mitigations: Authentication cookies are issued with HttpOnly, Secure, and SameSite flags (Lax for access tokens, Strict for refresh tokens), reducing exposure to cross-site request forgery.
  • Rate limiting & abuse controls on auth and API endpoints (progressively rolled out).

4. Logging & monitoring

  • Centralized error and performance telemetry.
  • Usage records covering tokens, tool calls and timestamps.
  • Change history for documents and key admin actions.

5. Business continuity & backups

  • Regular database backups with integrity checks; 30-day retention period.

6. Vulnerability & incident response

  • Patch management with risk-based prioritization.
  • Coordinated vulnerability disclosure channel (security@glidely.ai).
  • Breach notification: we notify customers without undue delay; where law requires, we notify regulators and affected users within 72 hours of awareness.
  • Post-incident review and preventive actions documented.

7. Compliance posture

  • Alignment with SOC 2 (Security, Availability, Confidentiality) and ISO/IEC 27001 controls; Type II audit is planned on the public roadmap.
  • Mapping to NIST CSF 2.0 functions for continuous improvement.
  • Support for GDPR/CCPA rights via our DPA and admin tools.

Appendices

A. Data Processing Addendum

  • Roles: Customer = Controller; Glidely = Processor.
  • Subject matter & duration: provision of the Service for the subscription term.
  • Nature & purpose: hosting, indexing, generation, collaboration.
  • Categories of data subjects: customer users and their vendors/contacts.
  • Categories of personal data: identifiers, professional info, communications metadata, documents.
  • Subprocessing: information about subprocessors (e.g., cloud infrastructure, AI providers) is available upon request. Customers will be notified of material changes and may raise objections in accordance with the DPA.
  • Security measures: as per Security Policy.
  • International transfers: Currently US-only infrastructure. If future international transfers are required, SCCs will be implemented; transfer impact assessment on request.
  • Deletion/return: at termination or upon request.

B. AI usage commitments

  • No training of general-purpose third-party models on customer content without express opt-in.
  • AI usage is transparent and configurable; enterprise customers may request additional audit rights via contract.

Company Information

Entity: Glidely, Inc. (Delaware)

Location: San Francisco, CA

Document Details

Version: 1.0.0

Effective: 2025-09-28