Security

How we protect your data and maintain system integrity

Security-First Architecture

GlyphNet is built with security as a foundational principle. We employ defense-in-depth strategies, encrypt all data at rest and in transit, and undergo regular third-party security assessments to ensure your data remains protected.

Compliance

SOC 2 Type II

Annual audit covering security, availability, processing integrity, confidentiality, and privacy.

GDPR Compliant

Full compliance with EU data protection regulations including data portability and right to erasure.

CCPA Compliant

California Consumer Privacy Act compliance with opt-out mechanisms and data access requests.

HIPAA Ready

Enterprise plans include BAA agreements for healthcare applications handling PHI.

Data Handling

Data Processing

Text submitted for verification is processed in real-time
No customer content is stored after processing (stateless API)
Aggregated usage metrics are retained for billing and analytics
Enterprise customers can opt into request logging for debugging

Data Retention

API requests: Not stored (processed and discarded)
Account data: Retained while account is active
Billing records: 7 years (legal requirement)
Audit logs: 90 days rolling

Data Deletion

Upon account deletion, all personal data is permanently removed within 30 days. Request deletion via privacy@glyphnet.io.

Encryption

Layer	Standard	Details
In Transit	TLS 1.3	All API communication, HSTS enabled
At Rest	AES-256	Database, backups, all storage
API Keys	Argon2id	Hashed, never stored in plaintext
Secrets	KMS	AWS KMS for key management

Infrastructure Security

Cloud Platform

Hosted on AWS with multi-AZ deployment
Vercel edge network for API delivery
DDoS protection via Cloudflare
99.95% uptime SLA (Enterprise)

Network Security

WAF (Web Application Firewall)
Rate limiting per API key
IP allowlisting (Enterprise)
VPC isolation for databases

Access Control

Role-based access (RBAC)
Multi-factor authentication
SSO via SAML 2.0 (Enterprise)
Principle of least privilege

Monitoring

24/7 security monitoring
Automated threat detection
Real-time alerting
Incident response team

Authentication & Authorization

API Authentication

API keys with gn_live_ and gn_test_ prefixes
Keys are 32 bytes of cryptographically secure random data
Revocable instantly via dashboard
Automatic rotation available (Enterprise)

Dashboard Authentication

OAuth 2.0 via Google and GitHub
Session-based with secure HTTP-only cookies
CSRF protection on all forms
Automatic session expiration after 7 days

Vulnerability Management

Security Testing

Annual penetration testing by third-party firm
Continuous automated vulnerability scanning
Static code analysis on every deployment
Dependency scanning for known CVEs

Responsible Disclosure

We welcome security researchers to report vulnerabilities responsibly.

Report to: security@glyphnet.io
PGP key available upon request
Safe harbor for good-faith research
Response within 48 hours

Incident Response

Our incident response plan follows industry best practices:

Detection - Automated monitoring identifies potential incidents
Triage - Security team assesses severity and impact
Containment - Immediate steps to limit damage
Eradication - Root cause identified and removed
Recovery - Systems restored to normal operation
Notification - Affected customers notified within 72 hours
Post-mortem - Lessons learned documented and shared

Business Continuity

Backups

Continuous database replication
Daily encrypted backups
30-day backup retention
Cross-region backup storage

Disaster Recovery

RTO: < 4 hours
RPO: < 1 hour
Annual DR testing
Multi-region failover capability

Security Contact

For security concerns, vulnerability reports, or compliance inquiries:

Security Team: security@glyphnet.io
Privacy Officer: privacy@glyphnet.io
Compliance: compliance@glyphnet.io

Trust Center

Enterprise customers can request our SOC 2 report, penetration test summary, and security questionnaire responses via security@glyphnet.io.