Security Policy

How we protect customer data and infrastructure — and how to report a vulnerability if you find one.

Certifications & compliance

• SOC 2 Type II — Annual audit by an independent firm. Report available under NDA.
• ISO 27001 ISMS — Aligned controls; full certification in progress for 2026.
• HIPAA — Available on Enterprise plans with a signed BAA.
• GDPR — DPA available; EU data-residency options on Frankfurt region.
• India DPDP Act 2023 — Local data residency on Mumbai/Bangalore by default.
• PCI-DSS — We do not store cardholder data; payment processing is delegated to PCI-Level-1 providers.

Data protection

In transit

• TLS 1.3 with modern cipher suites (AES-256-GCM, ChaCha20-Poly1305) on every external endpoint.
• mTLS between all internal services using SPIFFE identities.
• HSTS enforced; HTTP automatically redirected.
• Certificate transparency monitoring; certificates rotated automatically.

At rest

• AES-256-GCM volume-level encryption on every disk.
• Database-level transparent data encryption (TDE) with rotated keys.
• Customer-managed keys via HSM or your KMS available on Enterprise plans.
• Backups encrypted with separate keys; tested restores monthly.

In use

• Confidential Computing options on supported hardware (AMD SEV-SNP, Intel TDX where available).
• Memory wiped between tenant sessions on shared infrastructure.
• Audit logging on every access to customer cluster admin interfaces.

Identity & access

• SSO via SAML 2.0 / OIDC for customer console (mandatory on Enterprise).
• MFA required for all Glixy employees with production access; hardware keys (YubiKey) issued.
• Role-based access control (RBAC) with attribute-based extensions for fine-grained permissions.
• Just-in-time, audited admin grants for customer cluster access — every session logged with reason and reviewer.
• Session timeout 12 hours for customers, 4 hours for Glixy operators.

Network security

• VPC isolation per customer; no shared layer-2 between tenants.
• Default-deny firewall posture; explicit allow rules required for ingress.
• DDoS protection at the edge (Cloudflare for our marketing site, custom scrubbing for customer endpoints).
• Web Application Firewall on console endpoints.
• Anomaly detection on east-west traffic; alerts sent to security on-call.

Application security

• SAST + DAST on every pull request (CodeQL + Semgrep).
• Container image scanning (Trivy) on every build; high/critical CVEs block merge.
• Dependency scanning (Dependabot) with weekly review.
• Annual third-party penetration test; findings fixed before publication of next quarter's release.
• Internal red-team exercises twice a year.

Operational security

• Production access requires MFA + a signed access request reviewed by a peer.
• All production changes deployed via CI/CD; no SSH-in-and-edit allowed.
• Centralized log aggregation; 13-month retention; tamper-evident.
• Background checks on all employees with access to customer data.
• Annual security training; phishing simulations every quarter.

Incident response

We maintain a published incident response plan with named on-call rotations 24/7. Severity-1 incidents trigger paging within 1 minute of detection. Customer notification SLA:

• Confirmed customer-data breach: within 24 hours of confirmation.
• Service availability incident: public update on status.glixy.com within 15 minutes of detection.
• Suspected anomaly under investigation: proactive notification at our discretion if risk warrants.

Vulnerability disclosure

If you believe you've found a security vulnerability, please email security@glixy.com. Use our PGP key (fingerprint published in /.well-known/security.txt) for sensitive details. We commit to:

• Acknowledge receipt within 24 hours.
• Provide an initial assessment within 5 business days.
• Keep you informed throughout the investigation.
• Credit you publicly (with your permission) when the fix is shipped.

We don't pursue legal action against good-faith security research that follows responsible disclosure: don't access data beyond proof-of-concept, don't degrade the service, and give us reasonable time to fix before public disclosure.

Subprocessors

The list of third-party processors we use is published in our Privacy Policy. Material additions are announced 30 days in advance to give customers time to object.

Need our SOC 2 report, audit letters, or pen-test summary? Email trust@glixy.com with an NDA.