Security & Trust

12 min read. Last updated: Jan 7, 2026

Quick Summary

  • We're SOC 2 Type II and ISO 27001 certified. HIPAA compliance available for Enterprise.
  • All data is encrypted at rest (AES-256) and in transit (TLS 1.3).
  • We use AWS infrastructure with multi-AZ deployment, DDoS protection, and 24/7 monitoring.
  • Regular penetration testing, vulnerability scanning, and security audits by third parties.
  • Found a vulnerability? Report to support@glincker.com — we have a responsible disclosure program.

At glincker, security is foundational to everything we build. This page describes our security practices, certifications, and commitments to protecting your data.

Our Security Commitment

We understand that you trust us with important documents and sensitive information. We take that responsibility seriously and have built glincker with security as a core principle, not an afterthought.

Security Certifications & Compliance

Current Certifications

| Certification | Status | Last Audit |
| ------------- | ------------------------ | -------------- |
| SOC 2 Type II | ✓ Certified | October 2025 |
| ISO 27001 | ✓ Certified | September 2025 |
| GDPR | ✓ Compliant | Ongoing |
| CCPA/CPRA | ✓ Compliant | Ongoing |
| HIPAA | ✓ Available (Enterprise) | Upon Request |

Compliance Reports

Enterprise and Team customers can request copies of our:

  • SOC 2 Type II Report
  • ISO 27001 Certificate
  • Penetration Test Summary
  • Security Questionnaire Responses

Contact support@glincker.com to request documents.

Infrastructure Security

Cloud Infrastructure

  • Provider: Amazon Web Services (AWS) with multi-region deployment
  • Data Centers: SOC 1/2/3, ISO 27001, PCI DSS Level 1 certified facilities
  • Regions: US (primary), EU (for EU customers), with additional regions available for Enterprise
  • Redundancy: Multi-AZ deployment with automatic failover

Network Security

  • DDoS protection via AWS Shield and Cloudflare
  • Web Application Firewall (WAF) with custom rule sets
  • TLS 1.3 encryption for all data in transit
  • Private VPC with strict network segmentation
  • Regular vulnerability scanning and penetration testing

Physical Security

Our infrastructure is hosted in AWS facilities with:

  • 24/7 security personnel and video surveillance
  • Biometric access controls
  • Fire detection and suppression systems
  • Redundant power and cooling

Data Security

Encryption

| Data State | Encryption Standard |
| -------------- | ------------------------------------ |
| In Transit | TLS 1.3 (AES-256-GCM) |
| At Rest | AES-256 |
| Backups | AES-256 with separate key management |
| Key Management | AWS KMS with HSM backing |

Data Isolation

  • Multi-tenant Architecture: Logical separation with tenant ID enforcement
  • Database Security: Row-level security policies, encrypted connections
  • Enterprise Option: Dedicated database instances available

Data Retention & Deletion

  • Active data retained while account is active
  • Deleted data purged within 30 days
  • Backups retained for 90 days, then securely destroyed
  • GDPR/CCPA deletion requests honored within 30 days

Application Security

Secure Development Lifecycle

  • Security training for all developers
  • Code review required for all changes
  • Automated security scanning in CI/CD (SAST, DAST)
  • Dependency vulnerability scanning (Snyk, Dependabot)
  • Regular security audits by third parties

Authentication & Access Control

| Feature | Description |
| --------------------------- | --------------------------------------------------------- |
| Password Security | bcrypt hashing, complexity requirements, breach detection |
| Multi-Factor Authentication | TOTP, WebAuthn/FIDO2, SMS (backup only) |
| Single Sign-On (SSO) | SAML 2.0, OIDC (Enterprise) |
| Session Management | Secure cookies, automatic timeout, device tracking |
| Role-Based Access Control | Granular permissions, audit logging |

API Security

  • OAuth 2.0 authentication
  • Rate limiting and throttling
  • Request validation and sanitization
  • API key rotation and scoping
  • Audit logging for all API calls

Organizational Security

Employee Security

  • Background checks for all employees
  • Security awareness training (annual + role-specific)
  • Principle of least privilege access
  • Mandatory security acknowledgment
  • Immediate access revocation upon termination

Vendor Management

  • Security assessment for all vendors
  • Data Processing Agreements (DPAs) with subprocessors
  • Regular vendor security reviews
  • Limited data sharing on need-to-know basis

Incident Response

We maintain a comprehensive incident response program:

  1. Detection: 24/7 monitoring, alerting, and anomaly detection
  2. Response: On-call security team with defined escalation paths
  3. Notification: Customer notification within 72 hours (GDPR requirement)
  4. Post-Incident: Root cause analysis, remediation, transparency report

Business Continuity

Disaster Recovery

| Metric | Target |
| ------------------------------ | ------------- |
| Recovery Time Objective (RTO) | 4 hours |
| Recovery Point Objective (RPO) | 6 hours |
| Backup Frequency | Every 6 hours |
| Backup Retention | 30 days |

High Availability

  • Multi-AZ deployment with automatic failover
  • Load balancing across multiple instances
  • Database replication with automatic promotion
  • CDN caching for static assets

Vulnerability Disclosure

Responsible Disclosure Program

We welcome security researchers to help us keep glincker secure. If you discover a vulnerability:

  1. Report: Email support@glincker.com with details
  2. Include: Description, steps to reproduce, potential impact
  3. Wait: Allow us reasonable time to investigate and fix (typically 90 days)
  4. Recognition: We acknowledge researchers in our Security Hall of Fame

What's in Scope

  • glincker web application (app.glincker.com)
  • glincker API (api.glincker.com)
  • Authentication systems
  • Data storage and handling

What's Out of Scope

  • Social engineering attacks
  • Physical attacks
  • Denial of service attacks
  • Third-party services we don't control
  • Previously reported vulnerabilities

Safe Harbor

We will not pursue legal action against researchers who:

  • Act in good faith
  • Avoid privacy violations, data destruction, or service disruption
  • Follow our disclosure guidelines
  • Do not exploit vulnerabilities beyond proof of concept

Security Updates

Patching Policy

  • Critical vulnerabilities: Patched within 24 hours
  • High severity: Patched within 7 days
  • Medium severity: Patched within 30 days
  • Low severity: Patched in next release cycle

Security Advisories

We publish security advisories for issues that may affect customers at status.glincker.com.

Your Security Responsibilities

While we secure our platform, you play a role in keeping your account safe:

  • Use strong, unique passwords
  • Enable multi-factor authentication
  • Review sharing permissions regularly
  • Keep your devices and browsers updated
  • Report suspicious activity immediately
  • Train your team on security best practices

Contact Security Team

For security inquiries, reports, or questions:

  • Email: support@glincker.com
  • PGP Key: Available on request for encrypted communication
  • Response Time: Security reports acknowledged within 24 hours

For information about how we handle your data, see our Privacy Policy. For service reliability commitments, see our Service Level Agreement.
