Quick Summary
- We're SOC 2 Type II and ISO 27001 certified. HIPAA compliance available for Enterprise.
- All data is encrypted at rest (AES-256) and in transit (TLS 1.3).
- We use AWS infrastructure with multi-AZ deployment, DDoS protection, and 24/7 monitoring.
- Regular penetration testing, vulnerability scanning, and security audits by third parties.
- Found a vulnerability? Report to [email protected] — we have a responsible disclosure program.
Security & Trust
Last Updated: January 7, 2026
At Glincker, security is foundational to everything we build. This page describes our security practices, certifications, and commitments to protecting your data.
Our Security Commitment
We understand that you trust us with important documents and sensitive information. We take that responsibility seriously and have built Glincker with security as a core principle, not an afterthought.
Security Certifications & Compliance
Current Certifications
| Certification | Status | Last Audit |
|---|---|---|
| SOC 2 Type II | ✓ Certified | October 2025 |
| ISO 27001 | ✓ Certified | September 2025 |
| GDPR | ✓ Compliant | Ongoing |
| CCPA/CPRA | ✓ Compliant | Ongoing |
| HIPAA | ✓ Available (Enterprise) | Upon Request |
Compliance Reports
Enterprise and Team customers can request copies of our:
- SOC 2 Type II Report
- ISO 27001 Certificate
- Penetration Test Summary
- Security Questionnaire Responses
Contact [email protected] to request documents.
Infrastructure Security
Cloud Infrastructure
- Provider: Amazon Web Services (AWS) with multi-region deployment
- Data Centers: SOC 1/2/3, ISO 27001, PCI DSS Level 1 certified facilities
- Regions: US (primary), EU (for EU customers), with additional regions available for Enterprise
- Redundancy: Multi-AZ deployment with automatic failover
Network Security
- DDoS protection via AWS Shield and Cloudflare
- Web Application Firewall (WAF) with custom rule sets
- TLS 1.3 encryption for all data in transit
- Private VPC with strict network segmentation
- Regular vulnerability scanning and penetration testing
Physical Security
Our infrastructure is hosted in AWS facilities with:
- 24/7 security personnel and video surveillance
- Biometric access controls
- Fire detection and suppression systems
- Redundant power and cooling
Data Security
Encryption
| Data State | Encryption Standard |
|---|---|
| In Transit | TLS 1.3 (AES-256-GCM) |
| At Rest | AES-256 |
| Backups | AES-256 with separate key management |
| Key Management | AWS KMS with HSM backing |
Data Isolation
- Multi-tenant Architecture: Logical separation with tenant ID enforcement
- Database Security: Row-level security policies, encrypted connections
- Enterprise Option: Dedicated database instances available
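To make "tenant ID enforcement" concrete, here is an added example (not Glincker's code) of the pattern in Python against an in-memory SQLite table: an unscoped lookup that lets any caller read another tenant's document by guessing an ID, beside a repository that binds every query to the tenant taken from the authenticated session. The `documents` table, its rows, and the class names are constructed for the demo; the statements in `POSTGRES_RLS` show how the same rule is pushed down into PostgreSQL as a row-level security policy, and are documented here rather than executed.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed schema and sample rows for the demo (not real customer data).
SCHEMA = """
CREATE TABLE documents (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    title     TEXT NOT NULL
);
"""
SAMPLE_ROWS = [
    (1, "tenant-a", "A: board minutes"),
    (2, "tenant-a", "A: payroll"),
    (3, "tenant-b", "B: contract draft"),
]

# Equivalent database-side enforcement on PostgreSQL (assumed setting name
# app.tenant_id). Shown for reference; SQLite has no row-level security.
POSTGRES_RLS = """
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;  -- the table owner is not exempt
CREATE POLICY tenant_isolation ON documents
    USING (tenant_id = current_setting('app.tenant_id', true));
-- per request, inside the transaction: SET LOCAL app.tenant_id = '<tenant from session>';
"""


def open_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_document_unscoped(conn: sqlite3.Connection, doc_id: int) -> Optional[Tuple]:
    """The IDOR-prone form: any authenticated user can fetch any tenant's row by id."""
    return conn.execute(
        "SELECT id, tenant_id, title FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


class TenantIsolationError(Exception):
    pass


class TenantScopedRepo:
    """All data access goes through this class, and it is bound to one tenant.

    The tenant ID comes from the authenticated session, never from the request
    body or URL, so a caller cannot simply ask for another tenant's rows.
    """

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        if not tenant_id:
            raise TenantIsolationError("tenant context is required")
        self._conn = conn
        self._tenant_id = tenant_id

    def get_document(self, doc_id: int) -> Optional[Tuple]:
        # tenant_id is part of the WHERE clause on every lookup, so an
        # enumerated id belonging to another tenant returns nothing.
        return self._conn.execute(
            "SELECT id, tenant_id, title FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self._tenant_id),
        ).fetchone()

    def list_documents(self) -> List[Tuple]:
        return self._conn.execute(
            "SELECT id, tenant_id, title FROM documents WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,),
        ).fetchall()


if __name__ == "__main__":
    db = open_demo_db()
    print("unscoped lookup of id 3:", get_document_unscoped(db, 3))
    repo = TenantScopedRepo(db, "tenant-a")
    print("tenant-a lookup of id 3:", repo.get_document(3))
    print("tenant-a listing:", repo.list_documents())
```

The application-layer filter and the database policy are complementary: the repository stops the common bug (a handler that forgets the tenant predicate), and RLS catches the cases the repository misses, such as an ad-hoc query or a new code path that bypasses it.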
Data Retention & Deletion
- Active data retained while account is active
- Deleted data purged within 30 days
- Backups retained for 90 days, then securely destroyed
- GDPR/CCPA deletion requests honored within 30 days
Application Security
Secure Development Lifecycle
- Security training for all developers
- Code review required for all changes
- Automated security scanning in CI/CD (SAST, DAST)
- Dependency vulnerability scanning (Snyk, Dependabot)
- Regular security audits by third parties
Authentication & Access Control
| Feature | Description |
|---|---|
| Password Security | bcrypt hashing, complexity requirements, breach detection |
| Multi-Factor Authentication | TOTP, WebAuthn/FIDO2, SMS (backup only) |
| Single Sign-On (SSO) | SAML 2.0, OIDC (Enterprise) |
| Session Management | Secure cookies, automatic timeout, device tracking |
| Role-Based Access Control | Granular permissions, audit logging |
API Security
- OAuth 2.0 authentication
- Rate limiting and throttling
- Request validation and sanitization
- API key rotation and scoping
- Audit logging for all API calls
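The list above names API key scoping, rotation and rate limiting; the following added example (not Glincker's API code; the `glk_` key prefix, scope names and limits are assumptions for the demo) shows how those fit together at a gateway: a key is returned once at issuance and stored only as a SHA-256 hash, verified with a constant-time compare, rotation revokes the old key, a per-key token bucket throttles bursts, and the scope check runs after authentication and rate limiting.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Tuple

KEY_PREFIX = "glk_"  # assumed prefix for the demo, not Glincker's real key format


@dataclass
class ApiKeyRecord:
    key_id: str
    key_hash: str           # sha256 of the secret part; the secret itself is never stored
    scopes: FrozenSet[str]
    revoked: bool = False


def _hash_secret(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


class ApiKeyStore:
    def __init__(self) -> None:
        self._by_id: Dict[str, ApiKeyRecord] = {}

    def issue(self, scopes: Iterable[str]) -> str:
        """Mint a key of the form glk_<id>.<secret>; the full value is shown only here."""
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(24)
        self._by_id[key_id] = ApiKeyRecord(key_id, _hash_secret(secret), frozenset(scopes))
        return f"{KEY_PREFIX}{key_id}.{secret}"

    def authenticate(self, presented: str) -> Optional[ApiKeyRecord]:
        if not presented.startswith(KEY_PREFIX):
            return None
        key_id, sep, secret = presented[len(KEY_PREFIX):].partition(".")
        rec = self._by_id.get(key_id)
        if not sep or rec is None or rec.revoked:
            return None
        # Compare hashes in constant time so a mismatch leaks no timing information.
        if not hmac.compare_digest(rec.key_hash, _hash_secret(secret)):
            return None
        return rec

    def rotate(self, presented: str) -> Optional[str]:
        """Revoke the presented key and return a fresh one with the same scopes."""
        rec = self.authenticate(presented)
        if rec is None:
            return None
        rec.revoked = True
        return self.issue(rec.scopes)


class TokenBucket:
    """Per-key bucket: `capacity` requests of burst, refilled at `rate` tokens per second."""

    def __init__(self, capacity: int, rate: float,
                 now: Callable[[], float] = time.monotonic) -> None:
        self._capacity = capacity
        self._rate = rate
        self._now = now
        self._state: Dict[str, Tuple[float, float]] = {}  # key_id -> (tokens, last_ts)

    def allow(self, key_id: str) -> bool:
        now = self._now()
        tokens, last = self._state.get(key_id, (float(self._capacity), now))
        tokens = min(float(self._capacity), tokens + (now - last) * self._rate)
        if tokens < 1.0:
            self._state[key_id] = (tokens, now)
            return False
        self._state[key_id] = (tokens - 1.0, now)
        return True


def authorize(store: ApiKeyStore, bucket: TokenBucket,
              presented: str, required_scope: str) -> str:
    """Return 'ok' or the refusal reason, in the order a gateway evaluates them."""
    rec = store.authenticate(presented)
    if rec is None:
        return "unauthenticated"
    if not bucket.allow(rec.key_id):
        return "rate_limited"
    if required_scope not in rec.scopes:
        return "forbidden"
    return "ok"


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue(["documents:read"])
    bucket = TokenBucket(capacity=3, rate=1.0)
    print(key, "->", authorize(store, bucket, key, "documents:read"))
    print("write scope ->", authorize(store, bucket, key, "documents:write"))
    print("rotated; old key ->", store.rotate(key) is not None,
          authorize(store, bucket, key, "documents:read"))
```

Keeping the key ID in cleartext and only the secret half hashed is what makes lookup cheap while a database leak still yields nothing usable; the same split is why rotation can revoke the old record without touching the caller's scopes.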
Organizational Security
Employee Security
- Background checks for all employees
- Security awareness training (annual + role-specific)
- Principle of least privilege access
- Mandatory security acknowledgment
- Immediate access revocation upon termination
Vendor Management
- Security assessment for all vendors
- Data Processing Agreements (DPAs) with subprocessors
- Regular vendor security reviews
- Limited data sharing on need-to-know basis
Incident Response
We maintain a comprehensive incident response program:
- Detection: 24/7 monitoring, alerting, and anomaly detection
- Response: On-call security team with defined escalation paths
- Notification: Affected customers notified within 72 hours of confirming a personal-data breach (the same 72-hour window GDPR Article 33 sets for notifying supervisory authorities)
- Post-Incident: Root cause analysis, remediation, transparency report
Business Continuity
Disaster Recovery
| Metric | Target |
|---|---|
| Recovery Time Objective (RTO) | 4 hours |
| Recovery Point Objective (RPO) | 6 hours |
| Backup Frequency | Every 6 hours |
| Backup Retention | 30 days |
High Availability
- Multi-AZ deployment with automatic failover
- Load balancing across multiple instances
- Database replication with automatic promotion
- CDN caching for static assets
Vulnerability Disclosure
Responsible Disclosure Program
We welcome security researchers to help us keep Glincker secure. If you discover a vulnerability:
- Report: Email [email protected] with details
- Include: Description, steps to reproduce, potential impact
- Wait: Allow us reasonable time to investigate and fix (typically 90 days)
- Recognition: We acknowledge researchers in our Security Hall of Fame
What's in Scope
- Glincker web application (app.glincker.com)
- Glincker API (api.glincker.com)
- Authentication systems
- Data storage and handling
What's Out of Scope
- Social engineering attacks
- Physical attacks
- Denial of service attacks
- Third-party services we don't control
- Previously reported vulnerabilities
Safe Harbor
We will not pursue legal action against researchers who:
- Act in good faith
- Avoid privacy violations, data destruction, or service disruption
- Follow our disclosure guidelines
- Do not exploit vulnerabilities beyond proof of concept
Security Updates
Patching Policy
- Critical vulnerabilities: Patched within 24 hours
- High severity: Patched within 7 days
- Medium severity: Patched within 30 days
- Low severity: Patched in next release cycle
Security Advisories
We publish security advisories for issues that may affect customers at status.glincker.com.
Your Security Responsibilities
While we secure our platform, you play a role in keeping your account safe:
- Use strong, unique passwords
- Enable multi-factor authentication
- Review sharing permissions regularly
- Keep your devices and browsers updated
- Report suspicious activity immediately
- Train your team on security best practices
Contact Security Team
For security inquiries, reports, or questions:
- Email: [email protected]
- PGP Key: Available on request for encrypted communication
- Response Time: Security reports acknowledged within 24 hours
For information about how we handle your data, see our Privacy Policy. For service reliability commitments, see our Service Level Agreement.