Security

Glasma is built with security-first principles. Your data, your integrations, and your team's work are protected at every layer.

Encryption

All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). OAuth tokens from your integrations are stored encrypted and never exposed in plaintext.

Infrastructure

Glasma runs on Vercel (CDN + serverless) backed by Supabase PostgreSQL. Both providers maintain SOC 2 Type II compliance. Data is stored in US-East regions.

Access Control

Row-level security enforces team isolation at the database level. All API routes require valid session tokens. Admin endpoints are restricted to verified admin users.
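The paragraph above describes the pattern but not the mechanics. The following is an added illustration of how team isolation is expressed with PostgreSQL row-level security on a Supabase-style database; it is not Glasma's own schema. The table and column names are assumptions; `auth.uid()` is Supabase's helper that returns the calling user's id from the session JWT.

```sql
-- Added example, not Glasma's code. Schema names are assumed for illustration.
create table team_members (
  team_id uuid not null,
  user_id uuid not null,
  primary key (team_id, user_id)
);

create table documents (
  id      uuid primary key default gen_random_uuid(),
  team_id uuid not null,
  title   text not null,
  body    text
);

-- Deny by default: once RLS is enabled, a table with no matching policy
-- returns no rows to ordinary roles.
alter table documents enable row level security;
-- FORCE applies the policies to the table owner as well, so an application
-- connection that happens to own the table does not silently bypass isolation.
alter table documents force row level security;

-- Reads: a row is visible only if the caller is a member of its team.
create policy documents_select_own_team on documents
  for select
  using (
    exists (
      select 1 from team_members m
      where m.team_id = documents.team_id
        and m.user_id = auth.uid()
    )
  );

-- Writes: WITH CHECK is evaluated against the new row, so a client cannot
-- insert a document into a team it does not belong to.
create policy documents_insert_own_team on documents
  for insert
  with check (
    exists (
      select 1 from team_members m
      where m.team_id = documents.team_id
        and m.user_id = auth.uid()
    )
  );

-- Quick check from a session whose JWT belongs to a given user: only that
-- user's teams' documents come back, regardless of the WHERE clause supplied.
select id, team_id, title from documents order by title;
```

Two things a practitioner would verify after writing policies like these: that every table holding team data (including `team_members` itself) has RLS enabled, since a single unprotected table is enough to leak membership or ids; and that update and delete policies exist too, because a table with only select and insert policies silently rejects those operations for everyone rather than scoping them.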

Audit Logging

All significant actions (logins, integrations, agent runs, admin actions) are written to an immutable audit log with timestamps and actor IDs. Logs are retained for 90 days.
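As an added example of what "immutable" can mean at the database layer (illustrative, not Glasma's implementation), the following PostgreSQL schema makes an audit table append-only in two independent ways: the application role is granted no UPDATE or DELETE privilege, and a trigger rejects those statements even from roles that hold the privilege. The `authenticated` role is Supabase's name for logged-in clients; the table and column names are assumptions.

```sql
-- Added example, not Glasma's code. Names are assumed for illustration.
create table audit_log (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid,                 -- who performed the action
  action      text not null,        -- e.g. 'login', 'integration.connect', 'agent.run'
  details     jsonb
);

-- Layer 1: privileges. Application roles can append and read, nothing else.
revoke all on audit_log from public;
grant insert, select on audit_log to authenticated;

-- Layer 2: a trigger that refuses any in-place change, whoever the caller is.
create or replace function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only: % rejected for id %', tg_op, old.id;
end;
$$;

create trigger audit_log_no_modify
  before update or delete on audit_log
  for each row execute function audit_log_immutable();

-- Recording an event is a plain insert; the timestamp is set server-side so
-- clients cannot backdate entries.
insert into audit_log (actor_id, action, details)
values ('00000000-0000-0000-0000-000000000001', 'login',
        '{"method": "oauth", "provider": "example"}');
```

One consequence worth planning for: a retention purge like the 90-day window described above cannot be a row-level `DELETE`, since the trigger blocks it. The usual approaches are partitioning the table by month and dropping whole partitions, or running the purge as a maintenance job under a role allowed to disable the trigger, with that job's own actions written to the log.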

Vulnerability Disclosure

Found a security issue? Please report it responsibly to security@glasma.app. We commit to acknowledging reports within 48 hours and resolving critical issues within 7 days.

Rate Limiting

API endpoints are rate limited to prevent abuse. Auth endpoints enforce stricter limits. Webhook receivers enforce per-user-per-hour limits on AI skill triggers.

Report a Vulnerability

We take security reports seriously. Please do not disclose vulnerabilities publicly before giving us a chance to address them.

security@glasma.app