Overview
Glossa implements enterprise-grade security measures to protect your data throughout its lifecycle. This includes encryption for data in transit and at rest, secure infrastructure from trusted providers, automated backups, and comprehensive audit logging.
For complete details on Glossa's security practices, see our Security Policy at glossapro.ai/security-policy.
Data Encryption
Encryption in Transit
All data transmitted to and from Glossa is encrypted using TLS 1.2 or higher.
What this means:
Data traveling between your browser and Glossa servers is encrypted
Integration connections (Gmail, Jira, Slack, etc.) use encrypted channels
API communications are encrypted
No data is transmitted in plain text over the network
Encryption at Rest
All data stored in Glossa is encrypted using AES-256 encryption.
What this means:
Files you upload are encrypted in storage
Requirements, acceptance criteria, and tasks are encrypted
Database records are encrypted
Backups are encrypted
Data remains encrypted even if storage media is compromised
Application-Level Security
Beyond infrastructure encryption:
Sensitive fields use additional application-level encryption
Pseudonymization techniques for certain data types
Encryption keys are managed securely and rotated regularly
Infrastructure and Hosting
Glossa uses trusted, enterprise-grade infrastructure providers:
Primary infrastructure:
Google Cloud Platform (US) - Storage and AI/ML services
Supabase (US) - Database services
Vercel (US) - Web hosting and application delivery
Supporting services:
WorkOS (US) - Identity and authentication
Trigger.dev (UK) - Background job processing
Pipedream (US) - Integration platform (iPaaS)
PostHog (US) - Analytics (pseudonymized data only)
Data residency: All Glossa infrastructure is currently located in the United States.
For the complete list of subprocessors and their purposes, see glossapro.ai/security-policy.
Access Controls
Role-Based Access Control (RBAC)
Glossa implements role-based access controls with two roles:
Owner - Full access including billing and integrations
Member - Project work access only
See the User Roles article for detailed permissions.
Organization-Level Security
All access is at the organization level
Every member can access all projects in the organization
No per-project permission restrictions
Requires trust-based team composition
See the Organization-Level Access article for details.
Account Security
Authentication methods:
Password-based login
Social login via Google, Microsoft, or other providers (powered by WorkOS)
Current limitations:
Single Sign-On (SSO) is not currently available
Multi-Factor Authentication (MFA) is not currently available
Best practices:
Use strong, unique passwords
Consider using a password manager
Don't share account credentials
Remove team members promptly when they leave
Data Backups
Automated Backups
Glossa performs regular automated backups of all data:
Database backups
File storage backups
Configuration backups
Backup security:
All backups are encrypted
Stored in geographically redundant locations
Tested regularly for restoration capability
Backup frequency and retention: See glossapro.ai/security-policy for current backup schedule and retention policies.
Disaster Recovery
Glossa maintains disaster recovery capabilities:
Automated failover systems
Geographic redundancy
Regular disaster recovery testing
Audit Logging
Comprehensive Event Logging
Glossa maintains comprehensive audit logs of system activity:
User authentication and access
Data creation, modification, and deletion
Integration connections and activity
Administrative actions
Security-relevant events
Log retention: Audit logs are retained for security monitoring, incident investigation, and compliance purposes. See glossapro.ai/security-policy for retention periods.
Monitoring and Alerts
Glossa implements:
Continuous security monitoring
Real-time alerting for suspicious activity
Automated anomaly detection
Regular security log reviews
Data Processing and AI
LLM Data Processing
When you upload files to Glossa:
Content is sent to Google's AI/ML services for processing
Processing generates requirements, acceptance criteria, and tasks
Your data is not used to train or improve AI models
Google is contractually prohibited from using your data for model training
Data Ownership
You own your data:
All content you upload to Glossa belongs to you
All outputs generated by Glossa belong to you
Glossa does not use your data to train or improve our services
You can export or delete your data at any time
Security Incident Response
Incident Notification
In the event of a security incident affecting your data:
Glossa will notify you within 72 hours of becoming aware
Timely updates provided as investigation progresses
Incident Management
Glossa maintains an incident response plan:
Rapid containment procedures
Thorough investigation protocols
Remediation and recovery processes
Post-incident reviews and improvements
Data Isolation
Multi-Tenancy Security
Glossa is a multi-tenant platform with strict data isolation:
Each organization's data is logically separated
No data sharing between organizations
Application-level isolation controls
Database-level isolation where appropriate
Access Segregation
User access limited to their organization's data only
No cross-organization data access
Administrative access tightly controlled
Principle of least privilege enforced for both user and administrative access
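To make "database-level isolation" concrete, here is an added, illustrative example of how tenant isolation is typically enforced inside a PostgreSQL database (Supabase, listed above as Glossa's database provider, is built on PostgreSQL). This is not Glossa's schema or a description of Glossa's actual implementation: the table name, column names, the `app.current_org` session setting and the sample organization id are all constructed for the example. The page states that organizations are logically separated and that database-level isolation is used where appropriate; row-level security is one standard mechanism that achieves exactly that, so that a query which forgets a `WHERE org_id = ...` filter still cannot read or write another organization's rows.

```sql
-- Constructed example schema (not Glossa's): project data tagged with the owning organization.
CREATE TABLE requirements (
    id      bigserial PRIMARY KEY,
    org_id  uuid      NOT NULL,
    title   text      NOT NULL,
    body    text
);

-- The application identifies the caller's organization once per transaction.
-- The third argument (is_local = true) scopes the value to the current transaction,
-- so a pooled connection cannot leak one tenant's context into the next request.
-- Example: SELECT set_config('app.current_org', '<organization uuid>', true);

-- Turn on row-level security. FORCE makes the policy apply to the table owner as well;
-- superusers and roles with BYPASSRLS still bypass it, so the application must
-- connect as an ordinary, non-superuser role for this control to be effective.
ALTER TABLE requirements ENABLE ROW LEVEL SECURITY;
ALTER TABLE requirements FORCE  ROW LEVEL SECURITY;

-- Rows are visible (USING) and writable (WITH CHECK) only when they belong to the
-- organization named in the session setting. If the setting is absent or empty,
-- NULLIF(...) yields NULL, every comparison is NULL, and no rows match: the policy
-- fails closed instead of exposing data when the application forgets to set context.
CREATE POLICY requirements_tenant_isolation ON requirements
    USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Verification a reviewer can run against a test database:
-- with the context set to one organization, rows tagged with any other
-- organization must be invisible, regardless of the WHERE clause used.
BEGIN;
SELECT set_config('app.current_org', '11111111-1111-1111-1111-111111111111', true);  -- sample id
SELECT count(*) AS foreign_rows_visible
  FROM requirements
 WHERE org_id <> '11111111-1111-1111-1111-111111111111'::uuid;   -- expected: 0
COMMIT;
```

Two points matter when reviewing a design like this. First, the isolation holds only for database roles subject to RLS; an administrative or migration role with BYPASSRLS sees everything, which is why the page's "administrative access tightly controlled" and "least privilege" statements are the companion controls to the database policy. Second, the policy is only as trustworthy as the code path that sets `app.current_org`, which must derive the organization from the authenticated session, never from a value the client supplies directly.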
Data Processing Agreement
A Data Processing Agreement (DPA) is available for customers. Most customers sign a DPA as an amendment to their service contract. The standard DPA is available at glossapro.ai/dpa - your organization's DPA may not be identical to that one. Contact [email protected] if you need help.
Data Retention and Deletion
Retention Policies
Data is retained while your account is active
Files, requirements, and project data stored indefinitely during active use
Audit logs retained per compliance requirements
Data Deletion
After account termination:
Data deleted within 60 days
Backups purged within retention period
Exception: Data may be retained longer if required by law
To request data deletion: Contact [email protected]
Third-Party Integrations
Integration Security
When you connect integrations (Gmail, Jira, Slack, etc.):
OAuth-based authentication (no password storage)
Minimal required permissions requested
Token-based access (can be revoked anytime)
Encrypted credential storage
Integration Data Handling
Integration data processed according to Glossa's security standards
Same encryption and security controls apply
Data from integrations treated as your data (you own it)
Revoking Integration Access
You can revoke Glossa's access to integrated services:
From Glossa (Integrations → Disconnect)
From the third-party service's account settings
Either method removes Glossa's access immediately
Security Best Practices for Users
Account Security
Recommendations:
Use strong, unique passwords
Don't share account credentials
Log out on shared devices
Report suspicious activity immediately
Data Handling
Recommendations:
Only upload data you're authorized to share
Review who has access to your organization
Remove team members promptly when they leave
Use organization deletion when no longer needed
Integration Management
Recommendations:
Only connect integrations you need
Review integration permissions before authorizing
Disconnect unused integrations
Monitor integration activity
Reporting Security Issues
How to Report
If you discover a security vulnerability or issue:
Do not disclose publicly
Email [email protected] immediately
Provide a detailed description of the issue
Include steps to reproduce if applicable
What to Expect
Prompt acknowledgment of your report
Investigation and assessment
Resolution and notification
Recognition for responsible disclosure (if desired)
Questions and Support
Security Questions
For security-related questions:
Email [email protected]
Reference this documentation
Review Security Policy at glossapro.ai/security-policy
Custom Security Requirements
If you have specific security requirements:
Contact our team to discuss
We can provide additional documentation
Security questionnaires can be completed
Custom security reviews available for enterprise customers