We understand how important security and compliance are, and we’ve worked hard to make sure that Glide is secure. The security and protection of our customers’ data is a top priority and this paper outlines our approach to security and compliance, and details the technical controls that keep your data safe.
What is Glide?
Glide is a No Code / Low Code app builder that allows you to make progressive web applications with a simple spreadsheet-style backend. You can connect to a Google Sheet or use our Glide Tables to power your applications. Soon you’ll be able to use Airtable and Excel too.
Apps are private by default. All data is securely hosted on our backend. Each connection made to Glide is end-to-end encrypted over HTTPS. We have very restricted access control policies for the live data, and apply industry standards for data at rest.
Security isn't just about making sure the right technology is in place. Glide makes sure we have the right people to build, maintain, and oversee the systems. Although we are a small team, we are rigorous in making sure we hire the right people.
Privacy and Trust
Glide has procedures in place that limit access to sensitive information and system access only to necessary staff. All staff members have individual credentials, and multi-factor authentication is mandatory for staff when accessing sensitive systems.
Glide uses a certified partner to handle all credit card information, and we do not store any PCI-DSS information ourselves. Our processor, Stripe, is certified to PCI Service Provider Level 1, the most stringent level of certification available in the payments industry.
Physical and Network Security
All customer data, and Glide’s servers, are securely hosted on Google Cloud Platform (GCP) in the U.S. All of our users' data is being processed in the U.S.
GCP certifies their physical security with comprehensive compliance and controls, including allowing physical access to personnel with a validated business need, logged and monitored access, electronic surveillance and professional security personnel at all datacenter entry points.
GCP is accredited against multiple security industry certifications including ISO27001. More details are available from the GCP website.
Each and every connection made to Glide is end-to-end encrypted over HTTPS. Glide forces HTTPS for all services, including our public website. Customer data is stored in encrypted form using state-of-the-art encryption.
Glide uses specialist security consulting firms to complete penetration tests on our infrastructure. You can request the results of our latest penetration test by emailing firstname.lastname@example.org
Far from being an afterthought, security is an integral part of Glide’s operations.
For employees, all staff members have a unique username/password. Access to all systems is role-based, with the principles of deny-by-default and least-privilege.
Planning, analysis, and design are carried out amongst all developers at regular meetings. We make significant use of GitHub and Continuous Integration. CI runs automated tests and pushes to a staging instance of Glide, where it is tested for at least two days. After success, it is tested again using automated tests and requires manual clearance from a senior engineer to be released to production. User feedback and monitoring tools report back to the planning phase.
Glide’s code is continuously checked against published security vulnerabilities. Patches for any security issue are evaluated and rolled out, via change management, as soon as possible.
Glide rapidly investigates all reported security issues. In compliance with international regulations, we will inform all customers affected by an incident as soon as possible - definitely within the legally mandated notification period of 72 hours.
Failover and Backup
Automatic backups are built into our system. If a single server fails, another one will take over instantaneously. All data is backed up daily and stored encrypted. Should the worst happen—such as losing a data center—we can rebuild all Glide data in a new location, and be fully operational within five days.
Glide is built with security-by-design.
Glide’s Builder is where users create Apps and Pages to share with others. Users self-register for the platform and are validated via email verification. Glide allows users to create “Teams” and invite users to those Teams. Any user within that Team is able to see the Projects in that Team.
Projects are Apps or Pages. Projects are Private by default, allowing only members of your Team to access the Project. From there, you have multiple different ways to allow access to your Project, including limiting access by password, email, or Team members only. You are also able to make the Project public, allowing anyone to view the Project, or public with email, to allow users to provide their email to store user-specific data. You can find more information on Project level access control in the documentation.
Customer Data Confidentiality
User data in Glide is strongly managed to ensure it remains confidential. We use the strong segregation mechanisms in GCP to ensure data does not leak outside of Glide’s control. All user data are stored in encrypted form, sandboxed and segregated from other users' data by the Glide backend, which controls all access to stored data and checks and enforces permissions for every network request.
Secure Software Development
We do code reviews very seriously and heavily, it takes a significant portion of our development time, and we don't compromise on it. Opening a Pull Request kicks off unit and integration tests which need to be fully completed, and pass testing.
We use Buildkite as our Continuous Integration/Deployment service. Glide’s code is hosted in GitHub's private repositories, and we take advantage of GitHub's code review tool.
Glide’s stack is React, TypeScript, and Node.js.
Glide is actively pursuing the American Institute of CPAs industry-standard cybersecurity program, SOC-2.
- Do you use TLS 1.2
- How long do you keep logs?
- We keep logs for 30 days.
- What is your data retention policy?
- 30 days – meaning if you delete something from the platform, it’s permanently deleted after 30 days.
- Is my data encrypted?
- We’re AES 256 bit encrypted at rest and in transit. We have the encryption keys and can access your data if you have a support ticket or need us to investigate your app for an issue.