1. Security Philosophy
GlideRun applies defence in depth, least privilege, continuous monitoring, and compliance-first architecture. Security controls are designed to protect customer workflows without slowing operational delivery.
Controls are reviewed as services change and as legal or regulatory requirements evolve.
2. Infrastructure Security
- Hosting: AWS eu-central-1 (Frankfurt) and Azure westeurope (Amsterdam).
- Network: VPC isolation, security groups, and WAF.
- DDoS protection: Cloudflare Enterprise.
- Vulnerability scanning: continuous and automated.
- Penetration testing: annual third-party assessment.
3. Data Security
Data in transit is encrypted with TLS 1.3 as a minimum. Data at rest is encrypted with AES-256. Enterprise customers may use per-customer encryption keys through AWS KMS.
Data is classified as confidential, internal, or public, and controls are applied based on classification. Retention schedules are enforced through policy and automated deletion where feasible.
4. Access Controls
MFA is required for all internal systems. Authorisation is role-based and follows least privilege. Privileged access is time-limited, logged, and reviewed.
Third-party access is strictly scoped, time-limited, and recorded in audit logs.
5. Audit Trail — CompliVibe Evidence Vault
Every automation run is logged with a UTC timestamp, a SHA-256 hash of the input, a SHA-256 hash of the output, the user or system actor, the duration, and the status.
Logs are hash-chained so tampering breaks the chain. Evidence can be exported in PDF, JSON, and CSV. The Evidence Vault is powered by CompliVibe as GlideRun's compliance infrastructure partner.
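A minimal sketch of the hash chaining described above, as an added example and not GlideRun's or CompliVibe's code: the field names, the all-zero genesis value and the canonical-JSON serialisation are assumptions, and the sample runs are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first entry's prev_hash

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def run_record(ts, data_in, data_out, actor, duration_ms, status):
    # The fields listed in the policy text; the key names are assumptions.
    return {"timestamp_utc": ts, "input_sha256": sha256_hex(data_in),
            "output_sha256": sha256_hex(data_out), "actor": actor,
            "duration_ms": duration_ms, "status": status}

def entry_hash(record, prev_hash):
    # Canonical JSON so identical records always serialise to identical bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return sha256_hex((prev_hash + body).encode())

def append(chain, record):
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    chain.append({"record": record, "prev_hash": prev,
                  "entry_hash": entry_hash(record, prev)})

def verify(chain, expected_head=None):
    """Return (ok, index of the first failing entry or None)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev_hash"] != prev or e["entry_hash"] != entry_hash(e["record"], prev):
            return False, i
        prev = e["entry_hash"]
    # Dropping entries from the tail leaves a valid shorter chain, so compare
    # against a head hash stored outside the log when one is available.
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None

def sample_chain():
    # Constructed sample runs, not real data.
    chain = []
    append(chain, run_record("2025-06-01T09:00:00Z", b"invoice-1", b"approved", "user:alice", 420, "success"))
    append(chain, run_record("2025-06-01T09:05:00Z", b"invoice-2", b"rejected", "system:scheduler", 388, "success"))
    append(chain, run_record("2025-06-01T09:10:00Z", b"invoice-3", b"", "user:bob", 51, "failed"))
    return chain

if __name__ == "__main__":
    log = sample_chain()
    log[1]["record"]["status"] = "failed"  # edit one field after the fact
    print(verify(log))
```

Recomputing the edited entry's own hash only moves the failure to the next entry, whose prev_hash no longer matches.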
6. Incident Response
- Detection: automated alerting, with an MTTD target of less than 1 hour.
- Containment: isolation procedures, with a containment target of less than 4 hours.
- Notification: GDPR and DPDP 72-hour notification workflows.
- Post-incident: root cause analysis and summary for affected customers.
- Contact: security@gliderun.ai.
7. Compliance Certifications
- ISO 42001: aligned via CompliVibe partnership.
- SOC 2 Type II: in progress, target Q4 2025.
- GDPR: compliant, DPA available.
- EU AI Act: Annex IV documentation available per deployment.
- India DPDP: compliant.
- 256-bit encryption: deployed.
8. Responsible Disclosure
Security researchers may report vulnerabilities to security@gliderun.ai. GlideRun responds within 5 business days.
GlideRun will not pursue legal action for good-faith disclosure that avoids privacy violations, service disruption, data destruction, or extortion. Significant findings may be recognised in a hall of fame with researcher consent.
Last updated: June 1, 2025
Questions? Contact legal@gliderun.ai.