Glossa
Information Security Policy

Last updated: January 2026

1. Purpose and Scope

This Information Security Policy establishes the security framework for Glossa AI ("Glossa" or "the Company") to protect customer data, intellectual property, and system integrity. This policy applies to all Glossa systems, services, employees, contractors, and third-party service providers involved in the delivery of the Glossa platform.

2. Security Governance

2.1 Roles and Responsibilities

Alison Meyer, COO, serves as Chief Information Security Officer (CISO) with the following responsibilities:

  • Oversight and implementation of all security controls

  • Security incident response coordination

  • Vendor and subprocessor security assessment

  • Compliance monitoring and reporting

  • Annual security policy review and updates

2.2 Policy Review

This policy is reviewed annually and updated as necessary to address evolving threats, regulatory requirements, and business needs. Updated versions of this policy are published on the Glossa website at glossapro.ai/security-policy.

3. Data Security

3.1 Data Classification

Glossa classifies data into the following categories:

  • Customer Personal Data: Personal information provided by customers including names, email addresses, and professional information

  • Customer Content: Project data, requirements, transcripts, documents, and other materials uploaded or generated through the platform

  • System Data: Usage data, logs, and analytics used for platform operation and improvement

  • Confidential Business Information: Proprietary source code, business plans, and internal documentation

3.2 Encryption Standards

  • Data at Rest: All customer data is encrypted using AES-256 encryption

  • Data in Transit: All data transmissions use TLS 1.2 or higher (TLS 1.3 preferred)

  • Application-Level Encryption: Sensitive fields receive additional encryption layers where applicable

3.3 Data Retention and Deletion

  • Customer data is retained only as long as necessary to provide services or as required by applicable law

  • Customers may request deletion of their data at any time by contacting support@glossapro.ai

  • Upon account termination, customer data is deleted within 60 days unless retention is required by law

  • Backup data is encrypted and automatically purged according to retention schedules

4. Access Control

4.1 Authentication

  • Single Sign-On (SSO) is implemented via WorkOS for centralized identity management

  • Multi-Factor Authentication (MFA) is available and can be required by enterprise customers

4.2 Role-Based Access Control (RBAC)

  • Access to systems and data is granted based on the principle of least privilege

  • User permissions are assigned according to job function and business need

4.3 Access Monitoring

  • All authentication events and system access are logged with timestamps

  • Audit logs track access to sensitive data and administrative functions

5. Infrastructure Security

5.1 Cloud Infrastructure

Glossa leverages enterprise-grade cloud infrastructure providers with robust security controls:

  • Google Cloud Platform: For storage, AI/ML services, and compute resources

  • Supabase: For PostgreSQL database with built-in security features

  • Vercel: For secure web hosting and deployment

5.2 Network Security

  • Network traffic is encrypted using industry-standard protocols

5.3 Backup and Disaster Recovery

  • Automated encrypted backups are performed regularly and stored in geographically redundant locations

  • Disaster recovery procedures include automated failover capabilities

5.4 Cloud Service Governance

Evaluation and Selection

  • Cloud services that will process customer data must be evaluated for security controls, compliance certifications, and data protection capabilities before adoption

  • Preference is given to providers with SOC 2, ISO 27001, or equivalent certifications

  • All cloud service providers must execute appropriate data processing or security agreements

Approved Services

  • The current list of approved cloud infrastructure and service providers is documented in Section 8.2 (Approved Subprocessors)

  • New cloud services must be reviewed and approved by the CISO before implementation

Data Protection Requirements

  • All cloud services handling customer data must support encryption at rest (AES-256) and in transit (TLS 1.2+)

  • Cloud services must provide audit logging and access controls

  • Data residency requirements must be evaluated for services processing personal data subject to GDPR or other regional regulations

Exit and Migration

  • Cloud service contracts must include provisions for data export and deletion upon termination

  • Customer data must be fully retrievable in standard formats

  • Upon exit from a cloud service, all customer data must be securely deleted or migrated to an approved alternative

6. Application Security

6.1 Secure Development Practices

  • Infrastructure is managed through Infrastructure as Code (IaC) with version control

  • Security best practices are followed throughout the software development lifecycle

6.2 Vulnerability Management

  • Security patches and updates are applied promptly based on risk assessment

  • Critical vulnerabilities are remediated as quickly as possible based on severity and exploitability

7. Security Monitoring and Incident Response

7.1 Event Logging and Monitoring

  • Security-relevant events including authentication attempts, privilege changes, and data access are logged

  • Logs are centralized, time-stamped, and protected against tampering

  • Continuous monitoring detects anomalies and potential security incidents

  • PostHog is used for product analytics with pseudonymized customer identifiers

7.2 Incident Response Procedures

In the event of a security incident:

  • Detection and Containment: Incidents are identified through monitoring systems and immediately contained to prevent further impact

  • Investigation: The CISO leads investigation to determine scope, root cause, and affected systems

  • Notification: Affected customers are notified within 72 hours when Personal Data is involved, in compliance with GDPR and applicable data protection laws

  • Remediation: Security controls are strengthened to prevent recurrence

  • Documentation: All incidents are documented with lessons learned and remediation actions

7.3 Contact Information

Security incidents should be reported immediately to: support@glossapro.ai

8. Third-Party Security

8.1 Subprocessor Requirements

All third-party service providers (subprocessors) that handle customer data must:

  • Maintain security controls appropriate to the sensitivity of data processed

  • Comply with applicable data protection laws including GDPR

  • Execute data processing agreements with appropriate security obligations

  • Notify Glossa of any security incidents affecting customer data

8.2 Approved Subprocessors

The current list of approved subprocessors includes:

Subprocessor    Location          Purpose
Google          United States     Cloud storage and AI/ML services
Supabase        United States     Database services
WorkOS          United States     Identity and authentication
Vercel          United States     Web hosting and deployment
Trigger.dev     United Kingdom    Background job orchestration
Pipedream       United States     Integration platform
PostHog         United States     Product analytics and monitoring

9. Compliance

9.1 Regulatory Compliance

Glossa maintains compliance with applicable data protection regulations:

  • GDPR: EU General Data Protection Regulation for European customer data

  • CCPA/CPRA: California Consumer Privacy Act for California residents

9.2 Data Processing Agreements

Glossa executes Data Processing Agreements (DPAs) with customers processing personal data under GDPR, incorporating Standard Contractual Clauses for international data transfers.

10. Acceptable Use Policy

This Acceptable Use Policy defines the rules and responsibilities for accessing and using Glossa systems, infrastructure, and customer data.

10.1 Authorized Use

  • Access to Glossa systems and customer data is granted solely for business purposes related to providing and maintaining the Glossa platform

  • Users must only access systems and data for which they have been explicitly authorized

  • Credentials and access privileges are personal and must not be shared with others

  • Users must protect the confidentiality of their authentication credentials (passwords, API keys, access tokens)

10.2 Prohibited Activities

Users must not:

  • Access, use, or disclose customer data for any purpose other than providing the Glossa service

  • Attempt to access systems, accounts, or data for which they lack authorization

  • Share, transfer, or disclose authentication credentials to any other person

  • Disable, circumvent, or interfere with security controls or monitoring systems

  • Install unauthorized software or make unauthorized modifications to Glossa infrastructure

  • Use Glossa systems for illegal activities or in violation of applicable laws

  • Engage in activities that could compromise the security, integrity, or availability of Glossa systems

10.3 Data Handling Requirements

  • Customer data must be handled in accordance with our Data Processing Agreement and Privacy Policy

  • Customer data must not be downloaded to personal devices or systems unless required for authorized work and properly secured

  • Customer data must not be transmitted via unencrypted channels

  • Upon termination of employment or contract, all Glossa data and credentials must be returned or destroyed

10.4 Security Incident Reporting

Users must immediately report to support@glossapro.ai:

  • Suspected security incidents or data breaches

  • Lost or compromised credentials

  • Suspicious system activity or unauthorized access attempts

  • Any violation of this Acceptable Use Policy

10.5 Monitoring and Enforcement

  • Glossa reserves the right to monitor system access and usage to ensure compliance with this policy

  • Violations of this policy may result in immediate suspension of access, termination of employment or contract, and potential legal action

  • Glossa will cooperate with law enforcement in investigating any illegal activities

11. Policy Violations

Violations of this policy may result in disciplinary action up to and including termination of employment or contract. Suspected security violations should be reported immediately to support@glossapro.ai.