Glynto

Security at Glynto

Your financial data is sensitive. We implement enterprise-grade security measures to protect your information from unauthorized access, disclosure, alteration, or destruction.

Our Commitment to Security

At Glynto, security is not an afterthought, it's built into every aspect of our Service. We follow industry best practices to ensure your financial data remains safe and confidential.

This page provides transparency into our security measures, infrastructure, and practices. For security-related questions or concerns, contact us at security@glynto.com.

Encryption Everywhere
Encryption for data in transit and at rest
  • TLS 1.2+: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS)
  • AES-256: All data stored in our database is encrypted at rest using AES-256 encryption
  • End-to-End Security: Your data is encrypted from the moment it leaves your device until it reaches our secure database where it's also encrypted at-rest
Strong Authentication
Secure access controls and identity verification
  • JWT Authentication: Industry-standard JSON Web Tokens for secure session management with http-only cookies
  • Bcrypt Password Hashing: Passwords are hashed using bcrypt with salting (never stored in plain text)
  • Authentication: Enterprise-grade auth service with JWKS verification
  • Two-Factor Authentication: Additional security layer available for account protection (coming soon)
Secure Infrastructure
Enterprise-grade cloud infrastructure with multiple layers of protection
  • SOC 2 Compliant: Our infrastructure providers maintain SOC 2 Type II certification
  • Firewalls: Network-level firewalls protect against unauthorized access
  • DDoS Protection: Distributed denial-of-service attack mitigation
  • Intrusion Detection: Real-time monitoring for suspicious activity and security threats
Data Protection
Your data is yours—we never sell it or use it for advertising
  • Role-Based Access: Strict access controls limit system access on a need-to-know basis
  • Data Isolation: Your data is logically isolated from other users' data
  • Automated Backups: Daily encrypted backups with 90-day retention for disaster recovery
  • Data Deletion: Permanent deletion within 30 days when you delete your account
  • Data export: You are not locked in. You are free to export all your data anytime you want to
24/7 Monitoring
Continuous security monitoring and threat detection
  • Security Logs: Comprehensive logging of authentication attempts, access patterns, and system events
  • Anomaly Detection: Automated alerts for unusual activity or suspicious behavior
  • Regular Audits: Periodic security audits and vulnerability assessments
Compliance & Certifications
We comply with industry standards and data protection regulations
  • GDPR Compliant: European General Data Protection Regulation compliance
  • CCPA Compliant: California Consumer Privacy Act compliance
  • PCI-DSS: Payment Card Industry Data Security Standards (via Stripe)

Security Practices

1. Application Security

  • Secure Development: We follow secure coding practices and conduct code reviews
  • Dependency Management: Regular updates to third-party libraries and frameworks to patch security vulnerabilities
  • Input Validation: All user input is validated and sanitized to prevent injection attacks (SQL injection, XSS, CSRF)
  • Rate Limiting: API endpoints are rate-limited to prevent abuse and brute-force attacks

2. Network Security

  • HTTPS Only: We enforce HTTPS (TLS 1.2+) for all connections—no unencrypted HTTP traffic
  • Security Headers: HTTP security headers (HSTS, CSP, X-Frame-Options) protect against common web vulnerabilities
  • Production Access: Administrative access to production systems requires multi-factor authentication and private keys
  • Network Segmentation: Database and application servers are isolated in separate network segments

3. Access Controls

  • Principle of Least Privilege: Users and systems have only the minimum permissions necessary
  • Multi-Factor Authentication: Required for all administrative access to all production systems
  • Session Management: Automatic session timeout after inactivity, secure cookie handling
  • Audit Trails:

4. Data Security

  • Encryption at Rest: All database records are encrypted using AES-256
  • Encryption in Transit: TLS 1.2+ for all network communications
  • Secure Deletion: Data is securely wiped (not just marked as deleted) when you request to delete your account
  • Backup Encryption: All backups are encrypted

Third-Party Security

Plaid (Bank Account Connections)

When you connect bank accounts via Plaid, Plaid handles your financial institution credentials using bank-level security:

  • Read-Only Access: Plaid uses read-only connections—they cannot move money or make transactions
  • Your Credentials: Plaid collects your bank login credentials. We never see or store them
  • MFA Support: Plaid supports multi-factor authentication for supported institutions
  • Compliance: Plaid is SOC 2 Type II certified and complies with data protection regulations
  • Security Details: See Plaid's Security & Trust page

Stripe (Payment Processing)

Stripe processes all payments and handles your payment card information:

  • PCI-DSS Level 1: Stripe is certified at the highest level of payment card industry security
  • Card Details: Stripe collects your credit card information. We never see or store them
  • Encryption: All payment data is encrypted in transit and at rest
  • Fraud Detection: Stripe's machine learning models detect and prevent fraudulent transactions
  • Security Details: See Stripe's Security documentation

Vulnerability Management

Security Audits

We conduct regular security assessments to identify and address vulnerabilities:

  • Automated Scanning: Daily vulnerability scans of our infrastructure and application code
  • Dependency Audits: Automated checks for known vulnerabilities in third-party libraries
  • Penetration Testing: Periodic manual penetration testing

Patch Management

  • Critical Patches: Security patches for critical vulnerabilities are applied within 24 hours

Incident Response

Security Incident Procedures

In the event of a security incident affecting user data, we follow a defined incident response process:

  • Detection: Automated monitoring and anomaly detection identify potential incidents
  • Containment: Immediate action to isolate and contain the incident
  • Investigation: Forensic analysis to determine scope, impact, and root cause
  • Remediation: Fix vulnerabilities and restore normal operations
  • Notification: Notify affected users and regulatory authorities as required by law
  • Post-Incident Review: Document lessons learned and improve processes

Data Breach Notification

If a data breach affects your personal information, we will:

  • Notify you via email within 72 hours of discovering the breach
  • Describe the nature of the breach and data affected
  • Explain steps we are taking to address the breach
  • Provide guidance on actions you can take to protect yourself
  • Notify relevant regulatory authorities as required by law (GDPR, CCPA, etc.)

Your Responsibility

While we implement strong security measures, you play a critical role in protecting your account:

Best Practices for Account Security

  • Strong Password: Use a unique password with at least 12 characters (mix of letters, numbers, symbols)
  • Password Manager: Consider using a password manager to generate and store strong passwords
  • No Password Sharing: Never share your Glynto password with anyone
  • Secure Email: Keep your email account secure (it's used for account recovery and notifications)
  • Log Out: Always log out when using shared or public devices
  • Phishing Awareness: Be cautious of emails asking for your password or login credentials (we will never ask for your password via email)
  • Monitor Activity: Regularly review your account activity for any unauthorized access
  • Report Suspicious Activity: Contact us immediately at security@glynto.com if you suspect unauthorized access

Reporting Security Issues

We appreciate the security research community's efforts to help keep Glynto secure. If you discover a security vulnerability, please report it responsibly:

Responsible Disclosure

  • Email: security@glynto.com
  • Subject Line: Include "Security Vulnerability Report" in the subject
  • Details: Provide detailed information about the vulnerability, steps to reproduce, and potential impact
  • Confidentiality: Please allow us reasonable time to investigate and address the issue before public disclosure

Please do not:

  • Access or modify other users' data
  • Disrupt service availability or performance
  • Publicly disclose the vulnerability before we've had a chance to fix it

Our Commitment

  • We will acknowledge your report within 48 hours
  • We will provide regular updates on our progress
  • We will not pursue legal action against researchers who follow responsible disclosure practices

Security Transparency

We believe in transparency about our security practices. This page will be updated as we enhance our security measures and achieve new compliance certifications.

Last updated: January 29, 2024

Questions?

For security-related questions, concerns, or reports, please contact our security team:

Security Contact

Email: security@glynto.com
Response Time: We aim to respond to security inquiries within 48 hours

For general privacy questions, see our Privacy Policy or contact privacy@glynto.com.