Security Measures & FAQ

Last updated: February 1, 2024

Gluetrail is a no-code tool for building forms, combined with automation and interactions. Gluetrail provides web UI and form components (text inputs, dropdowns, date pickers, widgets...), queries (connect easily to systems and databases), and automations (upsert actions, send messages…) that can be connected together to build interactive and dynamic forms or UI features.

Since Gluetrail is exposed to and handles customer data, the security and compliance of the platform are our utmost priority.

General Considerations

The purpose of our security framework is to:

  1. Protect the confidentiality, integrity, privacy, and security of personal/private information;

  2. Protect against any reasonably anticipated threats or hazards to the privacy, security, integrity, availability and confidentiality of such information; and

  3. Protect against unauthorized access, disclosure to or use of such information in a manner that is non-compliant with the laws, regulations and standards that the Company is required to meet.

In our day to day, this means:

  • Appointing an Information Security Coordinator (our CTO) who is responsible for implementing/revising policies, monitoring/testing, and providing training to other employees on policies, procedures and good practices (for instance enforcing use of 2FA and password management software). He is also responsible for training around engineering security guidelines: secrets and credentials management, repository/versioning management, testing framework (unit testing, integration testing, load testing, end-to-end testing), logs and traceability.

  • Identifying reasonably foreseeable internal and external risks to the security, confidentiality and integrity of personal/private information, and periodically reviewing/updating those risks.

  • Designing and implementing reasonable and appropriate measures, policies and procedures to minimize risks. We select security measures considering the size, complexity and capabilities of Gluetrail as a Company, their costs, and the probability/criticality of potential risks to data.

Our cloud operations are embedded in an established, large, secure cloud environment (Render Deploy), ensuring a solid foundation for security and reliability. 

We make use of available security features such as Secrets management, centralized and automated configuration management, and enforcement of multi-factor authentication for all internal access.

Data Protection
Do you process personal data?

Gluetrail processes personal data in the same way as any other data processed on the platform. However, Gluetrail does not require personally identifiable information or personal data to work. Gluetrail customers have the flexibility to control what data is collected and processed. We can help your organization ensure that personal data is not processed on the Gluetrail platform and reduce your compliance processes and burden.

  • Gluetrail does not store 3rd party data.

  • Gluetrail is data-neutral – we do not know what data you choose to send to our platform. If our engine can process it, then it will, but there is no inspection or monitoring by Gluetrail of the underlying data payloads. Gluetrail does not make any data-based decisions other than following your instructions as you configure the platform to perform your desired operations.

  • Gluetrail is also data-agnostic – Gluetrail will take no action based on the nature of any particular data or its classification. All incoming data is dealt with identically. 

  • We do not process racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership unless explicitly provided.

What does Gluetrail connect to?

Gluetrail connects to business systems for which it has built-in connectors. Gluetrail needs Read access to the systems it pulls information from and Write access to the systems it updates information in. In addition, it only needs access to the data the user wishes to leverage in Gluetrail (as detailed in the previous question).

3rd party systems are added with an OAuth 2 authentication flow, which allows users to revoke read and write access at any time through their own 3rd party application.

Who, at Gluetrail, has access to your data?

Role segregation ensures that only necessary personnel have access to sensitive data. Access to Customer Data is limited to functions with a business requirement to do so. Gluetrail has implemented layers of access controls for administrative roles and privileges. 

Access to environments that contain Customer Data requires a series of authentication and authorization controls, including Multi-Factor Authentication (MFA). Gluetrail enforces the principles of least privilege and need-to-know for access to Customer Data, and access to those environments is monitored and logged for security purposes.

Role segregation also ensures that only administrator personnel can authorize/grant/revoke access to the company's system resources. Such action would be on a case-by-case basis, and logged accordingly.

Recurring, role-based training is used to maintain awareness of security within Gluetrail culture.

New user onboarding and access to Gluetrail

New users can create their account via a signup link provided by Gluetrail.

To log into Gluetrail, Gluetrail enforces complex passwords which consist of at least seven characters, including three of the following four character types: uppercase letters, lowercase letters, numeric digits, and non-alphanumeric characters such as & $ * and !. 

Due to the inherent security risks of usernames and passwords and the additional complexity of supporting them, we encourage all new users to sign up and log in via the Login with Google button.

In addition, Gluetrail can provide optional 2FA for customers.

Data portability

Individuals can easily obtain, move, copy, transfer and reuse their data from Gluetrail (which would mostly consist of application logs and data transformation configurations, since Gluetrail does not store customer’s data it pulls from business systems), upon request via email to support@gluetrail.com. The data will be provided in a commonly used, machine-readable format.

Customer data retention

As of today, we keep all user activity logs indefinitely given the company size / customer base. We provide 1 year of data retention by default (except for internal activity logs).

Gluetrail uses Render Postgres to store all data in a multi-tenant architecture.

Infrastructure
Data center physical and environmental security

Gluetrail production infrastructure is hosted in Cloud Service Provider (CSP) environments. Physical and environmental security controls for Gluetrail production servers, which include buildings and the locks or keys used on doors, are managed by these CSPs.

Gluetrail solely uses Render as its CSP today, which has strict security policies as stated in the following document: https://trust.render.com/

What logs do you collect?

We collect the following logs:

  • Suspicious activity logs are collected with Cloudflare. We receive HTTP DDoS Attack Alerts for DDoS attacks from the Cloudflare Notification System.

  • User activity on Gluetrail is logged with an in-house logging system. The following user activities are logged (user id, timestamp, error/success for each):

    • Login/Logout attempt

    • Enabling/Disabling 2FA attempt

    • Reset Password

    • Invite User

    • Create/Update an app

    • View an app

As of today, we keep all user activity logs indefinitely given the company size / customer base. This may evolve in the future. 

What 3rd party services do you use for your infrastructure?

We leverage the following services with corresponding security access measures:

  • Render: Using Google OAuth 2.0

  • GitHub: Password + 2FA (Google Authenticator)

  • Google: Password + 2FA

  • Slack: Using Google OAuth 2.0

  • Cloudflare: Password + 2FA

Password complexity is determined by the services above.

Render hosts the databases containing Customer Data. Render, our cloud provider, offers a host of compliance certifications: https://trust.render.com.

Processing operations

Data submitted to the Gluetrail service by authorized users is considered confidential. This data is protected in transit across public networks and encrypted at rest. Customer Data is not authorized to exit the Gluetrail production service environment, except in limited circumstances such as in support of a customer request.

All data transmitted between Gluetrail and Gluetrail users is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted, the Gluetrail application is inaccessible.

Data encryption

Render encrypts all sensitive data, both at rest and in transit. The underlying services automatically use industry standard AES-256 encryption for storage.

Certifications - Are you SOC 2 compliant?

We are an early-stage startup and as a result are not SOC 2 compliant. Becoming SOC 2 compliant will be a priority in the end-of-2024 timeframe.

Render, our cloud provider, offers a host of compliance certifications: https://trust.render.com/

We realize that we need to go far beyond Render's compliance certifications in order to satisfy the needs of our customers, and it is something we will focus on as part of our SOC 2 audit.

Service availability

While we have no formal SLA regarding service availability rate, we strive to operate at a 99.9% availability rate. There are no penalties associated with an outage period.

Backup database

We use one Postgres instance. Render creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases. As of today, database snapshots can be manually restored through the Render admin account.

Security breach notification process

Steps required in case of a data breach:

  • Identify and immediately stop the source or entity responsible for the breach

  • Carry out an IT forensic investigation to gather evidence and determine the course of events, as well as identify the electronic protected information compromised

  • Identify and sequester pertinent records, metrics, processes, datapoints, files, and other documents (paper and electronic)

  • Communicate with stakeholders via e-mail or telephone to inform them and respond to the incident in under 24 hours

  • Ensure that the communications coordinator has a clear understanding of the technical issues behind the incident

  • Track incident response and mitigate the security breach incident

Additional Links

Privacy policy: https://www.gluetrail.com/privacy

Terms of service: https://www.gluetrail.com/terms-of-service

Data processing addendum: https://www.gluetrail.com/data-processing-addendum