
Security FAQ

Gluetrail is a Chrome extension that lets you create support, training and marketing assets 10x faster from a single screen and audio recording. From that one recording, Gluetrail combines your screen, clicks and audio transcript with AI to:

  • automatically create articles with screenshots (step by step, blog post...)

  • create enhanced videos using our online video editor (remove filler words/background noise or add an AI voice from text, zoom ins, accelerate...)

  • publish the content on 3rd party platforms using our Notion, Confluence, Intercom,... integrations, on a Gluetrail public page or simply download it

Since Gluetrail is exposed to and handles customer data, the security and compliance of the platform are our top priority.

General considerations

The purpose of our security framework is to:

  1. Protect the confidentiality, integrity, privacy, and security of personal/private information

  2. Protect against any reasonably anticipated threats or hazards to the privacy, security, integrity, availability and confidentiality of such information; and

  3. Protect against unauthorized access, disclosure to or use of such information in a manner that is non-compliant to the laws and regulations and standards that the Company is required to meet.

In our day to day, this means:

  • Appointing an Information Security Coordinator (our CTO) who is responsible for implementing and revising policies, for monitoring and testing, and for training other employees on policies, procedures and good practices (for instance enforcing the use of 2FA and password managers). He is also responsible for training on engineering security guidelines: secrets and credentials management, repository and versioning management, the testing framework (unit, integration, load and end-to-end testing), and logging and traceability.

  • Identifying reasonably foreseeable internal and external risks to the security, confidentiality and integrity of personal/private information; and periodically review/update those risks

  • Designing and implementing reasonable and appropriate measures, policies and procedures to minimize risks. We select security measures considering the size, complexity and capabilities for Gluetrail as a Company, their costs, and the probability/criticality of potential risks to data.

Our cloud operations are embedded in an established, large, secure cloud environment (AWS, deployed via our cloud deployment solution Render), ensuring a solid foundation for security and reliability. 

We use the security features available in that environment: a secrets manager with strong encryption and key management (access logs, rotation), centralized and automated configuration management, and enforced multi-factor authentication for all internal access.

Data Protection

Do you process personal data?

Gluetrail stores screen, audio and camera recordings created through the Chrome extension and/or uploaded directly as video.

Gluetrail processes personal data whenever such data is part of what you send to the platform, but Gluetrail does not require personally identifiable information or personal data in order to work. Customers control what data is collected and processed. We can help your organization ensure that no personal data is processed on the Gluetrail platform, which reduces your compliance burden.

  • Gluetrail is data-neutral – we do not know what data you choose to send to our platform. If our engine can process it, then it will, but there is no inspection or monitoring by Gluetrail of the underlying data payloads. Gluetrail does not make any data-based decisions other than following your instructions as you configure the platform to perform your desired operations.

  • Gluetrail is also data-agnostic – Gluetrail will take no action based on the nature of any particular data or its classification. All incoming data is dealt with identically. 

  • We do not process racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership unless a customer explicitly submits such data.

What does Gluetrail connect to?

Gluetrail connects to the business systems for which it has built-in connectors in order to publish content. Gluetrail needs write access to those systems.

Who, at Gluetrail, has access to your data?

Role segregation ensures that only necessary personnel have access to sensitive data. Access to Customer Data is limited to functions with a business requirement to do so. Gluetrail has implemented layers of access controls for administrative roles and privileges. 

Access to environments that contain Customer Data requires a series of authentication and authorization controls, including Multi-Factor Authentication (MFA). Gluetrail enforces the principles of least privilege and need-to-know for access to Customer Data, and access to those environments is monitored and logged for security purposes.

Role segregation also ensures that only administrator personnel can authorize, grant or revoke access to the company's system resources. Such actions are taken on a case-by-case basis and logged accordingly.

Recurring, role-based training is used to maintain security awareness as part of Gluetrail's culture.

Where is your data stored and how is it processed?

Data falls under 2 categories: permanent and non permanent.

1. Non-permanent data exists only during video processing and is deleted once the video is processed. It consists of screen recordings, pictures, audio files and the audio transcript. Audio recordings and transcripts are automatically deleted after 7 days by our transcription provider, Gladia.

2. Permanent data consists of the audio, video and screenshot files created on Gluetrail and hosted by Gluetrail in AWS's Paris region (eu-west-3).

New user onboarding and access to Gluetrail

New users can create their account via a signup link provided by Gluetrail

To log into Gluetrail, Gluetrail enforces complex passwords which consist of at least seven characters, including three of the following four character types: uppercase letters, lowercase letters, numeric digits, and non-alphanumeric characters such as & $ * and !. 

Because of the inherent security risks of usernames and passwords, and the additional complexity of supporting them, we encourage all new users to sign up and log in with the Login with Google button.

In addition, Gluetrail can provide optional 2FA for customers.

Data portability

Individuals can easily obtain, move, copy, transfer and reuse their data from Gluetrail, upon request via email to support@gluetrail.com. The data will be provided in a commonly used, machine-readable format.

Customer data retention

As of today, given our company size and customer base, we keep all user activity logs indefinitely. For all other customer data we apply a default retention period of 1 year.

Gluetrail uses AWS RDS Postgres for all stored data. Within each database, data is partitioned by tenant (customer) and by schema, which lets us apply different access control and retention policies per tenant.

Infrastructure

Data center physical and environmental security

Gluetrail's production infrastructure is hosted in Cloud Service Provider (CSP) environments. Physical and environmental security controls for the production servers, including buildings and the locks or keys used on doors, are managed by these CSPs.

Gluetrail solely uses Amazon Web Services as its CSP today. AWS states the following:

  • “Physical access is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. Authorized staff utilize multi-factor authentication mechanisms to access data centers. Entrances to server rooms are secured with devices that sound alarms to initiate an incident response if the door is forced or held open.” https://aws.amazon.com/compliance/data-center/controls/

  • "AWS proactively prepares for potential environmental threats, like natural disasters and fire. Installing automatic sensors and responsive equipment are two ways we safeguard our data centers. Water-detecting devices can alert employees to problems as automatic pumps work to remove liquid and prevent damage. Similarly, automatic fire detection and suppression equipment reduces risk and can notify AWS employees and firefighters of a problem." https://aws.amazon.com/compliance/data-center/environmental-layer/

What logs do you collect?

We collect the following logs:

  • Suspicious activity logs are collected by Cloudflare. We receive HTTP DDoS Attack Alerts for DDoS attacks from the Cloudflare Notification System.

  • User activity on Gluetrail is logged with an in-house logging system. The following user activities are logged (user id, timestamp, error/success for each):

    • Login/Logout attempt

    • Enabling/Disabling 2FA attempt

    • Reset Password

    • Invite User

    • Create/Update an app

    • View an app
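The activity log above (user id, timestamp, action, error/success) is enough to run simple account-takeover detection rules. As an added example, which is not Gluetrail's own logging or detection code, the Python below runs three such rules over constructed log lines: a burst of failed logins per user, a successful login right after such a burst, and 2FA being disabled shortly after a password reset or a suspicious login. The line format, the action names, the thresholds and the time windows are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not real Gluetrail data. The line format is an
# assumption; the FAQ only states that user id, timestamp and error/success
# are recorded for each of the listed activities.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=42 action=login result=error
2024-05-01T10:00:09Z user=42 action=login result=error
2024-05-01T10:00:15Z user=42 action=login result=error
2024-05-01T10:00:22Z user=42 action=login result=error
2024-05-01T10:00:30Z user=42 action=login result=error
2024-05-01T10:00:41Z user=42 action=login result=success
2024-05-01T10:01:00Z user=42 action=disable_2fa result=success
2024-05-01T10:05:00Z user=7 action=login result=success
2024-05-01T10:06:00Z user=7 action=view_app result=success
2024-05-01T11:30:00Z user=9 action=reset_password result=success
2024-05-01T11:31:00Z user=9 action=disable_2fa result=success
"""

FAIL_THRESHOLD = 5                         # failed logins per user ...
WINDOW = timedelta(minutes=10)             # ... within this sliding window
PRECURSOR_WINDOW = timedelta(minutes=15)   # disable_2fa this soon after a reset / suspicious login


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime ts."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "user": fields["user"],
        "action": fields["action"],
        "result": fields["result"],
    }


def detect(log_text):
    """Run the three rules over the log and return (user, rule, timestamp)
    findings in chronological order. Lines are sorted first, so out-of-order
    delivery from a log shipper does not break the sliding window."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    findings = []
    recent_failures = defaultdict(deque)  # user -> failed-login timestamps inside WINDOW
    in_burst = set()                      # users currently at or over FAIL_THRESHOLD
    precursor = {}                        # user -> time of last reset or suspicious login

    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if ev["action"] == "login":
            q = recent_failures[user]
            while q and ts - q[0] > WINDOW:   # drop failures that fell out of the window
                q.popleft()
            if ev["result"] == "error":
                q.append(ts)
                if len(q) >= FAIL_THRESHOLD and user not in in_burst:
                    in_burst.add(user)
                    findings.append((user, "login_brute_force", ts))
            else:
                if user in in_burst:
                    # a success right after a burst is the payoff of guessing/stuffing
                    findings.append((user, "login_success_after_burst", ts))
                    precursor[user] = ts
                q.clear()
                in_burst.discard(user)
        elif ev["action"] == "reset_password" and ev["result"] == "success":
            precursor[user] = ts
        elif ev["action"] == "disable_2fa" and ev["result"] == "success":
            last = precursor.get(user)
            if last is not None and ts - last <= PRECURSOR_WINDOW:
                findings.append((user, "2fa_disabled_after_suspicious_event", ts))
    return findings


if __name__ == "__main__":
    for user, rule, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} user={user} {rule}")
```

Running it on the sample flags user 42 three times (burst, success after the burst, then 2FA turned off) and user 9 once (2FA disabled a minute after a password reset), while user 7's ordinary session produces nothing. The per-user window is kept in a deque so the check stays linear in the number of events; in production the same rules would read from the log store rather than a string.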

What 3rd-party services do you use for your infrastructure?

We leverage the following services with corresponding security access measures:

  • AWS: Password + MFA

  • Qovery: Using Github Oauth 2.0

  • Github: password + 2FA (Google authenticator)

  • Google: Password + 2FA

  • Slack: Using Google Oauth 2.0

  • Cloudflare: Password + 2FA

Password complexity is determined by the services above.


AWS hosts the S3 storage that contains Customer Data. Amazon, our cloud provider, offers a host of compliance certifications: https://aws.amazon.com/compliance/

Processing Operations

Data submitted to the Gluetrail service by authorized users is considered confidential. This data is protected in transit across public networks and encrypted at rest. Customer Data is not authorized to exit the Gluetrail production service environment, except in limited circumstances such as in support of a customer request.

All data transmitted between Gluetrail and Gluetrail users is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If an encrypted connection cannot be established, the Gluetrail application is not reachable: it does not fall back to plaintext.
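Whether an HSTS deployment actually pins browsers to HTTPS depends on the header's directives, and on the plain-HTTP endpoint redirecting rather than serving content. As an added example, which is not Gluetrail's own code and is not a statement about how gluetrail.com is configured, the Python below parses a Strict-Transport-Security header, checks its max-age, includeSubDomains and preload directives, and checks the response a client gets when it first speaks plain HTTP. The sample responses are constructed; the one-year minimum for max-age is the value the browser preload lists require.

```python
import http.client

MIN_MAX_AGE = 31_536_000  # one year; the browser preload lists require at least this


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into {directive: value or True}.
    Directive names are case-insensitive (RFC 6797), so they are lower-cased."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives


def check_hsts(headers):
    """Return a list of findings for the HSTS policy in an HTTPS response's headers.
    `headers` is a mapping; lookup is case-insensitive. An empty list means OK."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("strict-transport-security")
    if value is None:
        return ["missing Strict-Transport-Security header"]
    d = parse_hsts(value)
    findings = []
    max_age = d.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        findings.append("max-age missing or not an integer")
    elif int(max_age) == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} below {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if "preload" not in d:
        findings.append("preload not set (optional; required for browser preload lists)")
    return findings


def check_plain_http_redirect(status, headers):
    """Findings for the response a client gets when it speaks plain HTTP first.
    Browsers ignore an HSTS header received over plain HTTP, so the only useful
    answer on port 80 is a permanent redirect to the https:// origin."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    if status not in (301, 308):
        findings.append(f"expected 301/308 redirect on plain HTTP, got {status}")
    location = lower.get("location", "")
    if not location.lower().startswith("https://"):
        findings.append("Location does not point at an https:// URL")
    return findings


def fetch_https_headers(host, path="/"):
    """Live helper (needs network): status and headers of an HTTPS GET. Not used
    by the sample run below, which works on constructed headers only."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders())


# Constructed sample responses, not captured from any real host.
GOOD_HTTPS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
              "Content-Type": "text/html"}
WEAK_HTTPS = {"strict-transport-security": "max-age=300"}
NO_HSTS = {"Content-Type": "text/html"}
GOOD_HTTP = (301, {"Location": "https://example.com/"})
BAD_HTTP = (200, {"Strict-Transport-Security": "max-age=63072000"})  # ignored over plain HTTP

if __name__ == "__main__":
    for name, h in [("good", GOOD_HTTPS), ("weak", WEAK_HTTPS), ("none", NO_HSTS)]:
        print(name, check_hsts(h) or "OK")
    print("http->https", check_plain_http_redirect(*GOOD_HTTP) or "OK")
    print("plain http 200", check_plain_http_redirect(*BAD_HTTP))
```

The WEAK case shows the common misconfiguration: a short max-age means the browser's HSTS knowledge expires after a few minutes of not visiting the site, so the next plain-HTTP request is exposed again. The BAD_HTTP case shows why sending the header over HTTP does nothing; the redirect itself is the only protection on that first request, and the preload directive exists to remove even that one exposure.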

Data encryption

Tokens and API credentials are stored in the Render Secrets Manager, which encrypts secrets such as database credentials and API keys and centrally audits access to them.

Certifications - Are you SOC 2 compliant?

We are an early stage startup and as a result are not SOC 2 compliant. Achieving SOC 2 compliance is a priority for the end-of-2024 timeframe.

Render, our cloud provider, offers a host of compliance certifications: https://render.com/trust

We realize that we need to go far beyond our provider's compliance certifications in order to satisfy the needs of our customers and it is something we will focus on as part of our SOC2 audit.

Service availability

While we have no formal SLA regarding service availability rate, we strive to operate at 99.9% availability rate. There are no penalties associated with an outage period.

Backup database

Render automatically takes a complete backup of every paid database once per day. Backups are available to download for at least seven days after they're created. 

Security breach notification process

Steps required in case of data breach:

  • Identify and immediately stop the source or entity responsible for the breach

  • Carry out IT forensic investigation to gather evidence and determine course of events as well as identify electronic protected information compromised

  • Identify and sequester pertinent records, metrics, processes, datapoints, files, and other documents (paper and electronic)

  • Communicate with stakeholders via e-mail or telephone to inform them of and respond to the incident within 24 hours

  • Ensure that the communications coordinator has a clear understanding of the technical issues behind the incident

  • Track incident response and mitigate the security breach incident


Additional links

Privacy policy: https://www.gluetrail.com/privacy

Terms of service: https://www.gluetrail.com/terms-of-service

Data processing addendum: https://www.gluetrail.com/data-processing-addendum 

Create guides & videos
with Gluetrail

Download the extension
and get started today!
