Security

Your data, protected like it's our own.

DPDP-compliant. India-hosted. End-to-end encrypted. Audit-logged. We take security as seriously as we take our product.

Encryption everywhere

All data in transit encrypted with TLS 1.3. Data at rest encrypted with AES-256. Secret keys managed by Supabase Vault (hardware-backed).

Data in India

Primary database hosted on AWS Mumbai (ap-south-1). Backups in same region. No data transferred outside India without your consent.

Access control

Row-Level Security (RLS) enforced at database level. Only you can see your data. Internal staff have zero access to customer business data without explicit permission.

Audit logging

Every action is logged with user, timestamp, and IP. Audit logs retained for 90 days. Suspicious activity triggers automatic alerts.

DPDP compliance

Full compliance with India's Digital Personal Data Protection Act 2023. Grievance Officer available. Breach notification within 72 hours.

Regular audits

Quarterly internal security reviews. Annual third-party penetration testing (VAPT). SOC 2 Type II certification in progress (target: Month 18).

Technical details

Infrastructure

  • Hosting: Vercel (global edge), Supabase (Mumbai database)
  • CDN: Cloudflare (DDoS protection + SSL)
  • Backups: Automatic daily backups, 7-day retention, same-region
  • Uptime target: 99.5% for Starter/Pro/Business; 99.9% for Enterprise (with SLA credits)

Authentication

  • Customer auth: Email OTP + optional Google OAuth (no passwords stored)
  • Session security: httpOnly cookies, SameSite=Lax, 30-day expiry
  • Google Business Profile access: OAuth 2.0, read-only + post-on-behalf scopes only. You can revoke anytime.
  • 2FA: Optional for all accounts, mandatory for Enterprise team admins
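The session-cookie attributes listed above (httpOnly, SameSite=Lax, 30-day expiry), as an added example that is not Glowmap's own code: `buildSessionCookie` emits a `Set-Cookie` header carrying those attributes plus `Secure`, and `auditSetCookie` checks an arbitrary `Set-Cookie` header for the weak settings a reviewer would flag. The function names, cookie name and sample values are assumptions; the 30-day `Max-Age` is the expiry stated above.

```typescript
// Added example (not Glowmap's code): session cookie hardening and a checker.

// 30 days, matching the session expiry stated on the page.
const THIRTY_DAYS_SECONDS = 30 * 24 * 60 * 60; // 2592000

interface SessionCookieOptions {
  name: string;          // cookie name (assumed)
  value: string;         // opaque random session id; never user data
  maxAgeSeconds: number; // lifetime bound enforced by the browser
}

// Builds a Set-Cookie header value with the hardened attribute set.
function buildSessionCookie(opts: SessionCookieOptions): string {
  const parts = [
    `${opts.name}=${encodeURIComponent(opts.value)}`,
    "Path=/",
    `Max-Age=${opts.maxAgeSeconds}`,
    "HttpOnly",     // not readable from page JavaScript, so XSS cannot read the token
    "Secure",       // only sent over TLS
    "SameSite=Lax", // withheld on cross-site POST/fetch; top-level GET navigations still carry it
  ];
  return parts.join("; ");
}

// Parses a Set-Cookie header and returns a list of weaknesses (empty if none).
function auditSetCookie(header: string, maxAllowedAgeSeconds = THIRTY_DAYS_SECONDS): string[] {
  const findings: string[] = [];
  const segments = header.split(";").map((s) => s.trim()).filter((s) => s.length > 0);
  // First segment is name=value; the rest are attributes (case-insensitive names).
  const attrs = new Map<string, string>();
  for (const seg of segments.slice(1)) {
    const [rawKey, ...rest] = seg.split("=");
    attrs.set(rawKey.trim().toLowerCase(), rest.join("=").trim());
  }

  if (!attrs.has("httponly")) findings.push("missing HttpOnly");
  if (!attrs.has("secure")) findings.push("missing Secure");

  const sameSite = (attrs.get("samesite") ?? "").toLowerCase();
  if (sameSite === "") {
    findings.push("missing SameSite (browser default varies)");
  } else if (sameSite === "none" && !attrs.has("secure")) {
    findings.push("SameSite=None requires Secure");
  } else if (!["lax", "strict", "none"].includes(sameSite)) {
    findings.push(`unknown SameSite value: ${sameSite}`);
  }

  const maxAge = attrs.get("max-age");
  if (maxAge !== undefined) {
    const seconds = Number.parseInt(maxAge, 10);
    if (Number.isNaN(seconds) || seconds < 0) {
      findings.push("Max-Age is not a non-negative integer");
    } else if (seconds > maxAllowedAgeSeconds) {
      findings.push(`Max-Age ${seconds}s exceeds allowed ${maxAllowedAgeSeconds}s`);
    }
  }
  return findings;
}

// Constructed sample headers: one hardened, one weak.
const hardenedHeader = buildSessionCookie({
  name: "session",
  value: "opaque-random-id", // constructed placeholder, not a real token
  maxAgeSeconds: THIRTY_DAYS_SECONDS,
});
const weakHeader = "session=opaque-random-id; Path=/; Max-Age=31536000; SameSite=None";

console.log(hardenedHeader, auditSetCookie(hardenedHeader));
console.log(weakHeader, auditSetCookie(weakHeader));
```

Running the block prints no findings for the hardened header and four for the weak one (no HttpOnly, no Secure, SameSite=None without Secure, and a one-year Max-Age over the 30-day bound). The checker is useful as a unit test against whatever framework actually sets the cookie, since framework defaults for SameSite and Secure differ.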

Data handling

  • What we store: Your business details, Google review content, Glowmap-generated replies, post schedules, audit logs
  • What we don't store: Your Google password, credit card details (handled by Razorpay), customer PII beyond what's publicly on GBP
  • AI processing: Only public review text is sent to Anthropic (Claude). No PII, no medical/legal details, no contact info
  • Deletion: Account cancellation triggers 30-day grace period, then permanent deletion

Employee access

  • Internal staff cannot access customer business data unless you explicitly grant access (e.g., for a support issue)
  • All staff access is logged and audited
  • Background checks for all full-time staff
  • Offboarding removes all access within 1 hour of departure

Reporting security issues

Found a bug or security vulnerability? We want to know. Email support@glowonthemap.com with details. We typically respond within 24 hours. Responsible disclosure appreciated — we'll credit you publicly (with permission) and may offer bug bounties for valid issues.

Security roadmap

  • 🟢 Now: DPDP compliance, TLS 1.3, AES-256 at rest, RLS, audit logs
  • 🟡 Month 6: VAPT (third-party pen test)
  • 🟡 Month 12: SOC 2 Type I certification
  • 🔵 Month 18: SOC 2 Type II certification
  • 🔵 Month 24: ISO 27001 certification (Enterprise tier trigger)

Questions about security?

Enterprise customers can request our full Security Whitepaper, VAPT reports (when available), and sign a custom DPA.
