Compliance
DealGlass is undergoing an independent SOC 2 Type II examination and maintains GDPR readiness. Controls are continuously monitored through a third-party compliance platform, and the current status of every control is available in our Trust Center.
Encryption
- In transit. All traffic is served exclusively over TLS, with HTTP Strict Transport Security enforced.
- At rest. Backups and object storage are encrypted with AES-256 in Amazon S3, with cross-region replication.
- Migration of primary data stores to managed, encrypted-at-rest services is proceeding under our infrastructure roadmap.
Access control
- Application sessions are authenticated with signed tokens delivered in HttpOnly, Secure cookies; credentials are hashed with bcrypt.
- Multi-factor authentication (TOTP with recovery codes) is available to all users.
- Administrative access is granted on a least-privilege basis and subject to periodic review.
- Customer data is logically separated by workspace.
Application & infrastructure hardening
- Standard security response headers are enforced (HSTS, X-Content-Type-Options, X-Frame-Options).
- Rate limiting is applied to authentication and API endpoints.
- Privileged actions are recorded in append-only audit logs archived to immutable (WORM) storage.
- Error monitoring is configured to exclude personally identifiable information.
- Databases are not exposed to the public network; ingress terminates at a TLS reverse proxy.
Resilience
Database backups run on an automated schedule and are encrypted and cross-region replicated. We maintain documented disaster-recovery and incident-response procedures, and monitor production infrastructure for threats on a continuous basis.
Data & privacy
Our processing of personal data, and the subprocessors engaged to deliver the service, are described in our Privacy Policy, Cookie Policy, and the subprocessor register within our Trust Center.
Reporting a concern
Security researchers and customers may report vulnerabilities or security concerns to security@dealglass.com. We acknowledge good-faith reports, coordinate on remediation, and will not pursue legal action against researchers acting in good faith.