Partner Security at GlamFlow

An overview of GlamFlow's security practices, infrastructure, and commitments to protecting partner and customer data.
Last updated: April 1, 2025
  • 1. Our Security Commitment
  • 2. Infrastructure Security
  • 3. Data Encryption
  • 4. Access Controls
  • 5. Application Security
  • 6. Vulnerability Disclosure
  • 7. Incident Response
  • 8. Business Continuity and Disaster Recovery
  • 9. Compliance
  • 10. Employee Security
  • 11. Contact

1. Our Security Commitment

Security is a foundational priority at GlamFlow. We invest continuously in protecting the data entrusted to us by our customers, their clients, and our partners. This document outlines our key security practices and controls.

2. Infrastructure Security

GlamFlow's platform is hosted on leading cloud infrastructure providers with SOC 2 Type II and ISO 27001 certifications. Our infrastructure is deployed across multiple availability zones to ensure resilience.
We apply the principle of least privilege for all internal access, use network segmentation to isolate production environments, and maintain dedicated environments for development, staging, and production.

3. Data Encryption

All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256 encryption. Encryption keys are managed using dedicated key management services with strict access controls.

4. Access Controls

Access to production systems is restricted to authorized personnel based on job function. We enforce multi-factor authentication (MFA) for all internal systems. Access is regularly reviewed and revoked upon role change or departure.
Customer data is logically isolated and cannot be accessed by other customers. Administrative access is logged and monitored.

5. Application Security

Our software development lifecycle (SDLC) includes security at every stage: threat modelling during design, secure code review, automated static and dynamic analysis, and dependency vulnerability scanning.
We conduct annual third-party penetration tests and promptly remediate any findings. Critical patches are deployed within 24 hours of identification.

6. Vulnerability Disclosure

GlamFlow welcomes responsible disclosure of security vulnerabilities. If you believe you have found a security issue, please report it to [email protected]. We commit to:
  • acknowledging your report within 2 business days;
  • investigating and, if confirmed, remediating the issue in a timely manner;
  • not pursuing legal action against researchers who report in good faith and in accordance with our disclosure policy.

7. Incident Response

GlamFlow maintains a documented incident response plan. In the event of a confirmed security incident affecting customer data, we will:
  • contain and remediate the incident;
  • notify affected customers without undue delay (and within legally required timeframes);
  • provide guidance on steps customers can take to protect themselves.

8. Business Continuity and Disaster Recovery

GlamFlow maintains business continuity and disaster recovery plans that are tested regularly. We perform automated backups with geographic redundancy. Recovery time objectives (RTO) and recovery point objectives (RPO) are defined and reviewed annually.

9. Compliance

GlamFlow operates in compliance with applicable privacy laws including PIPEDA (Canada), and we assist customers with their obligations under GDPR, HIPAA, and other applicable regulations through our Data Processing Addendum and security controls.

10. Employee Security

All GlamFlow employees complete security awareness training upon hire and annually thereafter. Background checks are conducted for roles with access to sensitive systems. Employees are bound by confidentiality obligations.

11. Contact

For security inquiries or to report a vulnerability, contact: [email protected].