Trust Report

Glovair's Commitment to Security, Privacy, and Transparency

Executive Summary

Glovair is committed to maintaining the highest standards of security, privacy, and transparency. This Trust Report outlines our security practices, compliance certifications, and commitment to protecting customer data. We believe trust is earned through transparency and consistent security practices.

🔒 Your data is protected with enterprise-grade security

1. Security Infrastructure

Data Encryption

  • In Transit: TLS 1.3 encryption for all data transmitted over networks
  • At Rest: AES-256 encryption for stored personal data
  • Payment Data: PCI DSS Level 1 compliant through Stripe and PayPal
  • Database Encryption: All databases use per-table encryption

Network Security

  • Enterprise-grade firewalls and DDoS protection
  • Web Application Firewall (WAF) with threat detection
  • Intrusion Detection and Prevention Systems (IDS/IPS)
  • Regular penetration testing by independent third parties
  • Secure API endpoints with rate limiting and authentication

Access Control

  • Multi-factor authentication (MFA) support for all accounts
  • Role-based access control (RBAC) for staff
  • Principle of least privilege for system access
  • Regular access reviews and audit logs
  • Session timeout and automatic logout mechanisms

2. Compliance Certifications

🏆 SOC 2 Type II

Status: Compliant

Independent audit confirming our security controls, availability, processing integrity, and confidentiality measures meet SOC 2 standards. Annual audits ensure continuous compliance.

🔐 GDPR (General Data Protection Regulation)

Status: Fully Compliant

All data processing activities comply with GDPR requirements. We respect all data subject rights including access, rectification, erasure, and data portability.

🛡️ CCPA (California Consumer Privacy Act)

Status: Fully Compliant

California residents have the right to know, delete, and opt out of data sales. We provide these rights through clear opt-in/opt-out mechanisms.

💳 PCI DSS Level 1

Status: Compliant

Highest level of payment card industry compliance. Payment processing is handled by certified providers (Stripe, PayPal). We never store raw card data.

📋 ISO 27001

Status: Implementing (Certification in progress)

International standard for information security management systems. Implementation roadmap includes full certification by Q3 2026.

3. Data Privacy Practices

Collection & Use

  • We only collect data necessary to provide our services
  • Clear opt-in mechanisms for marketing communications
  • Easy opt-out options in every marketing email
  • Transparent privacy notices at data collection points
  • Privacy by Design principles embedded in all new features

Data Sharing

  • We do not sell personal data to third parties
  • Limited sharing with trusted service providers under strict agreements
  • All sub-processors are contractually bound to maintain security
  • Full transparency about who we share data with
  • Customers control their own data sharing preferences

Data Retention

  • Personal data retained only as long as necessary
  • Automatic deletion of inactive accounts after 2 years
  • Secure deletion of all customer data upon account termination
  • Legal data retained for 7 years in encrypted archives
  • Customers can request data export or deletion anytime

4. Incident Response & Breach Notification

Incident Response Team

Glovair maintains a dedicated security team that operates 24/7 to monitor systems and respond to incidents:

  • Real-time security monitoring and alerting systems
  • Documented incident response procedures
  • Regular incident simulations and tabletop exercises
  • Vendor incident response support agreements
  • Forensic analysis capabilities

Breach Notification Policy

In the event of a data breach affecting customer data:

  1. Customers are notified within 72 hours of discovery
  2. Detailed information about the breach is provided
  3. Recommended protective actions are shared
  4. Regulatory authorities are notified as required
  5. Complete transparency about impact and remediation

Incident Reporting: [email protected]

5. Infrastructure & Uptime

Hosting & Infrastructure

  • Multi-region cloud infrastructure for redundancy
  • Automatic failover between data centers
  • Geographic data replication for disaster recovery
  • Load balancing across multiple servers
  • 99.99% uptime SLA with transparent status page

Monitoring & Performance

  • Real-time performance monitoring and alerting
  • Automated system health checks every 60 seconds
  • Capacity planning to prevent outages
  • Database performance optimization
  • CDN integration for fast global content delivery

Backup & Disaster Recovery

  • Continuous backup of all customer data
  • Multiple backup locations across different regions
  • Regular restore testing to ensure backup integrity
  • Recovery time objective (RTO) of 1 hour
  • Recovery point objective (RPO) of 15 minutes

6. Security Testing & Vulnerability Management

Regular Testing

  • Quarterly penetration testing by independent firms
  • Monthly vulnerability scanning of all systems
  • Annual security architecture review
  • Automated vulnerability detection integrated in CI/CD pipeline
  • Bug bounty program to incentivize responsible disclosure

Vulnerability Management

  • CVSS severity-based prioritization
  • Critical vulnerabilities patched within 24 hours
  • High severity vulnerabilities patched within 7 days
  • Medium and low severity patched within 30 days
  • Transparent communication of security patches

Responsible Disclosure

We have a responsible vulnerability disclosure policy. Security researchers can report vulnerabilities to: [email protected]

7. Employee Security & Training

Access & Accountability

  • Background checks for all employees with data access
  • Signed confidentiality and security agreements
  • Multi-factor authentication required for all staff systems
  • Role-based access control with regular audits
  • Automatic session logout after 15 minutes of inactivity

Training & Awareness

  • Annual security awareness training for all employees
  • Quarterly data privacy training
  • Phishing simulation tests and awareness campaigns
  • Security best practices documentation
  • Incident response training for relevant staff

Offboarding

  • Immediate access revocation upon termination
  • Secure deletion of company data from personal devices
  • Return of all company equipment
  • Final data access audit

8. Legal & Compliance

Data Processing Agreements

We maintain standard Data Processing Agreements (DPA) that comply with GDPR and other regulations. Customers can request modified DPAs for specific requirements.

Regulatory Cooperation

  • Full cooperation with regulatory investigations
  • Timely response to data subject access requests
  • Support for regulatory audits
  • Transparent disclosure of legal requests
  • Compliance with international data protection laws

Legal Requests

We only disclose customer data in response to valid legal requests (subpoenas, warrants, court orders). We:

  • Notify customers of legal requests when legally permitted
  • Publish annual transparency reports
  • Challenge overly broad requests
  • Disclose only the minimum data necessary

9. Transparency & Reporting

Annual Trust Report

This report is updated annually and published on our website. We provide transparency about:

  • Security incidents (if any)
  • Compliance certifications and audit results
  • Third-party penetration test findings
  • Data protection improvements
  • Regulatory requests received

Status Page

Real-time system status available at: status.glovair.com

  • Current system uptime and performance metrics
  • Historical uptime data
  • Scheduled maintenance notifications
  • Incident history and resolution details

Transparency Reports

We publish transparency reports on:

  • Government data requests
  • Legal process compliance
  • Data breach incidents (if any)
  • Security vulnerabilities discovered and patched

10. Third-Party Audits & Certifications

Glovair's security practices are validated by independent third parties:

Annual SOC 2 Type II Audit

Comprehensive audit of security controls, availability, and data confidentiality

Quarterly Penetration Testing

Independent security firm tests for vulnerabilities

Monthly Vulnerability Scanning

Automated scanning for known vulnerabilities

Annual GDPR Compliance Review

External audit of data protection compliance

11. Customer Security Recommendations

Best Practices

  • Use Strong Passwords: Minimum 16 characters with mixed case, numbers, and symbols
  • Enable 2FA: Activate two-factor authentication on your account
  • Regular Updates: Keep your browser and OS updated
  • Secure Connection: Always use HTTPS when accessing Glovair
  • Privacy Settings: Review and adjust your privacy preferences regularly
  • Monitor Activity: Check login history and connected devices
  • Report Issues: Contact us immediately if you suspect unauthorized access

Phishing Prevention

  • Be cautious of emails asking for passwords or account information
  • Verify sender email addresses before clicking links
  • Check URLs before entering credentials
  • Report suspicious emails to us immediately
  • Never share your password or recovery codes

12. Continuous Improvement

Security is an ongoing process. Glovair is committed to:

  • Staying current with emerging security threats and best practices
  • Investing in security infrastructure and tools
  • Regular security audits and assessments
  • Expanding compliance certifications (ISO 27001 in 2026)
  • Implementing zero-trust security architecture
  • Enhancing encryption and data protection measures
  • Improving incident response capabilities
  • Expanding transparency and public reporting

2026 Roadmap

  • ISO 27001 certification
  • Advanced threat detection and AI-based monitoring
  • Enhanced encryption for at-rest data
  • Expanded bug bounty program
  • Public security dashboard
  • Publication of annual third-party penetration testing reports

Contact & Support

For security and privacy concerns:

General Support

[email protected]

Response time: 1-2 business days

Security Issues & Vulnerability Disclosure

[email protected]

Response time: 4 hours (24/7 monitoring)

CCPA & Data Requests

[email protected]

Response time: 5-10 business days

Privacy Concerns

[email protected]

Response time: 1-2 business days

This Trust Report was last updated on January 2, 2026.

Glovair is committed to maintaining and improving these security and privacy standards. This report reflects our current practices and will be updated annually or as significant changes occur.