Trust
Security at Glytos
A platform built on transparency has to be trustworthy underneath. Here is how we protect your account and your end users conversations.
Encryption everywhere
Strong authentication
Tenant isolation
Privacy controls
Your keys, protected
Abuse resistance
Data protection
Traffic to Glytos is encrypted with TLS. Sensitive secrets, such as the provider API keys you store, are encrypted at rest. Call recording is off by default and enabled only per agent; optional PII redaction strips emails, phone numbers, and card or ID-like numbers from stored transcripts when a call completes.
Access and isolation
Authentication is required on every state-changing request. Authorization is scoped to your organization, and each query is filtered by tenant so one customer can never read another customer data. Recording playback uses short-lived, unguessable links rather than public URLs.
Application security
The platform avoids the common high-impact classes: no dynamic code execution, parameterized database access only, output handling that prevents template injection, and an outbound request guard that blocks attempts to reach internal or private network addresses. A strict cross-origin policy is enforced in production.
Privacy and compliance controls
You decide what is retained and for how long. HIPAA mode forces transcript redaction and disables recording. For Turkey KVKK and GDPR, the dashboard offers a personal-data export.
Operational practices
Production runs with hardened configuration validated at startup, least-privilege access for our team, and audit logging of administrative actions. We keep dependencies current and review changes before they ship.
Responsible disclosure
If you believe you have found a security issue, please tell us before disclosing it publicly. We investigate every report, act in good faith, and will not pursue researchers who follow responsible disclosure.