Trust

Security at Glytos

A platform built on transparency has to be trustworthy underneath. Here is how we protect your account and your end users conversations.

Encryption everywhere

TLS for all traffic in transit; provider credentials encrypted at rest with authenticated encryption.

Strong authentication

Passwords stored as bcrypt hashes; sessions use signed, algorithm-pinned, expiring tokens.

Tenant isolation

Every record is scoped to its organization and checked on each request, so data never crosses tenants.

Privacy controls

Optional PII redaction on stored transcripts, and a HIPAA mode that forces redaction and disables recording.

Your keys, protected

Bring-your-own provider keys are encrypted at rest and used only to serve your own requests.

Abuse resistance

Per-IP, per-organization, and per-key rate limits, plus guards against requests to internal network targets.

Data protection

Traffic to Glytos is encrypted with TLS. Sensitive secrets, such as the provider API keys you store, are encrypted at rest. Call recording is off by default and enabled only per agent; optional PII redaction strips emails, phone numbers, and card or ID-like numbers from stored transcripts when a call completes.

Access and isolation

Authentication is required on every state-changing request. Authorization is scoped to your organization, and each query is filtered by tenant so one customer can never read another customer data. Recording playback uses short-lived, unguessable links rather than public URLs.

Application security

The platform avoids the common high-impact classes: no dynamic code execution, parameterized database access only, output handling that prevents template injection, and an outbound request guard that blocks attempts to reach internal or private network addresses. A strict cross-origin policy is enforced in production.

Privacy and compliance controls

You decide what is retained and for how long. HIPAA mode forces transcript redaction and disables recording. For Turkey KVKK and GDPR, the dashboard offers a personal-data export.

Operational practices

Production runs with hardened configuration validated at startup, least-privilege access for our team, and audit logging of administrative actions. We keep dependencies current and review changes before they ship.

Responsible disclosure

If you believe you have found a security issue, please tell us before disclosing it publicly. We investigate every report, act in good faith, and will not pursue researchers who follow responsible disclosure.

Security · Glytos