Security at SpyGlow

Last updated: February 2026

Overview

We build SpyGlow with a security-first mindset. This page describes how we protect your data, authenticate users, and handle AI processing. If you have questions, contact us by email.

Data Protection

  • Encryption in transit: All communication between your browser and our servers uses TLS 1.2+ (HTTPS). API calls from the frontend are proxied through a secure backend layer.
  • Encryption at rest: We use MongoDB for data storage, which encrypts all data at rest with AES-256 at the storage-volume level.
  • Secrets management: Application secrets (API keys, database credentials) are stored in environment variables on the server, never in client-side code or public repositories.
  • Access control: Production server access is restricted to authorized personnel only.

Authentication & Sessions

  • Authentication: SpyGlow uses email and password authentication with optional one-time password (OTP) verification. Sessions are managed via secure JSON Web Tokens (JWT).
  • Rate limiting: Login attempts and API requests are rate-limited to prevent brute-force attacks and abuse.
  • Input validation: All user inputs are validated and sanitized on both the frontend and backend before processing.

AI & Data Processing

  • Data isolation: Each user's competitive intelligence data (competitor lists, monitoring history, AI-generated insights) is scoped to their account and cannot be accessed by other users.
  • AI processing: When you use features like AskGlow, Content Gap Analysis, or Battle Cards, your queries and relevant data are sent to third-party AI providers for processing. These providers do not use your data to train their models.
  • No model training: We do not use your private data, competitor lists, or generated insights to train any public AI models.
  • Caching: To improve response times, AI context data may be temporarily cached (up to 20 minutes) and is automatically purged after expiration.

Infrastructure

  • Hosting: SpyGlow runs on a virtual private server with process management and automatic restarts for high availability.
  • Reverse proxy: All traffic is routed through Nginx, which handles TLS termination and request forwarding.
  • Monitoring: We use centralized logging and automated health checks to detect and respond to issues. Sensitive customer data is not included in application logs.

Subprocessors

We work with the following third-party services to deliver SpyGlow:

Provider       | Purpose                                                    | Data shared
---------------|------------------------------------------------------------|---------------------------------------
OpenAI         | AI analysis, content generation, competitive intelligence  | User queries, competitor data excerpts
Perplexity AI  | Web search for real-time competitive data                  | Search queries
MongoDB        | Database hosting                                           | All application data
Dodo Payments  | Subscription billing                                       | Payment and billing info
Resend         | Transactional email delivery                               | Email address, email content

Vulnerability Disclosure

If you discover a security vulnerability, please report it to us by email. We will:

  1. Acknowledge receipt within 48 hours
  2. Investigate and provide an initial assessment within 5 business days
  3. Keep you updated on remediation progress

We ask that you give us reasonable time to address the issue before any public disclosure.

What We're Working On

We are continuously improving security. Planned enhancements include:

  • Two-factor authentication (2FA)
  • Enhanced security headers (CSP, HSTS)
  • SOC 2 preparation

Contact

Security questions? Contact us by email.