
Security at SpyGlow

Last updated: November 29, 2025

Overview

We design SpyGlow with a security-by-default mindset. This page describes how we protect data, authenticate users, and secure our AI agents. If you have questions or need a completed security questionnaire, contact our security team by email.

Data Protection

  • Encryption in transit: All communication between client and server uses TLS (HTTPS).
  • Encryption at rest: We use managed cloud services (MongoDB Atlas) where data is encrypted at rest at the storage-volume level.
  • Secrets management: Application secrets are stored in environment variables, never in client code or public repositories.
  • Access control: Production access is limited to authorized personnel following least-privilege principles.

Agent & App Security

  • Agent Isolation: Your AI agents operate in isolated environments. They cannot access monitoring data belonging to other users.
  • Authentication: We use NextAuth with Google OAuth and passwordless email. Sessions are stored server-side; browser cookies are HTTP-only and secure.
  • Defense-in-depth: We enforce rate limiting, CORS allowlists, input validation, and security headers (CSP, HSTS).
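The controls listed above (an exact-match CORS allowlist, HTTP-only and Secure session cookies, and HSTS/CSP headers) are shown below as an added illustration. This is example code written for this page, not SpyGlow's own implementation; the origins, cookie name, and header values are assumptions, and the CSP in particular is a deliberately strict baseline that a real application would extend for its own scripts and assets.

```javascript
// Added example, not SpyGlow's code. Demonstrates the kind of defense-in-depth
// controls the page lists. Hostnames and header values are assumptions.

// Constructed sample allowlist. Origins are compared by exact match; a
// substring or regex check would accept attacker-controlled look-alike hosts.
const ALLOWED_ORIGINS = new Set([
  "https://app.example-spyglow.test",
  "https://www.example-spyglow.test",
]);

// Return the normalized origin when the Origin header exactly matches an
// allowlisted entry, otherwise null. Parsing with URL lowercases the host and
// drops the default port, so "https://APP.example-spyglow.test:443" matches,
// while "https://app.example-spyglow.test.attacker.test" does not.
function allowedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  if (typeof origin !== "string" || origin === "null") return null;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return null; // malformed Origin header
  }
  if (parsed.protocol !== "https:") return null; // TLS only
  return allowlist.has(parsed.origin) ? parsed.origin : null;
}

function isAllowedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  return allowedOrigin(origin, allowlist) !== null;
}

// CORS response headers for a credentialed API. For a non-allowlisted origin
// we return no Access-Control-* headers at all; the browser then blocks the
// cross-origin read. Never use "*" together with Allow-Credentials.
function corsHeaders(origin) {
  const normalized = allowedOrigin(origin);
  if (normalized === null) return {};
  return {
    "Access-Control-Allow-Origin": normalized,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // caches must not reuse the response for another origin
  };
}

// Set-Cookie value for a server-side session identifier. HttpOnly keeps the
// cookie away from scripts, Secure restricts it to HTTPS, SameSite=Lax blunts
// cross-site request forgery. The value is an opaque id, not session data.
function sessionCookie(name, sessionId, maxAgeSeconds = 7 * 24 * 60 * 60) {
  return [
    `${name}=${encodeURIComponent(sessionId)}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",
    "Secure",
    "SameSite=Lax",
  ].join("; ");
}

// Baseline security headers of the kind the page names (HSTS, CSP). The CSP
// here is a strict starting point; an application adds the sources it needs.
function securityHeaders() {
  return {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy":
      "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
  };
}
```

A typical server middleware would call `corsHeaders(req.headers.origin)` and merge the result with `securityHeaders()` on every response, and call `sessionCookie(...)` only after the server-side session record has been created.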

Infrastructure

  • Cloud Infrastructure: SpyGlow runs on reputable cloud providers with network-level protections.
  • Monitoring: Centralized logs and health checks confirm that agents are running correctly; sensitive customer data is not written to logs.

Subprocessors

We work with select subprocessors to deliver parts of the service:

  • Payments: Dodo Payments (billing and subscription lifecycle)
  • Email delivery: Resend (transactional email)
  • AI processing: OpenAI (analysis features)
  • Database: MongoDB Atlas (data storage)

We do not use your private data or competitor lists to train public AI models.

Vulnerability Disclosure

If you discover a vulnerability, please report it to our security team by email. We’ll acknowledge receipt and keep you updated on remediation.

Contact

Security questions? Email our security team.