Security at SpyGlow
Last updated: September 17, 2025
Overview
We design SpyGlow with a security-by-default mindset. This page describes how we protect data, authenticate users, and operate the platform. If you have questions or need a completed security questionnaire, contact support@spyglow.com.
Data Protection
- Encryption in transit: All communication between client and server uses TLS (HTTPS).
- Encryption at rest: We use managed cloud services that provide encrypted storage; database and disks are encrypted by the provider.
- Secrets management: Application secrets are stored in environment variables, never in client code or public repositories.
- Access control: Production access is limited to authorized personnel following least-privilege principles.
Application Security
- Authentication: We use NextAuth with Google OAuth and passwordless email. Sessions are stored server-side; browser cookies are HTTP-only and secure in production.
- API authentication: Frontend calls to our backend use short-lived JWTs signed server-side; backend verifies tokens before serving requests.
- Defense-in-depth: We enforce rate limiting, CORS allowlists, input validation, and security headers (CSP, HSTS, X-Frame-Options, and more).
- File handling: Uploads are validated by MIME type and size, and are served via authenticated endpoints.
Infrastructure & Operations
- Cloud infrastructure: SpyGlow runs on reputable cloud providers with network-level protections and managed databases.
- Monitoring & logging: Centralized logs and health checks; error handling without logging sensitive token content.
- Change management: Code reviews, least-privilege service accounts, and staged rollouts where applicable.
Subprocessors
We work with select subprocessors to deliver parts of the service. These partners process limited data necessary for their function:
- Payments & subscriptions: Dodo Payments (billing and subscription lifecycle)
- Email delivery: Resend (transactional email)
- AI processing: OpenAI (analysis features) and Tavily (research queries)
- Analytics / Support (optional): Google Analytics, Tawk (if enabled)
The specific list may change as we improve the service. Contact us for the current list and data flow details.
Privacy & Compliance
- Privacy: See our Privacy Policy for data collection and usage.
- Data subject rights: We support data export and account deletion upon request.
- Compliance roadmap: We align with industry best practices and are working toward formal attestations as we scale.
Vulnerability Disclosure
If you discover a vulnerability, please report it to support@spyglow.com. We’ll acknowledge receipt within a reasonable timeframe and keep you updated on status. Please do not publicly disclose issues until we’ve had an opportunity to remediate them.
Availability
We monitor the health of the application and critical jobs, and we aim for high availability. If you need historical uptime details or status, contact us and we’ll share current metrics.
Contact
Security questions? Email support@spyglow.com.