Glomiq

Security

Last Updated: 08-05-2026

Glomiq handles documents that contain client names, financial details, legal clauses, and confidential business information. We take that responsibility seriously. This page describes how we protect your data.

Encryption

Data in transit

All communication between your browser and Glomiq servers uses TLS 1.2 or higher. HTTP connections are automatically upgraded to HTTPS.

Data at rest

Stored documents, templates, and user data are encrypted at rest using AES-256 encryption on cloud storage infrastructure.

Access controls

  • Account isolation — Your templates, documents, and history are accessible only to your authenticated account. No other user can access your data.
  • Authentication — Glomiq supports Google OAuth and email/password login. Email verification is required for email-based accounts. We recommend using Google Sign-In for the strongest account security.
  • Session management — Sessions use secure, HTTP-only cookies and are invalidated on sign-out.
  • App route protection — All dashboard, template, document, and settings routes require authentication. These routes are also blocked from search engine indexing via robots.txt.

AI and data training

Your documents are never used to train AI models. Uploaded documents and the data you enter into generation forms are processed solely to produce your output. They are not shared with AI providers for training, fine-tuning, or model improvement purposes.

Glomiq uses third-party AI infrastructure to process document content (field detection, variable extraction). These providers operate under data processing agreements that restrict use of your data to the processing tasks we specify. See the Privacy Policy for a list of sub-processors.

Infrastructure and hosting

  • Hosting — Glomiq is hosted on Vercel (application layer) with cloud storage on industry-standard providers. All infrastructure is maintained by vendors with SOC 2 Type II certification.
  • Security headers — All pages are served with a Content-Security-Policy, Strict-Transport-Security (HSTS with preload), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and a Permissions-Policy restricting camera, microphone, and geolocation.
  • Dependencies — Third-party packages are pinned to specific versions and reviewed regularly. High-severity vulnerabilities are patched on a priority basis.

What we do not do

  • We do not sell your data to third parties.
  • We do not use your documents for advertising targeting.
  • We do not share your client names, document contents, or field values with any external party except as required to process your generation request.
  • We do not retain uploaded documents beyond what is necessary to serve your account.

Reporting a security issue

If you discover a security vulnerability in Glomiq, please report it responsibly to support@glomiq.com with the subject line Security Report. Include a description of the vulnerability, steps to reproduce, and your assessment of impact.

We will acknowledge all valid reports within 2 business days and aim to resolve confirmed issues within 14 days depending on severity. We do not currently operate a bug bounty programme but we genuinely appreciate responsible disclosure.

Please do not publicly disclose vulnerabilities before we have had an opportunity to address them.

Questions

For security questions, data processing enquiries, or DPDP Act (India) related requests, contact us at support@glomiq.com.

Privacy Policy · Terms of Service · Documentation