Terms and Conditions
Effective 26 May 2026
Welcome to Glassbreak. These Terms and Conditions ("Terms") govern your access to and use of the Glassbreak platform, website, and related services (collectively, the "Service") operated by Glassbreak ("we", "us", "our"). By creating an account or using the Service, you agree to be bound by these Terms. If you do not agree, you must not use the Service.
1. Overview
Glassbreak is a break-glass emergency access platform for securely storing, encrypting, and distributing access to sensitive information including credentials, secrets, and crisis communications. Secrets are encrypted on your device using AES-256 encryption before transmission to our infrastructure. Neither Glassbreak nor any of our infrastructure providers has access to your unencrypted content.
2. Eligibility
You must be at least 16 years old to use Glassbreak. If you are using the Service on behalf of an organisation, you represent and warrant that you have the authority to bind that organisation to these Terms. By using the Service, you confirm that you meet these requirements.
3. Accounts and Security
To access the Service, you must create an account with a valid email address and a strong password. You are responsible for:
- Maintaining the confidentiality of your account credentials and encryption keys
- All activity that occurs under your account
- Enabling and maintaining multi-factor authentication (MFA) where required by your organisation's policy
- Promptly notifying us at security@glassbreak.io if you suspect unauthorised access to your account
We support TOTP authenticator apps, WebAuthn/FIDO2 hardware keys, and recovery codes as MFA methods. Your organisation administrator may require MFA for all members.
4. Teams and Organisations
Users can create or join organisations and teams. Teams manage shared access to encrypted secrets, contacts, and communications. Team administrators control membership, roles, and permissions. You are responsible for selecting trusted team members and managing access controls appropriately.
5. Service Plans and Pricing
Glassbreak offers the following service tiers:
- Free — limited usage at no cost (1 team, 5 members, 10 secrets), no SLA
- Standard — paid subscription billed via Stripe, with unlimited teams, secrets, and advanced features; no formal SLA, best-effort availability
- Premium — custom-priced for enterprise needs, with a 99.9% uptime SLA measured against the multi-cloud aggregate Service, SSO/SAML, priority support, extended audit log retention, and an executed Data Processing Agreement
Charges for paid plans are billed in advance and are non-refundable once the billing period begins, except as required by applicable law (including mandatory consumer protection laws). We reserve the right to change pricing with 30 days' prior notice. Current pricing is available on our pricing page. Taxes (including VAT, GST, and sales tax) are added where applicable.
6. Infrastructure and Security
The Service operates across multiple independent cloud providers for resilience. A current, authoritative list of sub-processors is maintained at /legal/sub-processors. Encryption is handled on your device using AES-256 for secrets, RSA-4096 for key exchange, and Kyber1024 for post-quantum key encapsulation. We do not store decryption keys in any accessible form. All data is encrypted in transit (TLS) and at rest.
7. No Access to Secrets — Zero-Knowledge Architecture
Glassbreak operates a zero-knowledge architecture. We do not access, process, or store decrypted user secrets at any point. Encryption and decryption occur exclusively on your device. Our servers store only encrypted ciphertext and encrypted key material.
You are solely responsible for:
- Safeguarding your encryption keys, passwords, and recovery codes
- Managing access controls, team membership, and role-based permissions
- Selecting and vetting trusted team members who receive access to shared secrets
- Maintaining independent backups of critical information outside the Service
YOU ACKNOWLEDGE AND ACCEPT THAT IF YOU LOSE ACCESS TO YOUR ENCRYPTION KEYS, PASSWORDS, AND RECOVERY CODES, YOUR ENCRYPTED DATA WILL BE PERMANENTLY AND IRREVERSIBLY INACCESSIBLE. GLASSBREAK CANNOT RECOVER, RESET, OR RECONSTRUCT YOUR ENCRYPTION KEYS UNDER ANY CIRCUMSTANCES. This is a fundamental and intentional property of our security architecture. No Glassbreak employee, system, process, or infrastructure provider can decrypt your data on your behalf.
You expressly waive any claim against Glassbreak for data loss resulting from lost, forgotten, or compromised encryption keys or recovery codes. It is your responsibility to store recovery codes securely and separately from your primary credentials.
8. Acceptable Use
You agree not to use the Service to:
- Store or transmit content that is illegal, harmful, threatening, defamatory, or infringing on third-party rights
- Store, transmit, or distribute child sexual abuse material (CSAM) or any content depicting the exploitation or abuse of minors
- Store or transmit content that promotes, incites, or facilitates terrorism, violent extremism, or radicalisation
- Store or transmit stolen data, credentials, or personally identifiable information obtained without authorisation
- Facilitate or engage in human trafficking, exploitation, or modern slavery
- Store, distribute, or facilitate the sale of illegal drugs, weapons, or controlled substances
- Use the Service to facilitate money laundering, terrorism financing, sanctions evasion, tax evasion, or other financial crimes
- Circumvent, disable, or interfere with security features or access controls
- Attempt to gain unauthorised access to the Service, other accounts, or connected systems
- Reverse-engineer, decompile, or disassemble any part of the Service
- Transmit viruses, malware, or other malicious code
- Use automated systems (bots, scrapers) to access the Service without prior written consent
- Resell, sublicense, or redistribute access to the Service without authorisation
9. Illegal Content and Reporting
Glassbreak has a zero-tolerance policy for illegal content. While we cannot inspect encrypted content stored on the Service, we will act on credible reports and legal orders.
If we receive a valid legal order, court order, or law enforcement request requiring action on an account, we will comply to the extent required by applicable law. This may include suspension or termination of accounts and disclosure of unencrypted account metadata (but not encrypted content, which we cannot decrypt).
If you become aware of illegal content or activity on the Service, report it to abuse@glassbreak.io. We will investigate and take appropriate action, which may include account suspension, termination, and referral to law enforcement.
Accounts found to be in violation of these provisions will be terminated immediately without notice or refund. We reserve the right to cooperate fully with law enforcement authorities and to comply with court orders requesting or directing disclosure of account information.
10. Intellectual Property
The Service, including its design, code, branding, documentation, and all related intellectual property, is owned by Glassbreak and protected by copyright, trademark, and other intellectual property laws. You are granted a limited, non-exclusive, non-transferable, revocable licence to use the Service in accordance with these Terms.
You retain ownership of all content you upload to the Service. By uploading content, you grant us only the technical permissions necessary to store and transmit your encrypted data as part of operating the Service.
11. AI and Automated Processing
Glassbreak does not use customer encrypted content, encrypted contacts, or encrypted messages to train, fine-tune, or evaluate artificial intelligence or machine learning models, and does not share that content with any third party for those purposes. Because the architecture is zero-knowledge, we could not do so even if we wished to. Operational telemetry (such as anonymised request counts and error rates) may be used to improve the Service.
12. Service Level Commitments
We strive to maintain high availability using geographically isolated, multi-cloud infrastructure. Service level commitments are as follows:
- Free — best-effort availability, no SLA
- Standard — best-effort availability, no formal SLA; service credits are not provided as of right but may be granted at our discretion for significant outages
- Premium — 99.9% monthly uptime SLA measured against the multi-cloud aggregate Service (i.e. an outage is only credited if every independent vertical is unavailable to a given customer for the same period); details and exclusions in the customer's executed Service Level Agreement
Scheduled maintenance with reasonable advance notice, force majeure events, and customer-side connectivity or configuration failures are excluded from SLA calculations.
13. Sub-processors
We use the following categories of sub-processors to deliver the Service. None has access to your decrypted content; all are bound by written data processing terms consistent with our obligations to you.
- Amazon Web Services (AWS) — AWS-vertical Lambda compute, S3 object storage in us-east-1
- Scaleway — Scaleway-vertical Serverless Functions and Object Storage, Managed PostgreSQL and Serverless SQL in fr-par
- Fly.io / GCP — additional break-glass compute vertical (planned)
- Fastly — primary multi-origin CDN, request routing, and DNS
- Neon — serverless PostgreSQL for the AWS vertical (aws-eu-central-1, Frankfurt)
- Stripe — payment processing and subscription billing
- Postmark — transactional email delivery
- Plausible Analytics — privacy-respecting, cookie-free site analytics (EU-hosted)
- GitHub — source code hosting and CI/CD
- 1Password — internal secrets management (Glassbreak staff)
The authoritative, current sub-processor list — including legal entity, role, and processing location — is maintained at /legal/sub-processors. We will give at least 30 days' advance notice by email and via that page before onboarding a new sub-processor or materially changing the role of an existing one. Customers with an executed DPA may object to a proposed sub-processor on reasonable grounds during the notice period.
14. Data Processing Agreement (DPA)
For customers subject to the EU General Data Protection Regulation, the UK GDPR, the Swiss Federal Act on Data Protection, or equivalent regimes, our Data Processing Agreement is incorporated into these Terms by reference and is available at /legal/dpa. The DPA sets out, among other things, the subject matter and duration of processing, the nature and purpose of processing, the categories of data and data subjects, and the rights and obligations of controller and processor.
15. International Data Transfers
Your data may be processed in any region in which our sub-processors operate. Where personal data originating in the EEA, the United Kingdom, or Switzerland is transferred to a country that has not been the subject of an adequacy decision, we rely on:
- the European Commission's Standard Contractual Clauses (SCCs), Module 2 (controller-to-processor), with the customer as controller and Glassbreak as processor;
- the UK International Data Transfer Addendum to the SCCs (UK IDTA) for transfers subject to UK GDPR; and
- the Swiss FADP addendum, where transfers originate in Switzerland.
Customers with strict data-residency requirements may choose to use the EU-pure glassbreak.cloud vertical, which routes compute and state through EU-only providers and regions.
16. Sanctions and Export Compliance
You represent and warrant that you, your organisation, and your end users are not (a) located, organised, or ordinarily resident in any country or region subject to comprehensive sanctions administered by the US Office of Foreign Assets Control (OFAC), the EU, the United Kingdom, or the Australian Department of Foreign Affairs and Trade (DFAT); or (b) listed on any applicable sanctions, denied-party, or restricted-party list (including the OFAC SDN List, the EU Consolidated List, the UK Sanctions List, and the DFAT Consolidated List). You must not use the Service to violate any applicable sanctions or export-control laws. We may suspend or terminate accounts to comply with these requirements.
17. Disclaimer of Warranties
THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.
Without limiting the foregoing, we do not warrant that:
- The Service will meet your specific requirements
- The Service will be uninterrupted, timely, secure, or error-free
- Any errors in the Service will be corrected
- The Service will be compatible with any particular hardware or software
18. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL GLASSBREAK, ITS DIRECTORS, EMPLOYEES, PARTNERS, AGENTS, SUPPLIERS, OR AFFILIATES BE LIABLE FOR:
- Any indirect, incidental, special, consequential, or punitive damages
- Any loss of profits, revenue, data, goodwill, or business opportunity
- Any damages arising from your use of or inability to use the Service
- Any data loss due to loss of encryption keys, mismanagement of team permissions, or failure to maintain backups
- Any outages or performance degradation due to third-party provider failures
- Any unauthorised access resulting from your failure to secure your credentials
OUR TOTAL AGGREGATE LIABILITY FOR ALL CLAIMS ARISING FROM OR RELATED TO THE SERVICE SHALL NOT EXCEED THE GREATER OF (A) THE AMOUNT YOU PAID US IN THE 12 MONTHS PRECEDING THE CLAIM, OR (B) USD $100.
Nothing in these Terms excludes or limits liability that cannot be excluded or limited under applicable law, including liability for fraud, death, or personal injury caused by negligence, rights you have under the Australian Consumer Law, mandatory rights under EU and UK consumer protection law, or non-waivable rights under US state law.
19. Indemnification
You agree to indemnify, defend, and hold harmless Glassbreak and its officers, directors, employees, agents, and affiliates from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising out of or related to:
- Your use of the Service or any activity under your account
- Your breach of these Terms or any applicable law or regulation
- Your violation of any third-party rights, including intellectual property or privacy rights
- Content you store, transmit, or make available through the Service
- Your failure to maintain adequate security of your account credentials, encryption keys, or recovery codes
- Claims by your team members, employees, or end users arising from your use of the Service
This indemnification obligation survives termination of your account and these Terms.
20. Service Failure Remedies
In the event of a failure, outage, or data loss attributable solely to Glassbreak's negligence or wilful misconduct (and not to third-party provider failures, force majeure events, or user error):
- Free tier users — Glassbreak's sole obligation shall be to use commercially reasonable efforts to restore the Service. No financial compensation is provided.
- Standard tier users — Glassbreak may, at its discretion, provide a pro-rata service credit for the period of unavailability, applied to future invoices. Total credits in any 12-month period shall not exceed one month's subscription fees.
- Premium tier users — remedies are governed by the applicable Service Level Agreement (SLA) executed between the parties, which may include enhanced credits, response time commitments, and escalation procedures.
In all cases, Glassbreak's liability for service failures is subject to the limitations set out in section 18 (Limitation of Liability). Service credits are your sole and exclusive remedy for downtime or service degradation unless a separate SLA provides otherwise.
21. Termination and Data Return
By you: You may terminate your account at any time from your account settings.
By us: We reserve the right to suspend or terminate your account immediately and without prior notice for material breach of these Terms, activity that threatens the security or integrity of the Service, unlawful use or suspected fraud, or non-payment of applicable fees after reasonable notice.
Data export and return: For paid plans, on termination we will make your data available for export for a period of 30 days, in a structured, machine-readable format, via the Service's export functionality or on written request to legal@glassbreak.io. After that window, account data will be deleted in accordance with the retention schedule in the Privacy Policy. For Free plans, deletion may occur sooner; you should export data before termination. We cannot return decrypted content (we never had access to it). Sections 9, 10, 11, 14, 15, 16, 17, 18, 19, 24, and 25 survive termination.
22. Force Majeure
Neither party shall be liable for any failure or delay in performance resulting from causes beyond its reasonable control, including but not limited to: acts of God, natural disasters, pandemic, war, terrorism, government actions, power failures, internet or telecommunications failures, cyberattacks, or failures of third-party cloud infrastructure providers. During any such event, the affected party's obligations are suspended for the duration of the event.
23. Changes to These Terms
We may modify these Terms from time to time. Material changes will be communicated by email to the account's primary contact and via a prominent in-product notice at least 30 days before they take effect. Non-material changes (typographical, clarifying, or required by law) may take effect immediately on posting. If you do not agree to the updated Terms, you must stop using the Service and close your account before the changes take effect. Continued use after the effective date constitutes acceptance.
24. Dispute Resolution
The parties will first attempt to resolve any dispute arising from or relating to these Terms or the Service in good faith through informal negotiation for a period of at least 30 days. If the dispute cannot be resolved informally, the following applies:
- International disputes (where either party is located outside the governing-law jurisdiction in section 25) shall be finally resolved by binding arbitration seated in London, England, under the LCIA Rules then in force, conducted in English by a single arbitrator. Either party may seek interim or injunctive relief from a court of competent jurisdiction without waiving this arbitration clause.
- Domestic disputes (where both parties are located in the governing-law jurisdiction) may be brought in the courts identified in section 25.
Nothing in this section limits non-waivable consumer rights to bring proceedings in your country of residence under local mandatory law.
25. Governing Law and Jurisdiction
These Terms are governed by and construed in accordance with the laws of England and Wales, without regard to conflict-of-laws principles. Subject to the dispute resolution process in section 24, the courts of England and Wales shall have exclusive jurisdiction, except as set out in the following multi-jurisdiction clause:
- Customers in the United States — the laws of the State of New York apply, and the federal and state courts located in the Southern District of New York have exclusive jurisdiction, in lieu of the laws of England and Wales.
- Customers in Australia or New Zealand — the laws of New South Wales, Australia apply, and the courts of New South Wales have exclusive jurisdiction, in lieu of the laws of England and Wales.
- All other customers — the laws of England and Wales apply as set out above.
Nothing in this section limits your rights under the Australian Consumer Law, EU or UK consumer protection law, or any other mandatory consumer protection legislation in your country of residence.
26. Severability
If any provision of these Terms is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the parties' original intent.
27. Entire Agreement
These Terms, together with the Privacy Policy, the Data Processing Agreement (where applicable), the Sub-processor List, and any executed Service Level Agreement, constitute the entire agreement between you and Glassbreak regarding the Service. These Terms supersede all prior agreements, understandings, and representations, whether written or oral.
28. Contact
For legal inquiries or support:
Legal: legal@glassbreak.io
Privacy: privacy@glassbreak.io
Security: security@glassbreak.io
General support: support@glassbreak.io
By using Glassbreak, you acknowledge that you have read, understood, and agree to be bound by these Terms and Conditions.
This document is provided for transparency and does not constitute legal advice.