Trust & Security
Verified attestations · refreshed daily · No verification yet
The list below describes security controls Glassbreak commits to and that our automated probes verify every day. We publish a control only when it has been measured green for at least 30 consecutive days. If a control ever falls out of compliance, it is removed from this page until it is green again.
For the full cryptographic write-up, see the security & cryptography page. For our coordinated disclosure policy, see trust/disclosure or send a report to security@glassbreak.io.
The live attestation feed is currently unavailable. This page is regenerated daily. Please check back shortly, or contact security@glassbreak.io if you believe this is an extended outage.
Compliance assessments
Detailed, candid gap assessments against the standards procurement teams ask about most often. Each page describes our current posture, what we have, what we don't, and the criteria that would cause us to start (or finish) certification work.
- SOC 2 Type II — in flight. Trust Service Criteria gap assessment and current phase on the page.
- ISO/IEC 27001:2022 — not pursuing in 2026. ISMS clause and Annex A coverage with trigger criteria for starting.
- ISO 22301:2019 — not pursuing in 2026. Business Continuity Management System clauses, our RTO/RPO commitments per surface, and the multi-cloud evidence behind them.
- PCI DSS (SAQ-A) — card data never touches Glassbreak infrastructure; Stripe handles all of it. Annual SAQ-A self-assessment and the controls that still apply to us as a merchant.
- NIS2 & UK NIS — not directly in scope but supplier to in-scope critical-infra customers. Article 21 risk-management coverage and the incident-reporting cascade we align to.
- DORA — ICT third-party service-provider posture for EU financial-services customers. Article 30 contractual provisions, CTPP designation analysis, and Register of Information inputs.
- Cyber Essentials — UK government scheme. Coverage of the five technical control themes and our position on certifying for UK public-sector procurement.
- CCPA / CPRA — California privacy. Service-provider obligations, consumer-rights support paths, and the threshold analysis for direct business-level applicability.
- HIPAA & HITRUST — BAA not currently offered. Honest assessment of where the platform sits and what would change for healthcare customers.
- FedRAMP Moderate — not pursued. NIST SP 800-53 family-by-family coverage and the business case threshold.
- SIG Lite & CAIQ v4 pre-fill — answers to the 25 most-asked procurement questions, plus how to get the populated spreadsheets within one business day.
- DPIA vendor response — pre-filled response aligned to the ICO and EDPB (April 2026) DPIA templates, designed to drop directly into the controller's DPIA workbook.
- Browser & device compatibility — live checker for the cryptographic primitives, secure context, and storage APIs the Glassbreak web client depends on. Runs locally in your browser.
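A checker of the kind described in the last item above, as an added JavaScript example. It is not the Glassbreak client's own checker: the list of required features (secure context, WebCrypto, `getRandomValues`, IndexedDB, localStorage, TextEncoder) and the primitives exercised end to end (SHA-256, AES-GCM-256, ECDH P-256, HKDF-SHA-256) are an assumed illustrative set. The environment to probe is passed in as a parameter so the same code can be run against the real `globalThis` in a browser console or against a constructed object.

```javascript
// Added example: client-side capability checker. The required features and
// algorithms below are an assumed illustrative set, not the Glassbreak client's.
const REQUIREMENTS = [
  // Secure context: crypto.subtle is only exposed on https:// and localhost.
  { name: "secure context", check: (env) => env.isSecureContext === true },
  { name: "WebCrypto", check: (env) => typeof env.crypto?.subtle?.generateKey === "function" },
  { name: "getRandomValues", check: (env) => typeof env.crypto?.getRandomValues === "function" },
  { name: "IndexedDB", check: (env) => env.indexedDB != null },
  // localStorage can exist yet throw on write (quota exhausted, some private-browsing modes).
  {
    name: "localStorage",
    check: (env) => {
      env.localStorage.setItem("__capability_probe", "1");
      env.localStorage.removeItem("__capability_probe");
      return true;
    },
  },
  { name: "TextEncoder", check: (env) => typeof env.TextEncoder === "function" },
];

// Synchronous feature detection. A probe that throws counts as "missing" rather than
// crashing the checker, so a partially broken environment still yields a full report.
function checkEnvironment(env = globalThis) {
  const results = REQUIREMENTS.map(({ name, check }) => {
    let ok = false;
    try {
      ok = Boolean(check(env));
    } catch {
      ok = false;
    }
    return { name, ok };
  });
  return {
    ok: results.every((r) => r.ok),
    missing: results.filter((r) => !r.ok).map((r) => r.name),
    results,
  };
}

// Feature detection is not enough: crypto.subtle can be present while a specific
// algorithm or parameter set is rejected, so exercise each primitive end to end.
// Keys are throwaway and non-extractable; the all-zero IV and salt are acceptable
// only because nothing produced here is ever stored or sent anywhere.
async function probeCryptoPrimitives(subtle) {
  const outcomes = {};
  const attempt = async (name, fn) => {
    try {
      await fn();
      outcomes[name] = true;
    } catch {
      outcomes[name] = false;
    }
  };
  await attempt("SHA-256", () => subtle.digest("SHA-256", new Uint8Array([1, 2, 3])));
  await attempt("AES-GCM-256", async () => {
    const key = await subtle.generateKey({ name: "AES-GCM", length: 256 }, false, ["encrypt"]);
    await subtle.encrypt({ name: "AES-GCM", iv: new Uint8Array(12) }, key, new Uint8Array(16));
  });
  await attempt("ECDH-P-256", () =>
    subtle.generateKey({ name: "ECDH", namedCurve: "P-256" }, false, ["deriveBits"]));
  await attempt("HKDF-SHA-256", async () => {
    const ikm = await subtle.importKey("raw", new Uint8Array(32), "HKDF", false, ["deriveBits"]);
    await subtle.deriveBits(
      { name: "HKDF", hash: "SHA-256", salt: new Uint8Array(16), info: new Uint8Array(0) }, ikm, 256);
  });
  return { ok: Object.values(outcomes).every(Boolean), outcomes };
}

// Run against the real environment (in a browser: paste into the devtools console).
const report = checkEnvironment();
console.log("features:", report.ok ? "all present" : `missing ${report.missing.join(", ")}`);
if (typeof globalThis.crypto?.subtle?.generateKey === "function") {
  probeCryptoPrimitives(globalThis.crypto.subtle).then((r) => console.log("primitives:", r.outcomes));
}
```

Two design points worth copying. First, a probe that throws is recorded as a failure instead of aborting the whole run, so a user with one broken API still gets a complete report to send to support. Second, the asynchronous probe actually generates keys and encrypts, because `typeof crypto.subtle === "object"` says nothing about whether a given curve or key length is implemented. Run outside a browser (for example under Node) the checker reports "secure context" as missing simply because no such property exists there.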
Compliance commitments in place today
- GDPR (EU 2016/679) — data export and erasure are available from the in-product settings. Our DPA is at /legal/dpa; the subprocessor list is at /legal/sub-processors.
- Data residency — EU users' data is stored in EU regions. See the architecture summary on the security page.
- Published policies — Information Security, Incident Response, Business Continuity & DR, Onboarding, Offboarding, and Sanctions policies at /policies, reviewed annually with a named owner.
What is not on this page
We deliberately do not publish version numbers, specific cipher suites, infrastructure topology details, or exact rotation timestamps on this page. That information is reconnaissance for an attacker without meaningfully increasing your trust. If you are an enterprise buyer or auditor and need this detail under NDA, contact security@glassbreak.io.
How this page is generated
Each attestation above corresponds to an automated daily probe. The probe either confirms a runtime fact (e.g. "the database rejects unencrypted connections") or a code-state fact (e.g. "the password hashing module imports argon2id"). The full set of probes is in our open codebase. The filter that decides what is safe to publish — stripping evidence fields, version numbers, IP addresses, and vendor names below the well-known level — is itself tested against a denylist sweep.
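The publishing filter and denylist sweep described above, together with the 30-consecutive-days rule stated at the top of the page, as an added JavaScript example. This is illustrative code, not Glassbreak's probe, filter or test suite: the record shape and field names, the vendor allowlist, the regular expressions and the sample probe records are all constructed assumptions.

```javascript
// Added example: a publish filter for attestation records and the denylist sweep that
// tests it. Record shape, field names, vendor allowlist and regexes are illustrative
// assumptions, not Glassbreak's code; the sample records are constructed.
const MIN_GREEN_DAYS = 30;                                            // the page's publication threshold
const WELL_KNOWN_VENDORS = new Set(["aws", "stripe", "cloudflare"]);  // assumed: names safe to publish
const INTERNAL_FIELDS = new Set(["evidence", "host"]);                // assumed: never published at all
const IPV4 = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
// Deliberately broad: anything that looks like a version is redacted rather than risked.
const VERSION = /\bv?\d+\.\d+(?:\.\d+)*(?:[-+][0-9A-Za-z.-]+)?/g;

const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

function redactText(text, privateVendor) {
  let out = text.replace(IPV4, "[ip]").replace(VERSION, "[version]");
  if (privateVendor) out = out.replace(new RegExp(escapeRegExp(privateVendor), "gi"), "[vendor]");
  return out;
}

// A control is published only when green for the required number of consecutive days.
const isPublishable = (r) => r.status === "green" && r.days_green >= MIN_GREEN_DAYS;

function publishRecord(record) {
  const vendorOk = WELL_KNOWN_VENDORS.has(String(record.vendor ?? "").toLowerCase());
  const privateVendor = vendorOk ? null : record.vendor;
  const out = {};
  for (const [key, value] of Object.entries(record)) {
    if (INTERNAL_FIELDS.has(key)) continue;                 // evidence fields are dropped wholesale
    if (key === "vendor") { out.vendor = vendorOk ? value : "[vendor]"; continue; }
    out[key] = typeof value === "string" ? redactText(value, privateVendor) : value;
  }
  return out;
}

const publish = (records) => records.filter(isPublishable).map(publishRecord);

// Denylist sweep: collect every concrete value in the raw records that must never
// appear on the page, then check the published output for it by plain substring.
// Because the denylist is derived from the data rather than from the redaction
// regexes, a pattern the filter misses shows up as a leak instead of a silent gap.
function buildDenylist(records) {
  const deny = new Set();
  for (const r of records) {
    for (const [key, value] of Object.entries(r)) {
      if (typeof value !== "string") continue;
      if (INTERNAL_FIELDS.has(key)) deny.add(value);
      for (const m of value.match(IPV4) ?? []) deny.add(m);
      for (const m of value.match(VERSION) ?? []) deny.add(m);
    }
    if (r.vendor && !WELL_KNOWN_VENDORS.has(r.vendor.toLowerCase())) deny.add(r.vendor);
  }
  return [...deny];
}

function sweep(published, denylist) {
  const blob = JSON.stringify(published).toLowerCase();
  return denylist.filter((term) => blob.includes(term.toLowerCase()));
}

// A naive filter that only drops internal fields; used below to show what the sweep catches.
const dropFieldsOnly = (r) =>
  Object.fromEntries(Object.entries(r).filter(([key]) => !INTERNAL_FIELDS.has(key)));

// Constructed sample probe output (not real Glassbreak data).
const RAW_RECORDS = [
  { id: "db-tls-required", status: "green", days_green: 47, vendor: "Acme Managed DB",
    summary: "Database rejects unencrypted connections; PostgreSQL 15.4 at 10.42.7.19 via Acme Managed DB",
    evidence: "psql: error: connection requires SSL", host: "pg-primary-1.internal" },
  { id: "pwd-hash-argon2id", status: "green", days_green: 210, vendor: "AWS",
    summary: "Password hashing module imports argon2id",
    evidence: "auth/hash.py:3 imports argon2id", host: "ci-runner-7" },
  { id: "backup-restore-drill", status: "green", days_green: 12, vendor: "AWS",
    summary: "Restore drill completed from the latest snapshot",
    evidence: "restore job 8821 ok", host: "ops-1" },
];

const denylist = buildDenylist(RAW_RECORDS);
const published = publish(RAW_RECORDS);
console.log(JSON.stringify(published, null, 2));
console.log("filtered output leaks:", sweep(published, denylist));   // []
console.log("naive output leaks:", sweep(RAW_RECORDS.filter(isPublishable).map(dropFieldsOnly), denylist));
```

The third sample record is excluded outright because it has only been green for 12 days, and the first loses its version, IP address, evidence line, hostname and vendor name while keeping the control statement itself. The naive variant that merely drops the evidence and host fields is the reason the sweep exists: its output still carries `15.4`, `10.42.7.19` and `Acme Managed DB` inside the free-text summary, and the sweep reports all three. The sweep here checks substrings of values seen in the raw records only; a production version would also seed it with items that never appear in the records but must never be published, such as IPv6 literals, internal domain suffixes and account identifiers.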
Snapshot identifier: unavailable