Glean is trusted by over 500 US Higher Education institutions
Table of contents
- Where and How an End User's Content is Stored
- HECVAT (Higher Education Community Vendor Assessment Toolkit)
- SOC 2 Type I Compliance
- Independent Review by GreyCastle Security
- Penetration Testing
- Glean Platform Data Diagram
- List of Current Subcontractors
- Glean Data Security Policy
- Useful Links
- Contact Us
Where and How an End User's Content is Stored
Content created by a Glean user, such as audio recordings and electronic notes, is stored locally on the user's device and then uploaded to Glean's cloud storage. The data is saved locally so that a user is able to record and edit their content while offline. Providing users with the ability to work offline was critical to the design of the Glean platform; we understand that notetaking shouldn't depend on having an internet connection.
Secure local storage:
Data saved locally is stored on hard disk in a Glean-readable format.
Secure cloud storage:
Data is uploaded to Glean's cloud storage, which is hosted across Amazon Web Services (AWS) and Google Cloud platforms in UK data centers. At this time, Glean does not provide data storage in any other territory.
More important stuff:
- Audio data is stored encrypted at rest and is only transmitted over encrypted channels between the browser and Glean's cloud servers.
- When online, the browser uploads data to the cloud. An end user's audio data is sent directly to AWS S3 servers and all other data (such as electronic notes and audio visualization data) is sent to Glean's database via the backend.
- All data is uploaded using a secure connection (HTTPS), and is saved in IndexedDB (a database built into the browser) so that Glean works offline.
- Audio files are captured in binary large objects, or blobs as we call them, and are encrypted and stored on AWS S3. The blobs are decrypted on retrieval and reassembled in the end user's browser.
- Communication between the browser and AWS S3 (for upload and download) is done via pre-signed URLs. The URLs are only valid for the upload of a particular blob (they are only valid for a single destination address in AWS S3), and are valid for a limited time.
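To show the two properties the last point relies on (a URL bound to one object key and one method, and valid only until a fixed expiry), here is an added example that is not Glean's code and not AWS's SigV4 scheme: a minimal HMAC-based pre-signing and verification pair with a constructed signing key and a placeholder storage host.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed secret for the example; in a real deployment the signing key
# lives only on the backend that issues URLs, never in the browser.
SIGNING_KEY = b"example-backend-signing-key"
BUCKET_HOST = "https://example-bucket.storage.invalid"  # placeholder host


def _signature(method, key, expires):
    # The signature covers the HTTP method, the exact object key and the expiry,
    # so changing any of them invalidates the URL.
    msg = f"{method}\n{key}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def presign(method, key, ttl_seconds, now=None):
    """Issue a URL usable only for `method` on object `key` until now + ttl."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"Expires": expires, "Signature": _signature(method, key, expires)})
    return f"{BUCKET_HOST}/{key}?{query}"


def verify(method, url, now=None):
    """Storage-side check: reject expired URLs and any URL whose method or key
    differs from what was signed (constant-time comparison of the signature)."""
    now = int(time.time()) if now is None else now
    parts = urlparse(url)
    key = parts.path.lstrip("/")
    q = parse_qs(parts.query)
    try:
        expires = int(q["Expires"][0])
        sig = q["Signature"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False
    return hmac.compare_digest(sig, _signature(method, key, expires))
```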
HECVAT (Higher Education Community Vendor Assessment Toolkit)
What is it?
The higher education information security community, EDUCAUSE, Internet2, and the Research & Education Networks Information Sharing & Analysis Center (REN-ISAC) created the Higher Education Cloud Vendor Assessment Toolkit (HECVAT), a questionnaire framework specifically designed for the higher education sector to measure vendor risk. The HECVAT aims to standardize InfoSec and data protection requirements around service providers.
Glean has completed a HECVAT Full version 2.11 self-assessment for Glean Web and Glean Notes mobile app, which you can view below. The aim of the assessment is to show our compliance with industry standards and explain the security and privacy protocols that we have built into our infrastructure.
Glean's HECVAT is a living document that we update regularly. Please click the button below to view the current version.
SOC 2 Type I Compliance
What is it?
A SOC (Service Organization Controls) 2 Type I audit evaluates an organization’s information security systems relevant to security, availability, confidentiality, and privacy at a single point in time. It assesses whether the internal controls put in place by the organization to safeguard its data are sufficient and designed correctly. SOC 2 is based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC).
Glean underwent a SOC 2 Type I audit in April 2021, which was carried out by US financial advisory company Boulay Group. The attestation report, published August 2021, can be downloaded by clicking the button below.
Independent Review by GreyCastle Security
Who is GreyCastle?
GreyCastle Security is a US-based service provider dedicated exclusively to cybersecurity and the practical management of cybersecurity risks. GreyCastle provides Risk Assessment, Awareness, Vulnerability Assessment, Penetration Testing, ISO and Incident Response services to businesses throughout North America and beyond. The team consists solely of certified professionals and former security officers.
About the review
During May and June 2022, GreyCastle carried out a Vendor Risk Assessment (VRA) based on Glean's internal policies relating to data security, the HECVAT, and SOC 2 Type I report. Members of Glean's InfoSec team were interviewed as part of the review process.
You can download the full VRA report by clicking on the button below.
Penetration Testing
What is it?
Penetration testing is a method for gaining assurance in the security of an organization's IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might.
The Glean web app and Glean Notes mobile app are penetration tested at a minimum of once per year by a UK-based provider, Digital Interruption. You can download our 2022 attestation report below.
Glean holds the following types of insurance on a worldwide basis:
- Professional Liability (Indemnity)
- Cyber and Privacy Liability
- Public and Products Liability
- Employers' Liability
Our insurance provider is CFC. Our cover is renewed automatically on an annual basis.
You can download our 2021-2022 letter of coverage by clicking the button below.
Glean Data Security Policy
Who is this policy for?
- Any individual who pays for or trials access to Glean's services and is the end user of the services. Or, any individual who is considering using Glean's services in the future.
- Any organization that pays for or trials access to Glean's services for use by individuals within that organization. Or, any organization that is considering using Glean's services in the future.
For ease, Glean will refer to an individual and organization as "you" in this policy.
What are the aims of this policy?
- To provide you with assurance that the information systems and software services provided by Glean will be managed effectively, securely, and responsibly.
- To provide you with assurance that all data assets held by Glean will be protected against all internal, external, deliberate, and accidental threats.
What does this policy cover?
This policy applies to all data that Glean receives during the course of business. It also applies to all information systems, networks, applications, infrastructure, services, and locations of Glean technology including any that is supplied under contract to Glean.
4. Policy Compliance
Some aspects of data security are governed by legislation. The most notable UK Acts and European legislation are:
- EU General Data Protection Regulation 2016/679
- UK General Data Protection Regulation
- The Data Protection Act (2018)
- Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC)
- Privacy and Electronic Communications Regulations 2003 (SI 2003/2426)
- Copyright, Designs and Patents Act (1988)
- Computer Misuse Act (1990)
The most notable US Acts and legislation are:
- California Consumer Privacy Act (2018)
- California Online Privacy Protection Act (2004)
- Family Educational Rights and Privacy Act (1974)
5. Registration with the UK Information Commissioner's Office (ICO)
Glean is registered with the UK's Information Commissioner’s Office, and renews annually. The ICO is the UK’s independent body set up to uphold information rights. It provides guidance and advice on data protection, including how organizations should respond to a data breach, and outlines best practices for handling personal data in accordance with UK and EU legislation.
6. Key Persons and InfoSec team
Key persons responsible for data security at Glean are:
- Chief Operating Officer / VP of Glean
- Head of Data and Systems
- Head of Engineering
- IT Infrastructure Manager
- Legal and Compliance Manager
Glean's Board of Directors is accountable for data security at Glean.
7. Responsibilities of Glean colleagues and security training
All Glean colleagues will comply with Glean's data security policies, procedures, and protocols, which includes the maintenance of data confidentiality and data integrity at all times. Failure to comply with this may result in disciplinary action.
Each colleague is responsible for the operational security of the information systems they use at Glean. Glean recognizes that colleagues are an important part of the first line of defence against security threats, which is why Glean provides mandatory security awareness training to all colleagues at least once per year.
8. Data classification
Data processed by Glean will receive one of the following classifications:
- Unrestricted - data will be classified Unrestricted when the unauthorized disclosure, alteration, or destruction of that data would result in little or no risk to Glean and its affiliates.
- Confidential - by default, all data that is not explicitly classified Restricted or Unrestricted will be treated as Confidential.
- Restricted - data that is protected by legislation and/or confidentiality agreements will be classified Restricted. The highest level of security controls will be applied.
A classification of a data item may change over time.
9. Authority and Access Control
Glean follows the Principle of Least Privilege, which means access to customer and end user data is restricted to authorized persons who have a legitimate business need to access it, in line with their job role. Where possible, access is further limited to the specific data set needed to complete a task.
The Chief Operating Officer, Head of Engineering, Head of Data and Systems, and IT Operations Manager are accountable for the authorization of access to customer and end user data. Access can be changed or removed at any time by these individuals or by a delegated member of senior management. For example, when a colleague changes role, their access to a specific system may be removed because it is no longer required for their day-to-day work.
The IT and Engineering teams maintain a list of all applications and databases that hold customer and end user data and their corresponding internal owner.
Resource Access Logs
Glean maintains logs of all interactions between systems (human and other software) within its infrastructure and architecture. This includes, but is not limited to:
- Successful and unsuccessful login attempts to external public-facing systems
- Internal authorization attempts between internal and third party systems
- Activities performed by users (administrators and users)
Logs are retained for 90 days and then expire. User audit logs may be retained for a longer period of time in line with Glean's internal Data Retention Policy and/or legal requirements.
Reporting Access Violations
The Engineering team maintains a process for providing reports and alerts for unexpected or malicious behaviour, such as multiple failed login attempts for a single account, which may be evidence of a systemic attack on services within Glean's infrastructure. Where Glean identifies this kind of behaviour, Glean will contact the impacted user(s) and/or customer as soon as possible and will communicate the steps that it's taking to address the issue.
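The alert described above (repeated failed logins against one account) can be expressed as a sliding-window rule over authentication logs. The following is an added example, not Glean's own alerting code; the log line format and the sample lines are constructed for the example, and the threshold and window are assumed values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real Glean logs). Assumed format:
# <ISO timestamp> login <SUCCESS|FAILURE> user=<account> ip=<source>
SAMPLE_LOG = """\
2024-03-01T09:00:01Z login FAILURE user=alice@example.edu ip=198.51.100.7
2024-03-01T09:00:04Z login FAILURE user=alice@example.edu ip=198.51.100.7
2024-03-01T09:00:09Z login FAILURE user=alice@example.edu ip=198.51.100.7
2024-03-01T09:00:15Z login FAILURE user=alice@example.edu ip=198.51.100.7
2024-03-01T09:00:20Z login FAILURE user=alice@example.edu ip=198.51.100.7
2024-03-01T09:01:00Z login SUCCESS user=bob@example.edu ip=203.0.113.9
2024-03-01T09:05:00Z login FAILURE user=bob@example.edu ip=203.0.113.9
2024-03-01T09:30:00Z login FAILURE user=bob@example.edu ip=203.0.113.9
"""


def parse_line(line):
    """Split one log line into (timestamp, outcome, account, source ip)."""
    ts, _, outcome, user, ip = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), outcome,
            user.split("=", 1)[1], ip.split("=", 1)[1])


def detect_failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Raise one alert per account once `threshold` failures fall inside a
    sliding `window`; successes are ignored and old failures age out."""
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        ts, outcome, user, ip = parse_line(line)
        if outcome != "FAILURE":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "failures": len(q),
                           "first": q[0], "last": ts, "last_ip": ip})
    return alerts
```

Accounts named in the returned alerts are the ones the policy says should be contacted; the window keeps bob's two failures 25 minutes apart from being counted together.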
Glean follows password management industry best practices. All Glean colleagues use a company-approved password manager to ensure credentials are secure. All Glean devices, applications, and systems are secured with strong passwords, and where applicable, use two-factor authentication. When a colleague leaves Glean, all of their company passwords are deleted, systems access revoked, and accounts disabled.
10. Physical and Environmental Security
Glean's offices have the following physical safeguards in place:
- No Access to Unauthorized Personnel Policy
- Visitor Sign-in
- Lockable filing cabinets and cupboards housing company devices and other equipment
- Lockable personal storage
- Fire suppression system
- Building Security (operating 07:00 - 19:00, Monday to Friday)
- Building alarm system
11. Data Support and Operations
Glean's externally-hosted systems (cloud based) that are used to store customer and end user data are protected in accordance with Glean's internal security policies and industry best practices.
Best practices include but are not limited to:
- All data encrypted at rest and only transmitted over encrypted channels
- All systems secured with role-based secure APIs
- All software and operating systems patched regularly; frequency will increase if security advisories indicate there is a vulnerability
Backups of customer and end user data to cloud storage are performed daily according to an automated schedule. Glean uses cloud storage provided by Amazon Web Services (AWS) and Google Cloud. Backups are automated and encrypted and are stored for up to one year.
Glean will never transfer data in an insecure format. While every effort is made to protect data, Glean can't guarantee that transmitting data over the internet, or, storing data electronically in the cloud, is 100% secure or error-free.
12. Retention and Secure Deletion of Data
Glean will only keep data for as long as necessary to fulfil the purposes it was collected for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Glean considers the following when determining retention periods:
- The amount, nature, and sensitivity of the data
- The potential risk of harm from unauthorized use or disclosure
- The purposes for which it processes the data
- Whether Glean can achieve those purposes through other means, and any applicable legal requirements
Full details of the personal data that Glean processes and how it handles personal data can be found at: https://glean.co/privacy-policy.
In some circumstances, Glean pseudo-anonymises personal data to safeguard an individual's privacy. Glean may also completely anonymise personal data for research or statistical purposes; in which case Glean may use the data indefinitely without further notice to the individual.
13. Security Incident Response Plan
Glean's Security Incident Response Plan details the procedural steps Glean follows in the event of a suspected or confirmed security breach of its systems or infrastructure, including third party services used by Glean. When a security incident is identified, Glean will:
- Respond: assemble the internal incident response team
- Validate: qualify the existence of the incident
- Scope: assess the impact
- Contain: limit the impact and potential damage and preserve evidence
  - Determine if regulatory or contractual reporting is required based on the nature of the incident. If reporting is required, Glean will make sure all relevant parties are notified within 72 hours of identifying the incident. Glean will always notify affected individuals in the event of a security incident that may compromise their data
  - If Glean decides that reporting isn't required, Glean will make sure it documents its reasoning appropriately
- Recover: restore normal service while continuing to analyse the incident, understanding any and all legal implications
- Improve: perform root cause analysis, determine lessons learned, and implement strategic remediation
14. Testing and Risk Monitoring
Glean regularly tests key aspects of its information security management system to make sure that it's implemented properly and functioning effectively. Potential and existing information security threats, risks and vulnerabilities are identified, mitigated and managed as part of Glean's wider risk management programme.
An independent third party provider performs penetration testing at least once per year (and more frequently as needed), based on the results of risk assessments and continuous monitoring of Glean's threat landscape. Examples of the ways Glean monitors its systems, logs, and events include:
- Continuous monitoring of changes affecting systems handling authorization and authentication;
- Engaging independent third parties to perform vulnerability assessments and/or penetration testing;
- Reviewing privileged access to Glean's production systems