Security
How GLAB AI protects your data, your prompts, and your account.
Effective: 14 June 2026 · GauriLabs FZ-LLC · Dubai, UAE
1. Infrastructure
GLAB AI runs on Vercel's global edge network with auto-scaling and DDoS protection. The primary database is MongoDB Atlas hosted on AWS Mumbai (ap-south-1) with continuous backups and point-in-time recovery enabled.
All production traffic uses TLS 1.2 or higher with HSTS enforced. Internal service-to-service calls use mutual authentication.
2. Encryption
In transit: all data flowing between your browser and GLAB AI, and between GLAB AI and model providers, is encrypted with TLS 1.2+.
At rest: MongoDB Atlas encrypts all data at rest using AES-256. Database backups are encrypted with the same standard.
Secrets: API keys for upstream model providers are stored as Vercel environment variables, encrypted at rest, and never exposed to the browser or logged.
3. Authentication
Sign-in uses Google OAuth 2.0 or email magic links delivered via Resend. We do not store passwords. Session tokens are cookies set with the HttpOnly, Secure and SameSite flags. Sessions expire after 30 days of inactivity.
4. Model prompt isolation
When you select a model, your prompt is forwarded only to that provider's API. We do not log full prompt contents in shared analytics systems. Prompts and responses are stored against your user account only, never aggregated for training or shared with other customers.
5. Payment security
Credit top-ups are processed by NowPayments. GLAB AI never sees, stores, or processes payment credentials or wallet keys. Transactions are verified via signed webhooks from NowPayments before credits are added to your account.
6. Access controls
Production system access is limited to the founder and authorized engineers. All access requires multi-factor authentication. Database access is logged. Production changes are deployed via GitHub-Vercel CI/CD with audit history.
Customer-support staff (when applicable) cannot read your prompts or outputs without your explicit, time-limited consent for the duration of the support case.
7. Incident response
We monitor for security events around the clock via automated alerting. In the event of a confirmed breach involving personal data, affected customers will be notified within 72 hours per GDPR Article 33 requirements. Post-incident reports are published for material incidents.
8. Vulnerability reporting
Found a security issue? Please email ceo@gaurilabs.com with details. We commit to acknowledging within 48 hours and to not pursuing legal action against researchers acting in good faith under coordinated disclosure.
A formal bug bounty program is on the roadmap for late 2026.
9. Certifications
We are currently working toward SOC 2 Type II and ISO 27001 certification. Target completion: Q4 2026. Until then, this Security page documents our operational practices.
For enterprise customers requiring vendor security questionnaires (CAIQ, VSA), please contact ceo@gaurilabs.com.