Security

As a small team building Glass, we understand the trust you place in us to protect your photos and personal information. Security is fundamental to everything we build, and we've implemented comprehensive measures to safeguard your data.

Infrastructure Security

Glass is built on Amazon Web Services (AWS), leveraging their industry-leading security infrastructure. We use infrastructure-as-code to ensure consistent and secure deployments, allowing us to maintain a robust security foundation while we focus on building Glass.

All user data, including photos and databases, is hosted in AWS's US East (Virginia) region. While our content delivery network caches photos globally to ensure fast access for users worldwide (as is standard for modern web applications), all primary data storage remains in Virginia.

Our infrastructure implements multiple security controls:

  • Multiple layers of network security controls and private networking
  • Least-privilege access principles for all system components
  • Continuous security monitoring and automated alerts
  • Regular security patches and updates
  • Comprehensive audit logging
  • Multi-region content delivery for performance and reliability

Network Security

Security begins at the network level. All traffic is encrypted using modern TLS protocols, and we employ web application firewalls to protect against common exploits. Our content delivery network includes DDoS protection and continuous monitoring for suspicious activity. We maintain compliance with U.S. sanctions laws through geo-restrictions.

Data Protection

Your photos and data are protected by industry-standard encryption. We use strong encryption for all stored data and implement strict access controls. To enhance privacy, we automatically remove EXIF metadata from all photos that are displayed and shared, while preserving original files to maintain image quality for future processing.

Our data protection strategy includes:

  • Encryption at-rest and in-transit
  • Secure content delivery
  • Security monitoring
  • Comprehensive backup systems

We maintain multiple layers of data protection through regular automated backups, point-in-time recovery capabilities, high-availability infrastructure, and disaster recovery procedures. All backup systems undergo regular verification to ensure reliability.

Application Security

Security is integrated throughout Glass's architecture. We implement secure authentication with strong access controls to ensure appropriate data access across the platform. Our infrastructure is continuously monitored to prevent unauthorized access to user data.

We securely store all passwords using industry-standard encryption. While we recommend using strong, unique passwords for your account, we believe in giving users control over their password choices.

Our APIs implement multiple layers of protection. All endpoints require HTTPS, include request validation, and employ rate limiting to prevent abuse. We maintain security headers including Strict Transport Security, Content Security Policy, and other standard security headers.

We implement secure error handling throughout our infrastructure, including secure error pages, protected error logging, graceful service degradation, and automated error monitoring.

Monitoring and Response

We maintain comprehensive security monitoring across our infrastructure:

  • Automated threat detection
  • API activity logging
  • System monitoring and alerts
  • Attack prevention systems
  • Access logging
  • Performance monitoring

Our team maintains clear incident response procedures and can act quickly when needed.

Privacy and Data Control

We take data privacy seriously and implement data protection measures. We do not share user data with third parties, with the sole exception of essential service providers (payment processing) who receive only the minimal required information. For analytics, we use a privacy-friendly solution that doesn't track individual users.

Users have full control over their data through self-service features in their account settings, including complete photo export capabilities and account deletion with full data removal.

Data Collection and Usage

We collect only essential information needed to provide our service: your name, email address (which is never publicly displayed), username, and optionally, your pronouns. We use cookies solely for technical purposes to keep the service running smoothly, not for tracking. Your photos are used only for display on Glass - we never use them for training AI models or any other purposes.

Photo Privacy and Control

You control who can see your photos through your profile settings. You can choose between making your profile visible to anyone or restricting it to active Glass members only. If your profile is public, search engines may index your photos. For privacy protection, we remove location data from all displayed photos, and your original, unmodified photos are never accessible to other users.

Account Management

If you ever forget your password, you can easily request a reset. Should you decide to delete your account, we implement a 1-week cooling-off period during which you can change your mind. After this period, we permanently delete all your data without any possibility of recovery.

Data Sharing

We maintain a strict policy against sharing your data for marketing or tracking purposes. The only data sharing we do is with essential service providers, and even then, we share only the minimal information required for the service to function. We've specifically chosen privacy-respecting solutions for our infrastructure to ensure your data remains protected.

Security Updates

We maintain a proactive approach to security updates. Our small team structure enables quick response times for security patches and improvements. We use automated tools to monitor our dependencies for known vulnerabilities and regularly update our software dependencies to ensure we're running secure versions.

Security Research

While we welcome security researchers who want to help improve Glass's security, we do not operate a bug bounty program and cannot offer monetary compensation for vulnerability reports. Please note that we will not make any exceptions to this policy. We do appreciate responsible disclosure of vulnerabilities and will acknowledge researchers' contributions (with permission) when they help improve our security.

Research Guidelines

Our security research scope encompasses the Glass ecosystem, including our main web application (glass.photo), official mobile apps (iOS, iPadOS, Android), desktop apps (Windows), and associated APIs and infrastructure components.

When conducting security research, we ask that you use your own account and test manually without automated scanning tools. Your testing should focus on substantive security issues that could impact user data or system integrity. We expect researchers to respect user privacy and avoid any testing that could affect other users or service availability. Social engineering attacks against our team are not permitted.

We cannot accept reports about theoretical vulnerabilities without demonstrated impact, automated scanning results, or generic security misconfigurations. Testing of third-party services (including payment systems), denial of service attempts, automated enumeration, and physical infrastructure are outside our scope. Any activity that could impact other users will not be considered.

We value detailed reports that demonstrate clear security impact through proof of concept, identify specific risks to user data or privacy, and show creative thinking about security implications. Quality is more important than quantity.

Our commitment to researchers includes prompt investigation of legitimate reports, collaborative work to understand and validate findings, timely addressing of confirmed vulnerabilities, and proper acknowledgment of contributions when desired.

Team Security

Our team implements several security measures to protect our infrastructure:

  • Multi-factor authentication required for all team services
  • Password manager usage for secure credential management
  • Regular access review
  • Security-first development

Third-Party Security

We carefully evaluate all third-party services and require them to meet our security standards. All external access is monitored and controlled.

Contact and Reporting

For security-related inquiries or to report a security vulnerability, please contact us at security@glass.photo. We investigate all security reports promptly.

Last updated: Feb 14 2025