Organizational Security Practices
Last Updated: August 3rd, 2013
We take your security and privacy very seriously. Part of our efforts include informing you about Gliph can and cannot provide so that you can make good decisions.
We maintain a Responsible Disclosure program and appreciate your participation.
At Gliph, we limit access to all servers that handle user data to the absolute minimum. At the time of writing, only two members of the Gliph team are authorized for access. All employees with access adhere to the following requirements:
- Two-factor authentication for email
- Two-factor authentication for server access (SSH)
- Hard drive encryption
- PIN access for phones and other portable devices
- Devices automatically lock (screensaver and/or sleep)
- Manually lock any device when not physically present for any time
An incomplete list of some of the steps we take to ensure your privacy and security:
- bcrypt for password verification
- PBKDF2 for key generation
- SSL for all connections (with perfect forward security on supported browsers)
- RSA 2048 (PKCS #1 OAEP) for initial key exchange between Gliph users
- AES-256-CBC with random IV for facet and message encryption
No single security or privacy tool is perfect. If you need proven security for your own safety, there are other tools out there. Look at solutions that use PGP and OTR.
Gliph is a closed-source (at least for now), centralized, unaudited tool. We work very hard to ensure your privacy and security and we believe we have found a great balance between usability and security. There are some compromises on both sides in order to make that happen.
Cryptography is done server-side (at least for now), messages are not signed, and the Gliph apps work with centralized servers. Gliph is a US-based company with some servers located in the US.