Security at SpyGlow
Last updated: April 1, 2026
Overview
We build SpyGlow with a security-first mindset. This page describes how we protect your data, authenticate users, and handle AI processing. If you have questions, contact us by email.
Data Protection
- Encryption in transit: All communication between your browser and our servers uses TLS 1.2+ (HTTPS). API calls from the frontend are proxied through a secure backend layer.
- Data storage: Application data is stored in MongoDB on infrastructure with restricted access. Encryption at rest is a planned enhancement.
- Secrets management: Application secrets (API keys, database credentials) are stored in environment variables on the server, never in client-side code or public repositories.
- Access control: Production server access is restricted to authorized personnel only.
Authentication & Sessions
- Authentication: SpyGlow supports Google OAuth, email magic-link, and email/password sign-in. Sessions are managed via JSON Web Tokens (JWT) issued by NextAuth.
- Rate limiting: Login attempts and API requests are rate-limited to prevent brute-force attacks and abuse.
- Input validation: All user inputs are validated and sanitized on both the frontend and backend before processing.
AI & Data Processing
- Data isolation: Each user's competitive intelligence data (competitor lists, monitoring history, AI-generated insights) is scoped to their account and cannot be accessed by other users.
- AI processing: When you use features like AskGlow, Content Gap Analysis, or Battle Cards, your queries and relevant data are sent to third-party AI providers for processing. These providers do not use your data to train their models.
- No model training: We do not use your private data, competitor lists, or generated insights to train any public AI models.
- Caching: AI context data may be temporarily cached in memory to improve performance and is cleared when the session ends or the cache reaches capacity.
Competitor Data Handling
- Public data only: SpyGlow monitors publicly accessible competitor web pages. We do not access password-protected or private content.
- Per-account isolation: Scraped content, screenshots, and monitoring history are scoped to your account and cannot be accessed by other users.
- Retention: Page snapshots and change history are retained while your account is active and deleted within 30 days of account deletion.
Infrastructure
- Hosting: SpyGlow runs on a virtual private server with process management and automatic restarts for high availability.
- Reverse proxy: All traffic is routed through Nginx, which handles TLS termination and request forwarding.
- Monitoring: We use centralized logging and automated health checks to detect and respond to issues. Sensitive customer data is not included in application logs.
Subprocessors
We work with the following third-party services to deliver SpyGlow:
| Provider | Purpose | Data shared |
|---|---|---|
| OpenAI | AI analysis, content generation, competitive intelligence | User queries, competitor data excerpts |
| Perplexity AI | Web search for real-time competitive data | Search queries |
| Google (Gemini) | AI visibility scanning | Brand names, competitor names, search queries |
| Google (OAuth) | Authentication | Email, name, profile picture |
| MongoDB | Database | All application data |
| Redis | Job queue and caching | Monitoring job data, temporary cache |
| Dodo Payments | Subscription billing | Payment and billing info |
| Resend | Transactional email delivery | Email address, email content |
Vulnerability Disclosure
If you discover a security vulnerability, please report it to us by email. We will:
- Acknowledge receipt within 48 hours
- Investigate and provide an initial assessment within 5 business days
- Keep you updated on remediation progress
We ask that you give us reasonable time to address the issue before any public disclosure.
What We're Working On
We are continuously improving security. Planned enhancements include:
- Two-factor authentication (2FA)
- Encryption at rest for all stored data
- Enhanced security headers (CSP, HSTS)
- SOC 2 preparation
Contact
Security questions? Email us.
