Security
How we protect your code, secrets, and running services.
Infrastructure
- Hosting. Glinr Cloud runs on Hetzner (EU, Germany) and Microsoft Azure (US). Both providers maintain SOC 2 and ISO 27001 certifications; those cover the providers' facilities and infrastructure, not the Glinr application layer described below.
- Container isolation. Each account's services run on their own Docker networks. Containers belonging to different accounts share no network, so they have no path to reach each other.
- No privileged containers. User containers never run with Docker's --privileged flag. Resource limits (CPU, memory, PIDs) are enforced per container.
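The two invariants above (per-account networks; no --privileged, with CPU, memory and PID limits on every container) are easy to state and easy to regress. The following is an added example, not Glinr's code: a small Go audit that reads `docker inspect` output and reports every container that breaks one of them, including a user-defined network that ends up attached to containers of two different accounts. It assumes containers carry a `glinr.account` label naming their owner (an assumption; the page does not say how containers are tagged) and that CPU limits are set with `--cpus`, which Docker records as `NanoCpus`. The input below is constructed to show one compliant and one non-compliant container.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// inspected is the subset of `docker inspect` output the audit needs;
// field names match the Docker Engine API container JSON.
type inspected struct {
	Name   string `json:"Name"`
	Config struct {
		Labels map[string]string `json:"Labels"`
	} `json:"Config"`
	HostConfig struct {
		Privileged  bool     `json:"Privileged"`
		PidsLimit   *int64   `json:"PidsLimit"` // null or 0: unlimited
		Memory      int64    `json:"Memory"`    // bytes; 0: unlimited
		NanoCpus    int64    `json:"NanoCpus"`  // set by --cpus; 0: unlimited
		NetworkMode string   `json:"NetworkMode"`
		CapAdd      []string `json:"CapAdd"`
	} `json:"HostConfig"`
	NetworkSettings struct {
		Networks map[string]json.RawMessage `json:"Networks"`
	} `json:"NetworkSettings"`
}

// accountLabel is an assumed label naming the owning account.
const accountLabel = "glinr.account"

// Audit returns findings per container name (empty slice = compliant):
// privileged mode, added capabilities, missing PID/memory/CPU limits,
// host or default-bridge networking, and networks shared across accounts.
func Audit(inspectJSON []byte) (map[string][]string, error) {
	var cs []inspected
	if err := json.Unmarshal(inspectJSON, &cs); err != nil {
		return nil, err
	}
	// Pass 1: which accounts are attached to each network.
	accountsOnNet := map[string]map[string]bool{}
	for _, c := range cs {
		acct := c.Config.Labels[accountLabel]
		for net := range c.NetworkSettings.Networks {
			if accountsOnNet[net] == nil {
				accountsOnNet[net] = map[string]bool{}
			}
			accountsOnNet[net][acct] = true
		}
	}
	// Pass 2: per-container checks.
	findings := map[string][]string{}
	for _, c := range cs {
		hc := c.HostConfig
		f := []string{}
		if hc.Privileged {
			f = append(f, "privileged")
		}
		if len(hc.CapAdd) > 0 {
			f = append(f, "cap-add: "+strings.Join(hc.CapAdd, ","))
		}
		if hc.PidsLimit == nil || *hc.PidsLimit <= 0 {
			f = append(f, "no pids limit")
		}
		if hc.Memory <= 0 {
			f = append(f, "no memory limit")
		}
		if hc.NanoCpus <= 0 {
			f = append(f, "no cpu limit")
		}
		if hc.NetworkMode == "host" {
			f = append(f, "host networking")
		}
		nets := make([]string, 0, len(c.NetworkSettings.Networks))
		for net := range c.NetworkSettings.Networks {
			nets = append(nets, net)
		}
		sort.Strings(nets) // deterministic finding order
		for _, net := range nets {
			switch {
			case net == "bridge" || net == "host":
				f = append(f, "on default network "+net)
			case len(accountsOnNet[net]) > 1:
				f = append(f, fmt.Sprintf("network %s shared by %d accounts", net, len(accountsOnNet[net])))
			}
		}
		findings[strings.TrimPrefix(c.Name, "/")] = f
	}
	return findings, nil
}

// sampleInspect is constructed input shaped like `docker inspect $(docker ps -q)`.
const sampleInspect = `[
 {"Name":"/web-a","Config":{"Labels":{"glinr.account":"acct-a"}},
  "HostConfig":{"Privileged":false,"PidsLimit":256,"Memory":536870912,"NanoCpus":1000000000,"NetworkMode":"glinr-acct-a","CapAdd":null},
  "NetworkSettings":{"Networks":{"glinr-acct-a":{}}}},
 {"Name":"/worker-b","Config":{"Labels":{"glinr.account":"acct-b"}},
  "HostConfig":{"Privileged":true,"PidsLimit":null,"Memory":0,"NanoCpus":0,"NetworkMode":"bridge","CapAdd":["SYS_ADMIN"]},
  "NetworkSettings":{"Networks":{"bridge":{},"glinr-acct-a":{}}}}
]`

func main() {
	findings, err := Audit([]byte(sampleInspect))
	if err != nil {
		panic(err)
	}
	for name, f := range findings {
		fmt.Printf("%s: %d finding(s) %v\n", name, len(f), f)
	}
}
```

Note that the compliant container `web-a` is still flagged once: the misconfigured `worker-b` joined `glinr-acct-a`, so that network is now shared by two accounts and both sides of the breach are reported.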
Data protection
- Encryption in transit. All connections use TLS 1.3. The agent's WebSocket connection to the API is carried over that same TLS (wss://), never plain ws://.
- Encryption at rest. Environment variables are encrypted with AES-256 before being stored in the database.
- Authentication. Sessions use httpOnly cookies. Tokens are never exposed to client-side JavaScript. Passwords are hashed with bcrypt.
- No plaintext secrets. Environment variables are masked in the dashboard and API responses. The raw values are only injected into containers at deploy time.
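The encryption-at-rest and no-plaintext-secrets items describe one data flow: a value is encrypted with AES-256 before it is written, the API only ever returns a mask, and the raw value is decrypted solely to inject it into a container at deploy time. The following is an added example in Go, not Glinr's implementation, of that flow using AES-256-GCM. It binds the variable name into the ciphertext as additional authenticated data, so a ciphertext copied from one row onto another variable (say, `DATABASE_URL`'s blob stored under a name that ends up echoed in a log) fails to decrypt. The key is a fixed demo key derived from a string; a real deployment would load it from a KMS or a sealed file that lives outside the database holding the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// EnvVar is the stored form: name in clear, value only as ciphertext
// (base64 of nonce || AES-256-GCM ciphertext+tag).
type EnvVar struct {
	Name       string
	Ciphertext string
}

// Vault wraps the 32-byte AES-256 key in a GCM AEAD.
type Vault struct{ aead cipher.AEAD }

func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts a value for storage. The variable name is the AAD, so
// the blob is only valid under the name it was sealed with.
func (v *Vault) Seal(name, value string) (EnvVar, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return EnvVar{}, err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(value), []byte(name)) // nonce prefixed
	return EnvVar{Name: name, Ciphertext: base64.StdEncoding.EncodeToString(ct)}, nil
}

// Open decrypts a stored value; it fails on a wrong key, a tampered
// blob, or a blob moved under a different variable name.
func (v *Vault) Open(ev EnvVar) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(ev.Ciphertext)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns+v.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(ev.Name))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// APIView is what the dashboard and API return: names only, with a
// fixed placeholder so neither the value nor its length leaks.
func APIView(vars []EnvVar) map[string]string {
	out := make(map[string]string, len(vars))
	for _, ev := range vars {
		out[ev.Name] = "********"
	}
	return out
}

// DeployEnv is the only place raw values appear: the NAME=value list
// handed to the container runtime at deploy time.
func DeployEnv(v *Vault, vars []EnvVar) ([]string, error) {
	env := make([]string, 0, len(vars))
	for _, ev := range vars {
		val, err := v.Open(ev)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", ev.Name, err)
		}
		env = append(env, ev.Name+"="+val)
	}
	return env, nil
}

// DemoKey is a fixed key for this example only; never derive a real key this way.
func DemoKey() []byte {
	k := sha256.Sum256([]byte("demo-only key material"))
	return k[:]
}

func main() {
	v, _ := NewVault(DemoKey())
	ev, _ := v.Seal("DATABASE_URL", "postgres://app:s3cret@db/app") // constructed value
	fmt.Println("stored:", ev)
	fmt.Println("api:", APIView([]EnvVar{ev}))
	env, _ := DeployEnv(v, []EnvVar{ev})
	fmt.Println("deploy:", env)
}
```

GCM with a random 96-bit nonce is fine at the volume of an env-var store; if a single key sealed billions of values, a nonce-misuse-resistant mode or per-tenant keys would be the next step.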
Build pipeline
- Source code. Repos are cloned at build time and deleted after the image is built. We don't store your source code permanently.
- Build isolation. Each build runs in its own temporary directory. Build artifacts are cleaned up after the Docker image is created.
- Nixpacks. We use Nixpacks (open source, MIT) to generate Dockerfiles. No custom build scripts run with elevated privileges.
Agent (Connected Cloud)
- Open source. The Glinr agent is Apache 2.0 licensed. You can audit the code at github.com/glinr/glinr-agent.
- Outbound only. The agent initiates a WebSocket connection to the API, so nothing on your server needs to accept inbound connections for the agent itself. Ports 80/443 still need to be open for Caddy to serve your apps.
- Minimal footprint. The agent is a single Go binary (~15MB). It uses less than 25MB of RAM at idle.
Reporting a vulnerability
If you find a security issue, email [email protected]. We'll acknowledge within 24 hours and aim to resolve confirmed issues within 72 hours. We don't have a formal bug bounty program yet, but we'll credit researchers who report responsibly.