
Security principles

Integration Glue uses trusted subprocessors, follows strict security standards, ensures data privacy with stateless processing and encryption, and is working towards SOC2 compliance.

List of SubProcessors:

  • Google LLC (Main cloud hosting provider and email provider)

  • HubSpot (CRM)

  • Microsoft (SharePoint, for the Microsoft-related microapps only)

  • Cloudflare (DNS, CDN, Internet Security)

  • Slack (Internal Messaging app)

  • Stripe (Payment processing)

  • Auth0 / Okta (Authentication on our platform)

Data Protection

  • All our processing is located in the Google Cloud 'us-central1' region by default. For Enterprise clients we can customise this and use any Google Cloud region (see https://cloud.google.com/compute/docs/regions-zones).
    We plan on having Europe and Australia as possible default locations.

  • Most of our integrations are stateless (the DocuSign one is 100% stateless, for example). We do not store any data and all the processing is done in memory.

  • Data caching, if required for performance reasons, is limited to 10 minutes

  • Data storage, if any, follows Google Cloud security standards using AES encryption

  • We use serverless computing technology, which automatically shuts down after 10 minutes of inactivity, clearing any cached data.

  • Any data we hold is removed automatically 3 months after the end of the contract. We can delete it earlier if requested

  • Clients keep ownership of any data that transits through our systems

  • We do not share or train AI with your data

Security standards in place at Integration Glue

  • Biennial external penetration testing

  • Biennial external review of permissions/access control for Google Cloud/Workspace

  • Static code analysis as part of the CI/CD process

  • Approval is required by multiple team members for every production release (part of the CI/CD process)

  • New developer security training and best practices during onboarding

  • Yearly team security training

  • Use of secure and maintained libraries

    • We use Python as our main programming language

    • Every library addition goes through an approval process

    • Libraries are updated as soon as possible in case of a critical CVE

    • Integrations go through a maintenance/upgrade process every 3 months

  • Use of web security best practices

    • Following the OWASP recommendations

    • Use of security headers and HMAC verification over HTTPS

    • Use of JWT tokens for stateless authentication

  • We have a security incident response plan that we can share with you if required

  • We are aiming to become SOC2 compliant and are using this framework as a baseline for all our organisation guidelines

  • The email address for security incidents is security@integrationglue.com

Is Integration Glue GDPR Compliant?

Yes, Integration Glue is committed to complying with the General Data Protection Regulation (GDPR) when handling data from users in the European Union (EU) and European Economic Area (EEA). Our compliance approach is based on two key factors: our location in a country recognized by the EU for adequate data protection, and our use of GDPR-compliant data processing infrastructure.

1. Our New Zealand Base & EU Adequacy Decision

  • Integration Glue is a company based in New Zealand.
  • Crucially, the European Commission has formally recognized New Zealand as providing an adequate level of data protection (pursuant to GDPR Article 45).
  • This "adequacy decision" means that the EU considers New Zealand's data privacy laws to be essentially equivalent to those within the EU.
  • As a result, personal data can be lawfully transferred from the EU/EEA to Integration Glue in New Zealand without requiring additional transfer mechanisms often needed for international data flows.
  • https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en#related-links

2. Secure Data Processing via Google Cloud Platform

  • To operate our services, Integration Glue utilises the Google Cloud Platform (GCP) for data processing.
  • This processing only occurs within GCP's secure infrastructure, which is located in the United States (us-central1). (Soon in Europe and Australia)
  • Google Cloud maintains robust compliance with GDPR regulations and is certified under the EU-US Data Privacy Framework.
  • This Framework is an adequacy mechanism recognized by the European Commission, ensuring that data transfers to participating US companies (like Google) meet the stringent data protection requirements mandated by GDPR.
  • Therefore, the environment where your data is processed adheres to EU standards for security and privacy.
  • https://cloud.google.com/privacy/gdpr?hl=en

Conclusion: Our Commitment

Integration Glue ensures compliance with GDPR principles through the combination of New Zealand's EU-recognized adequacy status and our reliance on Google Cloud's secure, GDPR-compliant infrastructure operating under the EU-US Data Privacy Framework. We are dedicated to protecting the privacy and security of all our users' data.

Link to the full Data Processing Agreement (DPA)

Can Integration Glue be used under the UK GDPR?

New Zealand is on the list of adequacy regulations: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-transfers-a-guide/
Integration Glue is registered with the ICO: https://ico.org.uk/ESDWebPages/Entry/ZB872707