
Security principles

Integration Glue uses trusted subprocessors, follows strict security standards, ensures data privacy with stateless processing and encryption, and is working towards SOC2 compliance.

List of subprocessors:

  • Google LLC (Main cloud hosting provider and email provider)

  • HubSpot (CRM)

  • Microsoft (SharePoint, for the Microsoft-related microapps only)

  • Cloudflare (DNS, CDN, Internet Security)

  • Slack (Internal Messaging app)

  • Stripe (Payment processing)

  • Auth0 / Okta (Authentication on our platform)

Data Protection

  • Regional Hosting: All processing is located in the Google Cloud 'us-central1' region by default. We can customize this for Enterprise clients to any supported Google Cloud region. We plan to add Europe and Australia as default locations for Public Apps in the future.

  • Stateless Architecture: Most of our integrations are 100% stateless. We do not store transit data; all processing is performed in volatile memory.

  • Performance Caching: Data caching required for performance is strictly limited to a 10-minute window.

  • Encryption: Any temporary data storage follows industry-standard AES-256 encryption at rest offered by our Cloud Provider. All data is encrypted while in transit, including the connection between HubSpot and Integration Glue.

  • Automated Clearing: We use serverless technology that automatically shuts down after 10 minutes of inactivity, clearing any cached or disk data.

  • Data Retention: We automatically remove any residual data 3 months after a contract ends, or earlier upon request.

  • Data Ownership: Clients retain full ownership of any data that transits through our systems.

  • AI Policy: We do not share or train AI models with your data.


Software Development Life Cycle (SDLC)

Integration Glue operates under a formalized SDLC that ensures security is a functional requirement of every feature.

  • Security by Design: Every new integration undergoes a security review during the design phase to ensure it adheres to our stateless processing requirements.

  • Standardized Development: We use isolated development environments that mirror production to ensure consistent behavior of our security and memory-clearing logic.

  • Automated Quality Gates: Our deployment pipeline automatically executes a suite of tests and security scans.

  • Mandatory Peer Review: No code enters the production environment without approval from at least two team members. This review focuses specifically on secure data handling and robust error management.

  • Secret Management: Sensitive credentials and API keys are stored in dedicated, encrypted vaults with strict access controls, ensuring they are never exposed in the source code.

  • Error Monitoring & Zero-Error Policy: We maintain a proactive monitoring posture using real-time error tracking and diagnostic tools to identify and resolve software bugs immediately upon occurrence. We operate under a strict "Zero Error" policy, where any production exception is treated as a high-priority event, ensuring that the platform remains stable, predictable, and secure for all users.

Security Standards in Place at Integration Glue

  • External Testing: Biennial external penetration testing and cloud permission reviews.

  • CI/CD Security: Static code analysis is a mandatory part of the deployment process, and releases require multi-person approval.

  • Team Training: New developers receive security onboarding, followed by yearly security training for the entire team.

  • Vulnerability Management: Use of secure and maintained libraries.

    • We use Python as our main programming language

    • Every library addition goes through an approval process

    • Libraries are updated as soon as possible in case of a critical CVE.

    • Integrations go through a maintenance/upgrade process every 3 months.

  • Operational Security: We follow OWASP recommendations, utilize secure HTTPS headers, and use JWT tokens for stateless authentication. MFA (Multi-Factor Authentication) is required for all internal systems as part of our security policy.

  • Disaster Recovery & Business Continuity: Our IT Disaster Recovery and Business Continuity plans explicitly include all systems used to process or store client data.

  • Compliance: We are aiming for SOC2 compliance and use that framework as our baseline for organizational guidelines.

  • Security Incident: We have a security incident response plan that we can share with you if required. The email address for reporting security incidents is security@integrationglue.com.

  • Client Notification: Our incident response plan includes guidelines with a commitment to notify affected parties within 24 hours of a confirmed incident.

Is Integration Glue GDPR Compliant?

Yes, Integration Glue is committed to complying with the General Data Protection Regulation (GDPR) when handling data from users in the European Union (EU) and European Economic Area (EEA). Our compliance approach is based on two key factors: our location in a country recognized by the EU for adequate data protection, and our use of GDPR-compliant data processing infrastructure.

1. Our New Zealand Base & EU Adequacy Decision

  • Integration Glue is a company based in New Zealand.
  • Crucially, the European Commission has formally recognized New Zealand as providing an adequate level of data protection (pursuant to GDPR Article 45).
  • This "adequacy decision" means that the EU considers New Zealand's data privacy laws to be essentially equivalent to those within the EU.
  • As a result, personal data can be lawfully transferred from the EU/EEA to Integration Glue in New Zealand without requiring additional transfer mechanisms often needed for international data flows.
  • https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en#related-links

2. Secure Data Processing via Google Cloud Platform

  • To operate our services, Integration Glue utilises the Google Cloud Platform (GCP) for data processing.
  • This processing only occurs within GCP's secure infrastructure, which is located in the United States (us-central1). Europe and Australia are planned as additional locations.
  • Google Cloud maintains robust compliance with GDPR regulations and is certified under the EU-US Data Privacy Framework.
  • This Framework is an adequacy mechanism recognized by the European Commission, ensuring that data transfers to participating US companies (like Google) meet the stringent data protection requirements mandated by GDPR.
  • Therefore, the environment where your data is processed adheres to EU standards for security and privacy.
  • https://cloud.google.com/privacy/gdpr?hl=en

Conclusion: Our Commitment

Integration Glue ensures compliance with GDPR principles through the combination of New Zealand's EU-recognized adequacy status and our reliance on Google Cloud's secure, GDPR-compliant infrastructure operating under the EU-US Data Privacy Framework. We are dedicated to protecting the privacy and security of all our users' data.

Link to the full Data Processing Agreement (DPA)

Can Integration Glue be used under the UK GDPR?

  • New Zealand is on the list of countries covered by UK adequacy regulations: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-transfers-a-guide/
  • Integration Glue is registered with the ICO: https://ico.org.uk/ESDWebPages/Entry/ZB872707