
Security Policy

The technical measures protecting your data across the desktop app, cloud relay, and web portal — encryption, auth, and threat model.

Effective date: February 19, 2026

Security is foundational to Glueprint's architecture. This document describes the technical measures we employ to protect your data across the desktop application, cloud relay, and web portal.

1. Encryption Architecture

All data transmitted through the Glueprint cloud relay is encrypted using AES-256-GCM (Galois/Counter Mode), an authenticated encryption algorithm that provides both confidentiality and integrity.

  • Key derivation: Encryption keys are derived from your password using PBKDF2 with a high iteration count, ensuring resistance to brute-force attacks
  • Per-session keys: A unique Data Encryption Key (DEK) is generated for each session
  • Authenticated encryption: AES-256-GCM provides built-in tamper detection — any modification to ciphertext is detected during decryption
  • Unique nonces: Every encrypted envelope uses a unique nonce to prevent replay attacks

2. Zero-Knowledge Cloud Relay

The Glueprint relay server operates on a zero-knowledge principle. Encryption and decryption happen exclusively on the client (desktop app or web portal). The relay server:

  • Never receives encryption keys or passwords
  • Only processes encrypted ciphertext and routing metadata (timestamps, sequence numbers, session IDs)
  • Cannot decrypt session content under any circumstances
  • Cannot comply with data disclosure requests for plaintext because it does not possess decryption capability

Sequence numbers and a gap-fill mechanism ensure reliable, ordered event delivery without exposing content.
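The key hierarchy and envelope handling described in sections 1 and 2, as an added sketch using Node.js's built-in crypto module; it is not Glueprint's code. The KDF parameters (PBKDF2-HMAC-SHA256, 600,000 iterations, 16-byte salt), wrapping the DEK under the password-derived key, binding the session ID and sequence number as associated data, and all function names are assumptions.

```javascript
const crypto = require('crypto');

// Assumed KDF parameters; the page states only "PBKDF2 with a high iteration count".
const deriveKek = (password, salt) =>
  crypto.pbkdf2Sync(password, salt, 600000, 32, 'sha256');

// AES-256-GCM with a fresh random 96-bit nonce; aad is authenticated, not encrypted.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { nonce, ct, tag: c.getAuthTag() };
}

function unseal(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.nonce);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // final() throws on any tampering
}

// Assumption: routing metadata is bound to the ciphertext as associated data.
const routingAad = (sessionId, seq) => Buffer.from(`${sessionId}:${seq}`);

// Client side: per-session DEK, wrapped under the password-derived key (assumed scheme).
function startSession(password, sessionId) {
  const salt = crypto.randomBytes(16);
  const dek = crypto.randomBytes(32);
  const wrappedDek = seal(deriveKek(password, salt), dek, Buffer.from(sessionId));
  return { sessionId, salt, wrappedDek, dek };
}

// A second client recovers the DEK from the password plus the salt and wrapped key.
function unwrapDek(password, { sessionId, salt, wrappedDek }) {
  return unseal(deriveKek(password, salt), wrappedDek, Buffer.from(sessionId));
}

// The returned envelope is everything the relay sees: metadata, nonce, ciphertext, tag.
function sealEvent(session, seq, event) {
  const body = Buffer.from(JSON.stringify(event));
  return { sessionId: session.sessionId, seq,
           ...seal(session.dek, body, routingAad(session.sessionId, seq)) };
}

function openEvent(dek, env) {
  const pt = unseal(dek, env, routingAad(env.sessionId, env.seq));
  return JSON.parse(pt.toString('utf8'));
}
```

With the metadata bound this way, a relay that rewrites a sequence number or flips a ciphertext bit causes decryption to fail on the receiving client instead of delivering altered content.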

3. Desktop Security

The Glueprint desktop application is built with Tauri + Rust, providing significant security advantages over Electron-based alternatives:

  • No Node.js backend: The backend runs as natively compiled Rust code, eliminating an entire class of Node.js/npm supply chain vulnerabilities
  • Sandboxed WebView: The frontend renders in the OS-native WebView (WebKit on macOS, WebView2 on Windows), isolated from the backend
  • Memory safety: Rust's ownership model prevents buffer overflows, use-after-free, and other memory corruption vulnerabilities
  • IPC boundary: All communication between the frontend and backend passes through a typed, validated IPC interface
  • Atomic file writes: Data is written to temporary files and atomically renamed, preventing corruption from crashes or interruptions

4. Authentication

  • PKCE OAuth: The desktop application uses Proof Key for Code Exchange (PKCE) for secure OAuth authentication, preventing authorization code interception attacks
  • Keychain storage: API keys and tokens are stored in the operating system's secure keychain (macOS Keychain, Windows Credential Manager), not in plaintext files
  • JWT + API key auth: The cloud relay supports JWT for human users and API key authentication for agent connections, each with appropriate scope restrictions
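How PKCE defeats an intercepted authorization code, as an added example using Node.js's built-in crypto module; it is not Glueprint's code. The `AuthServer` class is a hypothetical in-memory stand-in for an authorization server, and the S256 challenge method from RFC 7636 is assumed.

```javascript
const crypto = require('crypto');

const b64url = (buf) => buf.toString('base64url');

// S256 transform from RFC 7636: BASE64URL(SHA-256(ASCII(code_verifier))).
function s256(verifier) {
  return b64url(crypto.createHash('sha256').update(verifier, 'ascii').digest());
}

// Client: a fresh high-entropy verifier per login; only the challenge leaves the app
// with the authorization request.
function newPkcePair() {
  const verifier = b64url(crypto.randomBytes(32)); // 43 characters
  return { verifier, challenge: s256(verifier) };
}

// Hypothetical authorization server, reduced to the two PKCE-relevant steps.
class AuthServer {
  constructor() { this.codes = new Map(); }

  // Step 1: remember which challenge each issued code belongs to.
  authorize(challenge) {
    const code = b64url(crypto.randomBytes(16));
    this.codes.set(code, challenge);
    return code;
  }

  // Step 2: the code is single-use and only redeemable with the matching verifier.
  token(code, verifier) {
    const challenge = this.codes.get(code);
    this.codes.delete(code);
    if (!challenge || typeof verifier !== 'string') return null;
    const a = Buffer.from(s256(verifier));
    const b = Buffer.from(challenge);
    const ok = a.length === b.length && crypto.timingSafeEqual(a, b);
    return ok ? { access_token: b64url(crypto.randomBytes(24)) } : null;
  }
}
```

A party that captures the code from the redirect holds neither the verifier nor any way to derive it from the challenge, so its token request is refused.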

5. Data at Rest

Local data is stored in the ~/.glueprint/ directory:

  • Session logs are stored as JSONL (JSON Lines) files
  • Work item configurations use YAML format
  • Atomic writes: All file operations use a write-to-temp-then-rename pattern to prevent data corruption
  • Local only: This data is never transmitted to Glueprint servers unless you explicitly enable the cloud relay

6. Infrastructure Security

The cloud relay server infrastructure is secured with the following measures:

  • TLS everywhere: All connections to the relay server are encrypted in transit via TLS 1.2+
  • WebSocket security: The relay uses authenticated WebSocket connections with heartbeat monitoring
  • Database: PostgreSQL with encrypted connections and role-based access controls
  • Redis: Used for presence tracking and pub/sub routing with authenticated connections
  • Rate limiting: Connection and message rate limits protect against abuse

7. Vulnerability Reporting

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to us privately:

Email: security@glueprint.ai

Please include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any relevant screenshots or proof-of-concept code

We will acknowledge receipt within 48 hours and aim to provide an initial assessment within 5 business days. We ask that you give us reasonable time to address the issue before public disclosure.

8. Incident Response

In the event of a security incident affecting user data, we will:

  • Investigate and contain the incident promptly
  • Notify affected users within 72 hours of confirmation
  • Provide clear information about what data was affected and what steps users should take
  • Publish a post-incident report with root cause analysis and remediation steps

Due to our zero-knowledge encryption architecture, a server-side breach cannot expose the plaintext content of your sessions.

9. Contact Us

For security questions or concerns, contact us at:

Email: security@glueprint.ai