Security and Compliance

At Glass Pay, protecting our users’ data and ensuring the integrity of our payment platform are top priorities. We understand that our customers – including businesses, individuals, and public sector entities – need to trust that Glass Pay operates with the highest security standards and complies with relevant regulations. This Security & Compliance page provides an overview of our security practices, infrastructure, and the compliance measures we and our partners take to keep your information safe. While Glass Pay is a growing platform (and we are in the process of obtaining our own certifications), we leverage industry-leading technology and partners who are already certified and compliant with strict standards.

Platform Security Overview

Encryption & Data Protection: All sensitive data on Glass Pay is encrypted both in transit and at rest. We enforce HTTPS with TLS 1.2 or later for all communications, so any data you send to our platform (such as login credentials or payment information) is encrypted while it travels over the internet. Our databases encrypt personal and financial information stored on disk using strong algorithms such as AES-256. Passwords are never stored in plaintext; they are stored as salted hashes, so even we cannot recover a user's password from our database. Bank account numbers and Social Security Numbers are encrypted at the database level with tightly controlled access. Where possible we also tokenize payment details: card numbers are represented by tokens issued by our payment processors, so our systems rarely handle raw card data.

Access Control & Authentication: Glass Pay uses role-based access control so that both external access (by users) and internal access (by our team) are limited to the minimum necessary. Users can see only the data associated with their own accounts or the accounts they manage. Internally, only authorized personnel who have undergone background checks and training can access production systems, and only for legitimate business purposes. All access to sensitive systems requires multi-factor authentication and is logged for audit purposes. We also support multi-factor authentication (MFA/2FA) on user accounts as an extra layer of protection and recommend enabling it where available. Our system monitors login attempts and will lock an account or prompt for additional verification when suspicious activity (such as repeated failed logins) is detected, guarding against credential guessing and unauthorized access.
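The "lock the account or prompt for additional verification" behaviour described above, as an added example (not Glass Pay's implementation): a sliding window of failed attempts per account, a step-up threshold after which the next attempt must pass extra verification, and a higher threshold that locks the account for a fixed period. The thresholds, window lengths and method names are assumptions for illustration; timestamps are passed in explicitly so the logic is deterministic.

```python
"""Login-attempt monitoring with step-up and temporary lockout (added example, not Glass Pay code).

Thresholds below are illustrative assumptions, not Glass Pay's actual policy.
"""
from collections import defaultdict, deque

STEP_UP_AFTER = 3        # failures in the window before extra verification is required
LOCK_AFTER = 10          # failures in the window before the account is locked
WINDOW = 15 * 60         # seconds over which failures are counted
LOCKOUT = 15 * 60        # seconds an account stays locked


class LoginGuard:
    def __init__(self, step_up_after=STEP_UP_AFTER, lock_after=LOCK_AFTER,
                 window=WINDOW, lockout=LOCKOUT):
        self.step_up_after = step_up_after
        self.lock_after = lock_after
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lock expires

    def _prune(self, account, now):
        """Drop failures that have fallen out of the sliding window."""
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def _lock_active(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now < until:
            return True
        # Lock expired: forget it and let the account start a fresh window.
        del self._locked_until[account]
        self._failures[account].clear()
        return False

    def decision(self, account, now):
        """Call BEFORE evaluating the password. Returns 'locked', 'step_up' or 'allow'.

        Unknown accounts get the same answers as known ones, so this check does
        not reveal whether an account exists.
        """
        if self._lock_active(account, now):
            return "locked"
        self._prune(account, now)
        if len(self._failures[account]) >= self.step_up_after:
            return "step_up"
        return "allow"

    def record_failure(self, account, now):
        """Record a failed attempt; returns True if this failure locked the account."""
        if self._lock_active(account, now):
            return True
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.lock_after:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account, now):
        """A fully verified login clears the failure history for the account."""
        self._failures[account].clear()
        self._locked_until.pop(account, None)
```

A per-account lock is also a denial-of-service lever: anyone who knows a username can lock its owner out. That is why the low threshold asks for step-up verification rather than locking, and why a real deployment pairs this with per-source-IP throttling and alerting on the volume of failures across accounts, which is how password spraying shows up.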

Network & Infrastructure Security: Our platform runs on Google Cloud Platform (GCP) and benefits from its security features and tenant isolation. Our servers sit behind firewalls and are regularly updated with security patches. We employ intrusion detection and prevention systems to guard against attacks. Vulnerability scans run frequently, and independent security experts conduct penetration tests at least annually to probe our defenses; critical findings are remediated promptly as part of our commitment to continuous improvement. Glass Pay also follows secure development practices: our engineering team applies OWASP guidance for web security to prevent SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and other common vulnerabilities. Code changes undergo peer review and automated testing, including security testing, before deployment.
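To make the SQL injection class mentioned above concrete, here is an added example (not Glass Pay's code) showing a lookup built by string formatting beside the parameterized form that OWASP guidance calls for. The schema, the sample rows and the function names are constructed for the illustration; an in-memory SQLite database stands in for the real store.

```python
"""SQL injection: string-built query beside the parameterized fix (added example, not Glass Pay code).

The lookup filters on account status so the injection's effect is visible:
a disabled account becomes reachable through the vulnerable path only.
"""
import sqlite3


def make_db():
    """Constructed sample data: one active user and one disabled administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, status TEXT)")
    conn.executemany("INSERT INTO users (username, status) VALUES (?, ?)",
                     [("alice", "active"), ("admin", "disabled")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement with string formatting: user input becomes SQL syntax."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND status = 'active' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Bound parameter: the driver sends the input as data, never as SQL."""
    sql = ("SELECT username FROM users WHERE username = ? "
           "AND status = 'active' ORDER BY username")
    return [row[0] for row in conn.execute(sql, (username,))]


# Closes the string literal and appends a condition that is true on its own;
# because AND binds tighter than OR, the status filter no longer applies to it.
PAYLOAD = "admin' OR username = 'admin"
```

With the payload, the vulnerable query becomes `WHERE username = 'admin' OR username = 'admin' AND status = 'active'`, which returns the disabled administrator; the parameterized query looks for a user literally named `admin' OR username = 'admin` and returns nothing. Escaping quotes by hand is not an alternative to binding: parameterization is the control, and the same rule applies to ORM query builders when raw fragments are passed to them.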

Operational Security: We maintain detailed security policies and conduct regular staff training on security and privacy. Employees are educated on the importance of data protection, phishing awareness, and proper handling of user data. We have an incident response plan in place to quickly address any security incidents. This includes defined procedures for containment, mitigation, user notification, and post-incident review. To date, Glass Pay has had no security breaches, and we remain vigilant and proactive to keep it that way. In the event of a data breach or security issue, we will inform affected users and authorities as required, and work swiftly to remediate the situation.

Compliance and Standards

Glass Pay is committed to meeting high industry standards for security and compliance. While Glass Pay itself is a newer platform and we are working towards our own certifications (such as a SOC 2 Type II audit), we ensure that our services are built on compliant foundations. We also align our internal controls with those required by major frameworks, meaning we operate to the spirit of SOC 2 even prior to formal certification. Below we outline key compliance measures and how our trusted partners contribute to our compliance profile:

  • SOC 2 and SOC 1 (System and Organization Controls): We strive to adhere to the Trust Services Criteria defined for SOC 2 (Security, Availability, Confidentiality, Processing Integrity, and Privacy). Glass Pay is preparing for a SOC 2 Type II audit. In the interim, we build on partners who are SOC 2 audited. Google Cloud Platform undergoes regular third-party audits and has SOC 1, SOC 2, and SOC 3 reports covering its infrastructure services. Stripe (one of our payment processors) has annual SOC 1 and SOC 2 Type II reports and provides a public SOC 3 summary report. Veem also conducts annual SOC 2 audits to attest to its security controls. Building on SOC-audited services means the infrastructure and payment layers of our system are covered by those controls. A partner's report covers only the services that partner operates, so the controls in our own application and internal processes will be covered by our own independent SOC 2 Type II audit, whose results we will share with clients once available.
  • PCI DSS (Payment Card Industry Data Security Standard): Glass Pay does not directly process or store full cardholder data on our systems; that responsibility is handed off to our certified payment processors. Stripe and Finix are both certified PCI DSS Level 1 Service Providers, meaning they meet the most stringent requirements in the payments industry for handling credit card data. Veem is also PCI DSS compliant for any card data it might handle. Whenever you or your payees enter card information via Glass Pay, the data is sent directly to a PCI-compliant environment (Stripe or Finix) for processing rather than to our servers. Because we do not store or see card numbers in plaintext, our own PCI obligations reduce to a self-assessment questionnaire (SAQ A where the payment form is fully hosted by the processor, or SAQ A-EP where our page controls how card data is captured). We still enforce strong security around every element of the system that touches payment flows and complete an annual PCI self-assessment to confirm ongoing compliance.
  • Privacy Regulations (GDPR, CCPA, etc.): We comply with applicable data protection laws and have implemented processes to support rights under regulations such as the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). For example, we can assist with data access or deletion requests, and we have data processing agreements (DPAs) in place with our service providers. Our privacy practices are described in detail in our Privacy Policy. We periodically review our data handling to ensure compliance with evolving privacy laws globally. For public sector clients, we are also attentive to regulations such as HIPAA (should healthcare data ever be involved; Glass Pay is not currently intended for personal health information) and FERPA (for any educational payments) as applicable. At this time, Glass Pay does not collect special categories of personal data beyond identification and financial information; if that changes, we will institute the necessary measures.
  • Federal and Public Sector Compliance: For our U.S. government clients and partners, we recognize requirements such as FedRAMP for cloud services and FISMA for federal data security. Glass Pay as a platform is not yet individually FedRAMP authorized, but our infrastructure provider (Google Cloud) maintains FedRAMP Moderate authorization for its cloud services, so our underlying hosting environment meets those government standards. That authorization covers the hosting layer only; the controls within our own application are outside its scope, which is why we implement many FedRAMP/NIST SP 800-53 controls in our own policies (access control, incident response, continuous monitoring, etc.). We are open to working with government security assessors to provide information about our controls, and we can support security addendums or agreements that address specific public sector requirements. Additionally, we comply with U.S. Treasury sanctions (OFAC) and perform watchlist screening via our payment partners so that we do not facilitate prohibited transactions.
  • Audit and Reporting: We maintain detailed logs and records of system activity, administrative access, and financial transactions. These records support our internal audits and can be made available (with proper authorization) for external audits or examinations as needed. If you are an enterprise or public sector client that requires audit rights (to verify our security controls, for example), we can accommodate those requests contractually and coordinate in a secure manner. Our goal is transparency: we can provide copies of certifications or third-party audit attestations from our key partners upon request.
  • Brex and Bank Partner Compliance: Glass Pay's use of Brex's services and Bank of America means we align with banking standards as well. Brex works with FDIC-insured partner banks and complies with the banking regulations that apply to the services it provides (such as treasury or cash management). Brex maintains strong security on its platform and is understood to have undergone audits relevant to fintech and financial institutions (Brex is known to follow SOC 2 and other industry standards, and complies with FINRA/SEC rules for its securities-related offerings). Bank of America, a regulated bank, is subject to rigorous federal oversight, cybersecurity examinations, and compliance requirements such as the Gramm-Leach-Bliley Act (GLBA) for financial data privacy. When Glass Pay holds customer funds in an FBO (For Benefit Of) account at a bank or processes payments via a bank API, those processes run within the bank's secure environment and regulatory scope, so funds are handled with banking-grade security and sensitive data such as account numbers are protected by the bank's systems as well. Funds held in U.S. bank accounts are FDIC insured up to applicable limits. FDIC insurance protects against the failure of the insured bank, not against fraud or the failure of a non-bank intermediary, and coverage of individual users' balances in an FBO account depends on the account records identifying each user's share.

Ongoing Commitment

Even if Glass Pay is not yet formally certified in some areas (like SOC 2 Type II), we treat our security and compliance program as if we were. We are continuously improving our processes, investing in new security tools, and preparing documentation for future audits. Our roadmap includes achieving independent certifications and attestations as we scale, to provide additional assurance to our customers.

User Responsibility: Security is a shared responsibility. We encourage our users to also follow best practices: keep your account credentials confidential, enable two-factor authentication, and regularly review your account for any unauthorized activity. We provide guidance and support for security features, and our support team is available to answer questions about securing your Glass Pay usage.

Incident Reporting: If you discover a security vulnerability or have a security concern, please report it to [email protected] with details. We handle reports through a responsible disclosure process (and may offer a bug bounty program), we appreciate help from the security community, and we treat every report seriously.

Glass Pay is dedicated to safeguarding your data and maintaining a secure, compliant platform for all your payment needs. We leverage top-tier partners with proven security track records and adhere to industry standards to provide a service you can trust. As we grow, we will continue to uphold and exceed these standards, so you can have peace of mind when using Glass Pay.