Security practices

This page summarizes how Gleap protects customer data. The contractually binding version of these commitments is the technical and organizational measures annex (Annex 6.1) of our Data Processing Addendum. Gleap is SOC 2 Type II audited — request the current report via privacy@gleap.io.

Infrastructure & hosting

  • Gleap’s primary infrastructure runs in the European Union (Frankfurt) on DigitalOcean, our main cloud provider, with additional workloads on Microsoft Azure (Frankfurt, Germany) and AWS (EU, Luxembourg).
  • US data residency is available on the Enterprise plan.
  • Cloudflare provides DNS and content delivery (CDN) in front of our infrastructure, and hosts object storage (Cloudflare R2) for files uploaded through the Gleap widget and dashboard — such as screenshots and attachments, which may contain personal data. Cloudflare is a sub-processor; see our sub-processors page.
  • Current availability and incident updates are published on our status page.

Encryption & data protection

Per our DPA’s technical and organizational measures (Art. 32 GDPR):

  • Encryption and pseudonymization of personal data.
  • Data is encrypted in transit (TLS) between your users, our SDKs, and our infrastructure.
  • Separation control: data collected for different purposes is processed separately; customer workspaces are logically isolated.

Access & organizational controls

  • Access controls on data processing systems: no unauthorized access, no unauthorized system use, and no unauthorized reading, copying, modification, or removal within the system.
  • Transfer and input controls: no unauthorized access during electronic transmission, and traceability of whether and by whom personal data was entered, modified, or removed.
  • All personnel are bound to confidentiality; data protection responsibilities are anchored with Gleap’s data protection officer (Lukas Böhler, privacy@gleap.io).
  • A data protection management system provides regular review, assessment, and evaluation of the effectiveness of these measures, alongside privacy-friendly default settings.

Availability, resilience & recoverability

  • Availability control: protection against accidental or deliberate destruction or loss.
  • Resilience: systems are designed to tolerate and compensate for disruptions.
  • Recoverability: procedures ensure personal data and access to it can be restored.

Incident response & breach notification

  • Gleap operates an incident response management process for preparing, identifying, and reporting security incidents.
  • Personal data breaches are reported to affected customers immediately upon becoming aware (per our DPA, §9), with a description of the breach, affected data categories, a point of contact, and the measures taken — so customers can meet their own regulatory notification deadlines (GDPR, DORA, and similar regimes).
  • Breach reporting contact: privacy@gleap.io. Service incidents are additionally published on the status page.

Product privacy controls

Gleap’s SDKs are built so you can minimize the data that reaches us in the first place:

  • Session replay masking: all inputs are masked by default (maskAllInputs), passwords are always masked, and any element can be excluded with the rr-mask class. See suppressing personal data in our docs.
  • Content Security Policy guidance for embedding the widget is documented here.
  • AI features are optional and can be fully disabled; the AI providers involved are listed on the sub-processors page.

Reporting a vulnerability

If you believe you’ve found a security vulnerability in Gleap, email privacy@gleap.io. Reports go directly to the team responsible for security at Gleap, and we’ll respond as quickly as possible.