Security

Controls built for review.

A rundown of the controls GlacialBooks runs today and the operating practices behind them, in plain words and exact policy language.

Current controls

Practical safeguards for identity, tenant data, infrastructure, and audit history.

Encryption

Application traffic uses TLS 1.2 or later, customer data is encrypted at rest in Azure managed services, and production secrets are stored in Azure Key Vault.

Identity and access

Role-based access controls, MFA, signed session validation, 90-day access reviews, and managed identity patterns keep production access narrow and auditable.

Cloud operations

GlacialBooks runs on Microsoft Azure with environment isolation, production database backups retained for 35 days, production telemetry retained for 90 days, and controlled deployment pipelines.

Tenant isolation

Organization data is scoped by tenant across the application, with server-side checks designed to prevent cross-organization access.

Audit trail

Every important action is logged. Journal entries cannot be edited after posting, so corrections are handled through reversals instead.

Security reviews

Dependency scanning, static security checks, code review, deployment validation, and incident response deadlines are part of the operating model.

Responsible Disclosure

We take security reports seriously and welcome responsible disclosure from researchers. If you discover a vulnerability, report it to [email protected]. We acknowledge security reports within 2 business days and share a remediation path once triage is complete.

We ask that you avoid public disclosure until we have investigated and addressed the issue. Critical exploitable production issues are contained within 24 hours and high severity issues are remediated within 7 calendar days. We do not pursue legal action against researchers acting in good faith.