Voluntary Security Practices
Last updated: March 23, 2026
1. Introduction
Glimm voluntarily aligns with internationally recognised security and data protection standards. We hold no formal certifications (no ISO 27001 certificate, no SOC 2 audit, no comparable third-party assessments). The measures outlined below describe what we have actually implemented.
Security researchers and individuals wishing to report vulnerabilities can find our contact details at /.well-known/security.txt (RFC 9116).
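As an added illustration of the RFC 9116 format referenced above (this is not Glimm's actual file; the contact address and path are taken from this page, while the domain, expiry date and language list are assumptions), a minimal valid security.txt looks like this:

```text
# Example security.txt (constructed for illustration, not Glimm's published file)
# Served at https://<domain>/.well-known/security.txt with Content-Type text/plain
# Mandatory: at least one Contact and exactly one Expires field
Contact: mailto:security@glimm.app
# Expires is required by RFC 9116 and should lie less than a year in the future;
# the date below is a placeholder, not a real expiry
Expires: 2027-01-01T00:00:00.000Z
# Optional fields follow; the domain in Canonical is assumed from the email domain
Canonical: https://glimm.app/.well-known/security.txt
Preferred-Languages: de, en
```

Two points a reviewer checks when validating such a file: the Expires value must be an ISO 8601 timestamp with a timezone, and the file must be reachable over HTTPS at the well-known path rather than only at the site root; a stale Expires date signals to researchers that the contact details may no longer be monitored.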
2. DSGVO (GDPR) Compliance
As a company based in Austria, we are subject to the Datenschutz-Grundverordnung (DSGVO / GDPR). The following measures are implemented:
- Art. 5 (Principles) — Data minimisation, encryption of all personal data, documented purpose limitation, automatic purging of expired data.
- Art. 6 (Legal Bases) — Every processing activity has a documented legal basis: performance of contract, consent, or legitimate interest.
- Art. 7 (Consent) — Terms of Service versioning with mandatory re-consent upon changes.
- Art. 13/14 (Information Obligations) — Full disclosure of all data processors in the Privacy Policy.
- Art. 15–22 (Data Subject Rights) — Access, rectification, erasure, restriction, data portability (JSON export), objection.
- Art. 25 (Privacy by Design) — Encryption from day one, pseudonymised email storage, minimal data retention.
- Art. 28 (Data Processing) — Data Processing Agreements (AVV/DPA) in place with all processors.
- Art. 30 (Records of Processing) — Internal records of processing activities maintained. Automated tax reports for EU OSS filings.
- Art. 32 (Security) — Encryption of all personal data, secure password hashing, HTTPS/TLS, security headers, access restrictions, audit logging.
- Art. 33/34 (Breach Notification) — Documented procedures for detection and notification of data breaches within the statutory 72-hour period.
- Art. 35 (Impact Assessment) — Internal risk assessment conducted for the processing of therapeutic content.
3. German & Austrian Law
BGB — Bürgerliches Gesetzbuch (German Civil Code)
- §312k BGB (Cancellation Button) — Cancellation option directly in the settings, maximum 2 clicks. Confirmation by email.
- §355 BGB (Right of Withdrawal) — 14-day withdrawal period documented and implemented.
TMG / DDG — Imprint Obligation
- Complete imprint available at /impressum. Physical address included in all transactional emails.
TTDSG — Cookies
- Strictly necessary session cookies only. No tracking or analytics cookies.
PAngV — Preisangabenverordnung (Price Indication Regulation)
- All prices displayed inclusive of VAT. Total price clearly visible before purchase completion.
ODR Regulation
- Link to EU dispute resolution platform: ec.europa.eu/consumers/odr
EU-OSS (One-Stop-Shop)
- Automated VAT collection per EU country. Monthly and quarterly reports for the recapitulative statement.
4. Regulatory Classification
Glimm is a pure documentation tool. It does not perform any content analysis, algorithmic assessment, crisis detection, or diagnostic evaluation of user content. This results in the following regulatory classification:
- Not a medical device (EU MDR 2017/745) — Glimm does not make clinical decisions, support diagnoses, or provide therapeutic recommendations. It therefore does not fall under the EU Medical Device Regulation.
- Not a DiGA (SGB V § 33a) — Glimm does not analyse health data and does not demonstrate a proven healthcare effect. BfArM listing is not required.
- Not practising Heilkunde (HeilprG § 1) — Glimm does not assess mental health status or initiate therapeutic measures. It does not constitute the practice of healing arts under the German Heilpraktikergesetz.
- Not practising psychotherapy (AT PthG § 1, Psychologengesetz 2013) — Crisis intervention, clinical-psychological diagnostics, and treatment are the exclusive responsibility of the supervising professional. Glimm does not intervene in the therapeutic process.
- No processing of special category data for analytical purposes (GDPR Art. 9) — User content is stored encrypted and is neither read, classified, nor algorithmically processed. There is no profiling within the meaning of Art. 22 GDPR.
All clinical responsibility — including identification of crisis situations, duty of care, crisis intervention, and referral to emergency services — remains with the registered professional in accordance with applicable professional regulations (in particular Austrian PthG, German PsychThG, HeilprG).
5. Security Standards (Voluntary Alignment)
Glimm voluntarily aligns with the principles of ISO 27001 and the SOC 2 Trust Service Criteria. No formal certifications or external audits have been conducted.
Our security measures include:
- Encryption: All personal data is encrypted at rest using AES-256. Data in transit is protected by TLS.
- Access Control: Role-based access control with strict data ownership validation. Multi-factor authentication for administrative access.
- Secure Authentication: Passwords are stored using industry-standard adaptive hashing algorithms. Cryptographically secure CSRF tokens protect all state-changing endpoints.
- Monitoring: Comprehensive audit logging of security-relevant events. Automated detection and filtering of suspicious access.
- Secure Development: Parameterised database queries, server-side input validation, context-aware output encoding, comprehensive security headers.
- File Uploads: Type and size validation, secure file names, directory isolation.
- Bot Protection: Automated detection and filtering of bot access on sensitive forms.
Detailed security information is available upon request under NDA.
6. Infrastructure & Data Processors
| Service | Provider | Purpose | Location |
|---|---|---|---|
| Hosting | Hostinger | Web Server, Database | EU |
| CDN & Security | Cloudflare | CDN, WAF, DDoS, Turnstile | USA (DPF) |
| File Storage | Cloudflare R2 | Media Storage (Photos, Voice Messages) | EU |
| Payments | Stripe | Payment Processing (PCI DSS L1) | USA (DPF) |
| Email | AWS SES | Transactional Emails | EU (Stockholm) |
| OAuth | | Optional Login | USA (DPF) |
DPF = EU-US Data Privacy Framework certified
No Tracking: Glimm does not use any analytics or tracking cookies. No data is transmitted to Google Analytics, Facebook, or comparable services.
7. Data Storage & Retention
| Data Type | Retention | Legal Basis |
|---|---|---|
| Audit Logs | 180 Days | Art. 6(1)(f) Legitimate Interest |
| Deleted Accounts | 30-Day Grace Period | Art. 6(1)(b) Performance of Contract |
| Invoices | 7 Years (statutory) | Art. 6(1)(c) §132 BAO / §147 AO |
| Tax Reports | 7 Years (statutory) | Art. 6(1)(c) §132 BAO / §147 AO |
8. Incident Response
In the event of a security breach or data protection incident, documented procedures are in place for detection, containment, notification, and remediation, in accordance with Art. 33 DSGVO (GDPR), which sets a 72-hour notification period.
Security Incident Contact
- Email: security@glimm.app
- Privacy: privacy@glimm.app
- Vulnerability Disclosure: /.well-known/security.txt
9. Contact
For questions regarding security, privacy, or compliance:
Eliana dos Santos Pereira
Email: privacy@glimm.app
Security: security@glimm.app
Transparency Notice: This page describes exclusively measures that have actually been implemented. Glimm holds no formal certifications (ISO 27001, SOC 2, or similar). The alignment with these standards is voluntary and has not been verified by external audits. Detailed security documentation is available upon request under NDA.