Built in Europe. Designed for trust.
Sales data is sensitive. It contains customer conversations, deal economics, and strategic intent. We treat it accordingly — not as a liability to manage, but as a commitment we made when we started building.
Everything below reflects how Glass CRM works today, not a roadmap. If your security team has questions not answered here, contact us directly.
EU-hosted infrastructure
Glass CRM was built in the European Union and runs entirely on European servers. Your data never leaves the EU — not for processing, not for storage, not for AI inference.
- All infrastructure hosted in EU data centres
- No data transferred to US or third-country servers
- Enterprise-grade encryption in transit and at rest
GDPR & EU AI Act compliance
We designed for compliance from day one, not as an afterthought. Our data handling practices are aligned with GDPR and the EU AI Act — the two most rigorous data protection frameworks in the world.
- Full GDPR compliance — lawful basis, data minimisation, retention limits
- EU AI Act compliant — no high-risk AI classification applied to personal data
- Right to access, rectification, erasure, and portability honoured on request
Data isolation per workspace
Every customer workspace is fully isolated. Your methodology configuration, your CRM data, your Field Notes — none of it is shared across tenants or accessible to other customers.
- Strict multi-tenant isolation at the database level
- No cross-tenant data access under any circumstances
- Workspace data deleted on account closure upon request
Your data never trains AI models
This is a hard line. Your sales data, your methodology, your client conversations — none of it is used to train public AI models, fine-tune foundation models, or improve any system outside your workspace.
- AI processing uses enterprise API boundaries with no training data retention
- Your Playbook configuration is never shared or benchmarked externally
- Raw Field Notes and audio are processed and discarded — not stored long-term
Human approval before CRM writes
Glass CRM never writes to your Salesforce org without a human in the loop. Field Notes structures and classifies data first — the rep reviews, edits, and approves before anything is pushed.
- No automated CRM writes — every sync requires explicit rep approval
- Draft data visible only to the rep until committed
- Full audit trail of what was changed and when
Salesforce OAuth — read-only by default
The Salesforce connection uses OAuth 2.0. We read live CRM data to surface context — we do not store a copy of your Salesforce records, and write permissions are scoped only to what Field Notes needs.
- OAuth 2.0 — no passwords stored, tokens scoped and revocable
- CRM records read live, never cached or duplicated in our database
- Write scope limited to fields explicitly mapped in your Playbook
Questions from your security team?
We are happy to complete security questionnaires, provide additional documentation, or arrange a technical call with your IT or legal team. We would rather answer every question up front than have security be a reason a good deal stalls.