Security and Privacy
Last updated: April 15, 2026
This page describes exactly what the Glassmkr agent collects, what it does not collect, and where the data goes. If you are evaluating Glassmkr for production use, this is the page to read.
For the operational details (how passwords are hashed, how API keys are stored, how backups are encrypted, what the audit log records, and what we don't have in place yet), see the Security posture page in the Dashboard docs.
1. What Glassmkr Collects
CPU. Per-core and aggregate utilization (user, system, iowait, idle), load averages, steal time.
Memory. Total, used, and available RAM. Swap usage if configured. No per-process breakdown.
Disks. Mount points, filesystem types, space and inode usage percentages. No file names, no file contents, no directory listings.
SMART. Drive health status, model, temperature, power-on hours, reallocated and pending sector counts, NVMe wear level. Read via smartctl against each physical drive.
Network. Interface names, negotiated speeds, byte and packet counters, error and drop counters. Bond membership and slave link state. No packet content, no flow data, no deep packet inspection.
RAID. mdadm array status, failed or degraded member list.
IPMI. Sensor readings (temperature, fan speed, voltage, power), ECC error counts, recent SEL entries. Read via ipmitool against the BMC.
Security posture. The sshd_config values for PermitRootLogin and PasswordAuthentication. The firewall active/inactive state (ufw, firewalld, nftables). The count of pending security updates. Kernel vulnerability mitigation status from /sys/devices/system/cpu/vulnerabilities/. The /var/run/reboot-required flag. The unattended-upgrades service state.
ZFS. Pool health state, scrub status, scrub error count. No dataset contents.
I/O. Disk I/O error counts grep'd from dmesg. Per-device I/O latency and IOPS from /proc/diskstats deltas.
Conntrack. Connection tracking table count and maximum. Not the contents of the table.
Systemd. The list of failed unit names. Not their logs or exit codes.
NTP. Whether the kernel clock is synchronized, which daemon is running, clock offset in seconds.
File descriptors. System-wide allocated and maximum file descriptor counts from /proc/sys/fs/file-nr.
OS metadata. Hostname, OS name and version, kernel version, uptime, CPU core count.
2. What Glassmkr Does NOT Collect
This matters more than the list above. None of the following are collected, transmitted, or stored:
No file contents, no directory listings, no user-level data.
No process command lines, no environment variables, no memory dumps.
No network traffic content, no packet payloads, no flow logs, no DNS queries.
No passwords, API keys, tokens, or any credentials from your system.
No container contents, no container logs, no application-level data.
No browser history, user activity, or session data.
No telemetry about the agent's own usage. It does not phone home to report version, uptime, or any analytics separate from the snapshot pushed to your Glassmkr account.
3. Data Transmission
All data is sent over HTTPS with TLS 1.2 or higher to Glassmkr's servers. Authentication uses a collector key with the gmk_cru_live_ prefix, generated when you register a server in your Glassmkr account.
Snapshots are sent at the configured collection interval, default 5 minutes. The agent initiates all connections outbound. It does not open any inbound ports.
No data is sent to any third party. Glassmkr does not sell, share, or monetize customer data.
4. Data Storage
Server metadata (account, server name, API key hash) is stored in PostgreSQL on EU-based infrastructure.
Time-series snapshots are stored in ClickHouse on EU-based infrastructure. Retention is 7 days on the Free plan and 90 days on Pro. After the retention period, data is permanently deleted.
AI health analysis is processed by a self-hosted Gemma 4 model on Glassmkr's own NVIDIA L4 GPU. Your server data is never sent to OpenAI, Anthropic, Google, or any external AI provider.
Account deletion removes all associated server data within 30 days.
5. Infrastructure
All Glassmkr infrastructure runs on dedicated servers in EU data centers. No public cloud provider services (AWS, GCP, Azure) are used for data processing or storage.
AI inference runs on a self-hosted GPU. Internal communication between Glassmkr's dashboard and the AI server uses a WireGuard VPN.
6. AI Processing and Trend Analysis
Glassmkr processes your server's historical metrics to detect degradation trends that precede hardware failures. This processing is entirely automatic, runs on Glassmkr's infrastructure, and uses no external AI providers.
Deterministic trend detection (thresholds, first-differences, correlation rules) runs on Glassmkr's dashboard backend in the EU. Standard database queries and arithmetic, no ML.
Drive failure ranking model: a small LightGBM classifier trained offline on Backblaze's public drive failure dataset. Runs on Glassmkr's backend via ONNX Runtime. It never sees your data during training, only evaluates your per-drive metrics at runtime to adjust warning confidence. It is retrained quarterly on Backblaze's updated public dataset only.
AI narration of warnings: Gemma 4 (Google's open-weights model) runs on a Glassmkr-owned NVIDIA L4 GPU in our Amsterdam location. Your metric data is sent to this GPU only to generate plain-English descriptions of warnings that the deterministic system has already identified. The model does not decide whether to warn; it only describes warnings the deterministic system has triggered.
What we don't send externally:
- No monitoring data is sent to OpenAI, Anthropic, Google, AWS, or any third-party AI service.
- No monitoring data leaves EU infrastructure for AI processing.
- The drive failure model is not trained on your data.
Data retention for trend warnings: Warning records (the fact that a warning fired, its evidence, and your feedback) are retained for the life of your subscription and deleted within 30 days of cancellation. Free-tier accounts receive only disk-space trend warnings (which work on 7-day retention); full trend warnings require the 90-day Pro retention.
7. Open Source Verification
Glassmkr's agent (published as @glassmkr/crucible on npm) is MIT-licensed and publicly auditable at github.com/glassmkr/crucible. Every npm release is published with provenance attestation via npm Trusted Publishing, which cryptographically links the published tarball to the exact GitHub commit and workflow that built it.
The agent collects exactly what the source code shows. There is no hidden data collection.
8. Your Rights
EU data subjects can request data export or deletion at any time via [email protected]. This is a GDPR right and we process such requests within 30 days.
You can inspect every byte the agent sends by running it with verbose logging. The JSON snapshot payload is logged before transmission.
You can disable specific collection modules in /etc/glassmkr/collector.yaml.
You can self-host your own monitoring backend using only the open-source agent. The ingest API is documented at app.glassmkr.com/docs/api (login required).
Reporting Vulnerabilities
If you discover a security vulnerability in any Glassmkr component, please report it responsibly:
Email: [email protected]
We will acknowledge receipt within 48 hours and provide a timeline for resolution. We do not currently run a bug bounty program.
Verifying Agent Downloads
Agent releases are signed with the Glassmkr GPG key. Verify downloads to ensure they have not been tampered with.
Import the signing key (one-time):
curl -sL https://glassmkr.com/security/glassmkr-release-signing-key.asc | gpg --import
Verify a release:
# Download release files
wget https://github.com/glassmkr/crucible/releases/download/v0.6.5/SHA256SUMS
wget https://github.com/glassmkr/crucible/releases/download/v0.6.5/SHA256SUMS.asc
# Verify signature (proves checksums came from Glassmkr)
gpg --verify SHA256SUMS.asc SHA256SUMS
# Verify file integrity
sha256sum -c SHA256SUMS
npm Package Integrity
npm packages (@glassmkr/crucible, @glassmkr/bench-*) are published with provenance attestation via npm Trusted Publishing. Every version can be verified back to the exact GitHub commit and workflow run.
GPG Key Fingerprint
D3B8 E544 E88C 8547 2C0E 9D12 3AB4 BFA5 9CF9 6E82
Key: Glassmkr Security <[email protected]>
Type: RSA 4096-bit, expires 2028-04-10
Public key: /security/glassmkr-release-signing-key.asc
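gpg --verify succeeds for a good signature from any key in the local keyring, so the verification steps above are stronger when the signer is checked against the published fingerprint. The script below is an added example, not Glassmkr's own code; its function and variable names are hypothetical. It assumes the fingerprint listed above is the primary key's and that sha256sum is the GNU coreutils version.

```shell
#!/bin/sh
# Added example (not Glassmkr's code): accept SHA256SUMS only if the signature
# was made by the key whose fingerprint is published on this page.
# Assumption: the published fingerprint is the primary key fingerprint.
PINNED_FPR="D3B8 E544 E88C 8547 2C0E 9D12 3AB4 BFA5 9CF9 6E82"

# Strip whitespace and uppercase so spaced and unspaced forms compare equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line names
# the wanted key (field 3 = signing key, last field = primary key) and gpg
# reported no bad, unverifiable, expired-key or revoked-key signature.
status_signed_by() {
  awk -v want="$(normalize_fpr "$1")" '
    $1 != "[GNUPG:]" { next }
    $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
    $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    END { exit ((ok && !bad) ? 0 : 1) }
  '
}

# $1 = SHA256SUMS.asc, $2 = SHA256SUMS, as downloaded in the steps above.
# --ignore-missing skips release files that were not downloaded.
verify_release() {
  gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
    status_signed_by "$PINNED_FPR" &&
    sha256sum -c --ignore-missing "$2"
}

# Constructed status output for the pinned key (timestamps are made up).
SAMPLE_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3AB4BFA59CF96E82 Glassmkr Security
[GNUPG:] VALIDSIG D3B8E544E88C85472C0E9D123AB4BFA59CF96E82 2026-04-15 1776211200 0 4 0 1 10 00 D3B8E544E88C85472C0E9D123AB4BFA59CF96E82'
# Constructed: a good signature, but from an unrelated key in the keyring.
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Someone Else
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2026-04-15 1776211200 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# Run as: sh verify.sh SHA256SUMS.asc SHA256SUMS
if [ "$#" -eq 2 ]; then verify_release "$1" "$2"; fi
```

Run it from the directory that holds the downloaded release files, since sha256sum resolves the names in SHA256SUMS relative to the current directory.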