Glean
Enterprise-Ready
This vendor is rated Enterprise-Ready with a score of 93 out of 100. Key evidence includes confirmed SOC 2 and ISO 27001 certifications available via the vendor's trust portal. A recent change involves the addition of Fireworks.ai, Inc. as a new sub-processor, meaning a new third party may now process your data. Buyers should check this against their Data Processing Agreement's approved sub-processor list and their notification rights.
Readiness Breakdown deterministic · evidence-only
- Independent Certification SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, SOC2 TYPE2). Audit report available under NDA — standard enterprise practice.
- Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
- Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
- Data Processing Agreement A Data Processing Agreement is published and tracked.
- Breach History No known breaches in Have I Been Pwned.
- Vulnerability Exposure No product identity match in vulnerability databases — not assessed.
- Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
- Vulnerability Disclosure Policy Publishes a security.txt disclosure policy (RFC 9116).
- Web TLS Certificate Valid TLS certificate in place.
- Legal Transparency 10 legal/policy documents publicly tracked.
Ask This in Your Security Review 1 open items
- Vulnerability ExposureRequest the remediation timeline / patch status for known CVEs (and any KEV-listed items).
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| BAA Available (HIPAA) | Stated by vendor | https://trust.glean.com/ |
| GDPR | Stated by vendor | https://www.glean.com/privacy |
| HIPAA | Stated by vendor | https://trust.glean.com/ |
| ISO 27001 | Stated by vendor | https://trust.glean.com/ |
| SOC 2 | Stated by vendor | https://www.glean.com/security |
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| Data Retention key clause |
as long as necessary to fulfill legitimate business purposes or as required by legal/business obligations
“We retain Personal Information only as long as necessary to fulfill the legitimate business purposes for which it was collected, or as required to meet legal, accounting, reporting or other business obligations; resolve disputes; protect assets; and enforce agreements.”vendor's exact wording |
https://www.glean.com/privacy |
| Trains on Customer Data key clause | see per-tier citations |
Security Posture authoritative · cited
Certifications Available Under NDA / Trust Center attested · report gated
| Certification | Status | Trust Center |
|---|---|---|
| ISO 27001 | Available via Trust Center | https://trust.glean.com/ |
| SOC2 TYPE2 | Available via Trust Center | https://trust.glean.com/ |
Vendor-Claimed, Not Independently Verified treat as unconfirmed
| PEN TEST | Claimed — not independently verified | https://trust.glean.com |
Common compliance questions
Tracked Legal & Policy Documents
| Document | URL |
|---|---|
| Aup | https://www.glean.com/legal/aup |
| Baa | https://www.glean.com/legal/baa |
| Dpa | https://www.glean.com/legal/dpa |
| Privacy | https://glean.com/privacy |
| Security | https://www.glean.com/security |
| Sla | https://glean.com/legal/sla |
| Subprocessors | https://www.glean.com/legal/subprocessors |
| Tos | https://www.glean.com/terms |
| Trust | https://trust.glean.com/ |
| Vuln Mgmt | https://glean.com/.well-known/security.txt |
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Master Services Agreement (MSA) | Negotiated per contract | The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. Trust center → |
Continuous Monitoring change-tracking active
7 legal & policy documents under change-monitoring since 2026-06-11. 3 tracked changes detected since baseline.
| Detected | Change | Detail |
|---|---|---|
| 2026-07-01 | Sub-processor Change |
1 sub-processor(s) removed: Glean Search Technologies India Private Limited.
What this means: A new third party may now process your data — check it against your DPA's approved sub-processor list and your notification rights.
|
| 2026-06-27 | Sub-processor Change |
2 new sub-processor(s) added: Baseten Labs, Inc., Modal Labs, Inc..
What this means: A new third party may now process your data — check it against your DPA's approved sub-processor list and your notification rights.
|
| 2026-06-18 | Sub-processor Change |
1 new sub-processor(s) added: Fireworks.ai, Inc..
What this means: A new third party may now process your data — check it against your DPA's approved sub-processor list and your notification rights.
|
Search the Legal Documents verbatim · cited
Search Glean's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.
Every result is a verbatim clause pulled straight from the linked source document — nothing is paraphrased or generated.
Monitor Glean — get alerted when this changes
This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Glean changes something that affects your risk. Built for procurement & security teams.