SFTP Document Storage: Security Overview

Last updated: March 11, 2026

Overview

Glide delivers documents from account opening and loan application workflows directly to your institution's SFTP server. This article explains the security controls built into that delivery pipeline and answers common questions about how your data is protected in transit and at rest.

SFTP (SSH File Transfer Protocol) is a cryptographically authenticated and encrypted protocol by design. Glide's standard configuration adds network-layer controls on top of that foundation to create a layered security posture consistent with FFIEC and NCUA guidance for regulated financial institutions.

Standard Security Controls

Every Glide SFTP integration includes the following controls by default. No additional configuration is required to enable them.

1.  Source-IP Allowlisting

Glide's firewall restricts all inbound SFTP connections to Glide's static outbound IP addresses. This means your SFTP server will only accept connection attempts originating from Glide's known infrastructure, materially reducing exposure to unsolicited or unauthorized access attempts.

2.  SSH-Encrypted Transport

The entire SFTP session, including authentication credentials and file contents, is encrypted end-to-end using SSH. No data is transmitted in cleartext over the network at any point.

3.  SSH Key-Based Authentication

Glide supports and recommends SSH key-based authentication, which is more secure than password-based access. If password authentication is used instead, it remains fully protected within the encrypted SSH session.

4.  Scoped User Permissions

The SFTP user Glide connects with is restricted to the designated delivery directory only. Access is limited in scope so that no other parts of your server are reachable through this connection.

5.  Monitoring and Logging

Glide monitors and logs all file delivery activity on its side of the connection. This provides an audit trail for troubleshooting and compliance purposes.
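On the receiving side, controls 3 and 4 can be confirmed by auditing the effective settings the SSH server applies to the delivery account. The script below is an added example, not Glide's code; it assumes an OpenSSH server whose `sshd -T -C user=<account>,addr=<source-ip>` output is fed in as text, and the sample outputs and directory path are constructed.

```python
"""Audit the effective sshd settings for an SFTP delivery account (added example)."""

# Constructed samples of `sshd -T -C user=<account>,addr=<source-ip>` output,
# which prints one lowercase "keyword value" pair per line with Match blocks
# already resolved. The directory path is a placeholder.
SAMPLE_WEAK = """\
pubkeyauthentication yes
passwordauthentication yes
chrootdirectory none
forcecommand none
allowtcpforwarding yes
"""
SAMPLE_HARDENED = """\
pubkeyauthentication yes
passwordauthentication no
chrootdirectory /srv/sftp/delivery
forcecommand internal-sftp
allowtcpforwarding no
"""

# (keyword, test on its value, finding reported when the test fails)
CHECKS = [
    ("pubkeyauthentication", lambda v: v == "yes",
     "SSH key authentication is not enabled"),
    ("passwordauthentication", lambda v: v == "no",
     "password logins are accepted alongside keys"),
    ("chrootdirectory", lambda v: v not in ("", "none"),
     "account is not confined to a delivery directory"),
    ("forcecommand", lambda v: v.split()[:1] == ["internal-sftp"],
     "account is not limited to the built-in SFTP server"),
    ("allowtcpforwarding", lambda v: v == "no",
     "account can open TCP forwards through the server"),
]

def parse_effective(text):
    """Return {keyword: value}; the first occurrence of a keyword wins."""
    settings = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit(text):
    """Return [(keyword, finding)] for each check the account fails."""
    settings = parse_effective(text)
    return [(key, msg) for key, ok, msg in CHECKS
            if not ok(settings.get(key, ""))]

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(sample) or "no findings")
```

A keyword missing from the input is reported as a finding, so truncated output does not pass silently. The password check reflects the key-based recommendation above; an institution that uses password authentication would drop that entry.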

Optional: PGP File-Level Encryption

For institutions that want an additional layer of protection beyond the standard configuration, Glide offers optional PGP encryption.

When PGP is enabled, every document is encrypted with your institution's public key before it leaves Glide's systems. Files arrive on your SFTP server already encrypted at rest. Even a party with direct access to the SFTP server cannot read the files without your private key.

PGP encryption is not required. The standard configuration described above already provides strong protection for this workflow. However, if your institution's risk posture or compliance requirements call for file-level encryption at rest, Glide can enable this at your request. Contact your Glide implementation contact to discuss setup.

Read more: https://help.meetglide.com/articles/2861813870-pgp-sftp-encryption-configuration

Controls at a Glance

The table below summarizes the available security controls and their default status.

| Security Control | Included by Default | Optional Add-On |
|---|---|---|
| Source-IP allowlisting at firewall | Yes | |
| SSH-encrypted transport (end-to-end) | Yes | |
| SSH key-based authentication | Yes | |
| Scoped SFTP user permissions | Yes | |
| Monitoring and logging | Yes | |
| PGP file-level encryption at rest | | Yes |

Common Security Questions

Can an attacker spoof Glide's IP address to gain access?

IP spoofing is not a realistic attack vector for an SFTP session. Establishing an SSH connection requires completing a full TCP handshake and then negotiating an SSH key exchange, both of which require receiving return traffic from the server. An attacker cannot do this while spoofing a source IP. IP allowlisting is an additional network-layer control that sits on top of SSH's cryptographic authentication, not a substitute for it.

Is the SFTP port publicly accessible?

The SFTP port is restricted at the firewall to Glide's static outbound IPs. While the port must be reachable from Glide's infrastructure for delivery to work, the IP restriction ensures that connection attempts from any other source are blocked. This is a meaningful reduction in attack surface, even though it is not the same as full network isolation.

Are credentials or file contents ever sent in cleartext?

No. SFTP/SSH encrypts the entire session from the moment the connection is established, including the authentication handshake. Neither credentials nor file contents are transmitted in cleartext over the network at any point.

Does Glide support VPN tunnels for SFTP delivery?

Glide's document delivery pipeline is a separately operated service from core banking integrations (such as TrustGrid VPN connections). It has its own scheduling and monitoring infrastructure and is built to connect directly to FI-hosted SFTP endpoints. Glide does not currently support routing this service through customer VPN tunnels, as the two systems are architecturally distinct. The standard SFTP configuration provides a secure, risk-based control posture without a VPN.

Is this configuration compliant with FFIEC and NCUA requirements?

The controls Glide applies, including source-IP allowlisting, SSH-encrypted transport, strong authentication, scoped access, and optional file-level encryption, are consistent with a risk-based, layered-security approach commonly used in regulated environments operating under FFIEC and NCUA guidance. Your institution should assess these controls against your own compliance and risk management requirements.