Security & Compliance

Our users trust us to keep their data safe and secure, a responsibility we take seriously.

Handshake

Data Processing Agreement

Our data processing agreement (“DPA”) is incorporated in our Terms of Use.

Read our DPA

Vulnerability Disclosure

If you would like to report a vulnerability or security concern regarding any Glede.app product, please contact compliance@glede.app. We will verify the report and take corrective action as soon as possible.

Compliance

GDPR
Glede.app is GDPR-compliant, and we handle our customers' personal data with great care and respect, as outlined in our Terms of Use and Privacy Policy. We use industry best practices for security and privacy, and have vetted all third-party processors we employ for compliance as well.

PCI DSS
EML Money DAC, authorized by the Central Bank of Ireland under the European Union (Payment Services) Regulations 2018 (Ref C95957), handles everything related to the creation and operation of payment cards for users receiving gifts. EML's technology meets the highest industry security standards, including Tier 1 PCI DSS Level 1 and SOC 1 / SSAE 18.

All credit card and payment information for sending gifts is handled by our payment processor, Stripe. Stripe has been audited by an independent PCI Qualified Security Assessor and certified as a PCI Service Provider Level 1, the most stringent certification available in the payments industry.

Infrastructure
Google Cloud Platform (GCP) and Firebase host the Glede platform. GCP undergoes regular independent audits for a range of standards including ISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3, CSA STAR, HIPAA, and PCI DSS. All Firebase services have successfully completed the ISO 27001, SOC 1, SOC 2 and SOC 3 evaluation process. We use Cloud Firestore, Cloud Functions, Cloud Storage and Authentication, which have also completed the ISO 27017 and ISO 27018 certification process.

Security

Encryption
All of our GCP and Firebase services encrypt data in transit using HTTPS, and data is also encrypted at rest.

Access Control
All employees are required to sign confidentiality agreements and are only given access to the systems required for their role. Employees access central resources using two-factor authentication.

Geographic Location
Customer data stored in Cloud Storage and Cloud Firestore is stored within the EU. All of our cloud functions run in Europe, except the functions for authorizing and notifying payment card transactions through EML. Firebase Authentication processes data in the United States. GCP and Firebase have moved to rely on Standard Contractual Clauses (SCCs) for data transfers, which, as per the ruling, can continue to be a valid legal mechanism for transferring data under the GDPR. Google Cloud's approach to the new EU SCCs is described here.

Sub-processors
We have vetted the security and compliance of all of our sub-processors, and all transfers are performed securely and in line with best practices. Processors outside of the EU have all signed data processing addenda with us for the processing of personal data. We never share any customer data, personal or otherwise, with third parties unless they are employed by us under contract as data processors. A list of our Authorized Sub-processors can be found here.

Don’t worry, be happy

We want to assure you that you can use our product with confidence, knowing that we are committed to keeping your data safe and secure. So don’t worry, just be happy, and enjoy using our amazing product. If you have any questions, let us know.