Our users trust us to keep their data safe and secure, a responsibility we take seriously.
If you would like to report a vulnerability or security concern regarding any Glede.app product, please contact firstname.lastname@example.org. We will verify the report and take corrective action as soon as possible.
EML Money DAC, authorized by the Central Bank of Ireland under the European Union (Payment Services) Regulations 2018 (Ref C95957), handles everything related to the creation and operation of payment cards for users receiving gifts. EML has the highest industry standards of security of their technology including Tier 1 PCI-DSS level 1 and soc1/ssae-18.
All credit card and payment information for sending gifts is handled by our payment processor, Stripe. They have been audited by an independent PCI Qualified Security Assessor and certified as a PCI Service Provider level 1, the most stringent certification available in the payments industry.
Google Cloud Platform (GCP) and Firebase host the Glede platform. GCP undergoes regular independent audits for a range of standards including ISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3, CSA STAR, HIPAA, and PCI DSS. All Firebase services have successfully completed the ISO 27001, SOC 1, SOC 2 and SOC 3 evaluation process. We are using Cloud Firestore, Cloud Functions, Cloud Storage and Authentication, which have also completed the ISO 27017 and ISO 27018 certification process.
All of our GCP and Firebase services encrypt data in transit using HTTPS and data is also encrypted at rest.
All employees are required to sign confidentiality agreements, and are only given access to the systems they need for their role. Employees access central resources using two-factor authentication, and only have access to the systems required for their role.
Customer data stored in Cloud Storage and Cloud Firestore is stored within the EU. All of our cloud functions are running in Europe, except functions for authorizing and notifying payment card transactions through EML. Firebase Authentication is processing data in the United States. GCP and Firebase have moved to rely on Standard Contractual Clauses (SCCs) for data transfers, which, as per the ruling, can continue to be a valid legal mechanism to transfer data under the GDPR. Google Cloud’s approach to the new EU SCCs is described here.
We have vetted the security and compliance of all such processors, and all transfers are performed securely and in line with best practices. Processors outside of the EU all have signed data processing addendums with us for the processing of personal data. We never share any customer data, personal or otherwise, with third parties unless employed by us under contract as data processors. A list of our Authorized Sub-processors can be found here.
We want to ensure you that you can use our product with confidence, knowing that we are committed to keep your data safe and secure. So don’t worry, just be happy — and enjoy using our amazing product. If you have any questions, let us know.