Security & Compliance

Our users trust us to keep their data safe and secure, a responsibility we take seriously. If you have any questions or concerns about this, please contact us at security@glede.app.

Vulnerability Disclosure

If you would like to report a vulnerability or security concern regarding any Glede.app product, please contact support@glede.app. We will verify the report and take corrective action as soon as possible.

Compliance

General Data Protection Regulation (GDPR)

Glede.app handles its customers' personal data in accordance with the GDPR, as outlined in our terms of service, privacy policy, and throughout this document. We follow industry best practices for security and privacy, and we have vetted every third-party processor we employ for GDPR compliance as well.

PCI DSS

EML Money DAC, authorised by the Central Bank of Ireland under the European Union (Payment Services) Regulations 2018 (Ref C95957), handles everything related to the creation and operation of payment cards for users receiving gifts. EML's technology is held to the highest industry security standards, including PCI DSS Level 1 and SOC 1 / SSAE 18.

All credit card payments for sending gifts are handled by our payment processor, Stripe. Stripe has been audited by an independent PCI Qualified Security Assessor and certified as a PCI DSS Level 1 Service Provider, the most stringent certification available in the payments industry.

Infrastructure

Google Cloud Platform (GCP) and Firebase host the Glede platform. GCP undergoes regular independent audits against a range of standards, including ISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3, CSA STAR, HIPAA, and PCI DSS. All Firebase services have completed the ISO 27001, SOC 1, SOC 2 and SOC 3 evaluation process. We use Cloud Firestore, Cloud Functions, Cloud Storage and Firebase Authentication, which have also completed ISO 27017 and ISO 27018 certification.

Data Security and Privacy

Encryption

All traffic to and between our GCP and Firebase services is encrypted in transit using TLS (HTTPS), and all stored data is encrypted at rest.

Access Control

Employees access central resources using two-factor authentication, and each employee has access only to the systems required for their role.

Geographic Location

Customer data stored in Cloud Storage and Cloud Firestore is kept within the EU. All of our Cloud Functions run in Europe, except the functions that authorise and send notifications for payment card transactions through EML. Firebase Authentication processes data in the United States. For these transfers, GCP and Firebase rely on Standard Contractual Clauses (SCCs), which, per the court ruling, remain a valid legal mechanism for transferring personal data under the GDPR. Google Cloud's approach to the new EU SCCs is described in its documentation.