Security & Compliance
Our users trust us to keep their data safe and secure, a responsibility we take seriously. If you have any questions or concerns about this, please contact us at email@example.com.
If you would like to report a vulnerability or security concern regarding any Glede.app product, please contact firstname.lastname@example.org. We will verify the report and take corrective action as soon as possible.
General Data Protection Regulation (GDPR)
EML Money DAC, authorized by the Central Bank of Ireland under the European Union (Payment Services) Regulations 2018 (Ref C95957), handles everything related to the creation and operation of payment cards for users receiving gifts. EML applies the highest industry security standards to its technology, including Tier 1 PCI-DSS Level 1 and SOC 1/SSAE 18.
All credit card payments for sending gifts are handled by our payment processor, Stripe. Stripe has been audited by an independent PCI Qualified Security Assessor and certified as a PCI Service Provider Level 1, the most stringent certification available in the payments industry.
Google Cloud Platform (GCP) and Firebase host the Glede platform. GCP undergoes regular independent audits for a range of standards including ISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3, CSA STAR, HIPAA, and PCI DSS. All Firebase services have successfully completed the ISO 27001, SOC 1, SOC 2 and SOC 3 evaluation process. We are using Firestore, Functions, Storage and Authentication, which have also completed the ISO 27017 and ISO 27018 certification process.
Data Security and Privacy
All of our GCP and Firebase services encrypt data in transit using HTTPS, and data is also encrypted at rest.
Employees access central resources using two-factor authentication, and they have access only to the systems required for their role.
Customer data in Cloud Storage and Cloud Firestore is stored within the EU. All of our cloud functions run in Europe, except functions for authorizing and notifying payment card transactions through EML. Firebase Authentication processes data in the United States. GCP and Firebase have moved to rely on Standard Contractual Clauses (SCCs) for data transfers, which, as per the ruling, can continue to be a valid legal mechanism to transfer data under the GDPR. Google Cloud’s approach to the new EU SCCs is described here.