Security and Trust

Enterprise-grade Security for Your Interactive Content Experiences

Designed to Empower Your Best Conversations

As an integral solution used by many global brands to create and share interactive content experiences, Tiled understands the sensitivity of confidentiality, data integrity and availability required of our platform and we work hard to deliver on that promise. We use a multi-layered approach to protect that key information, constantly monitoring and improving our application, systems and processes to meet the growing demands and challenges of security.

Tiled hosts its software on Amazon Web Services (AWS).

Amazon provides an extensive list of compliance and regulatory assurances, including SOC 3 and ISO 27001. See Amazon's compliance and security documents for more detailed information.

Tiled has a SOC 2 Type 1 attestation.

We have undergone examination of our security controls against the AICPA defined standards.

Tiled is committed to ensuring compliance with the General Data Protection Regulation (GDPR).

With Tiled’s GDPR compliance framework, your interactive content experiences can be enabled to inform end-users as well as obtain their agreement in engaging with your content.

Date updated: 3/10/21

SECTION 1: COMPLIANCE & CERTIFICATIONS

SOC2 Type 1

Tiled has certified its systems to AICPA SOC2 Type 1 level, successfully auditing the operational and security processes of our service and company.

General Data Protection Regulation (GDPR)

What personal data does Tiled collect and how is it used?

Tiled collects personal data in order to provide you with the best user experience of our product and services. We also use the data to communicate with you. For example, if we need to contact you regarding your account, new products or services available, customer support, security, safety and other types of communications and marketing efforts. Although Tiled does not store IP or geo data, we do perform an IP address to city mapping in order to provide you with the best user experience of our product and services.

What are some of Tiled’s key GDPR compliance initiatives?

Tiled's initiatives include (but are not limited to) the following:

  • Appointing a Data Protection Officer (DPO) (Article 37) (within compliance): Tiled has designated an appropriate resource to be the DPO, who can be reached for Subject Access Requests (SARs), questions or concerns. Via email: support@tiled.co. Via post: Tiled, Attn: Data Protection Officer, 11848 Bernardo Plaza Ct. Ste 110, San Diego CA 92128. Should you have any requests or concerns regarding how, where, and who has access to your Tiled data, or need to review our Indemnification Insurance, our DPO will provide the necessary information to you within the required timeframe, as designated by GDPR requirements.
  • International Data Transfers (Articles 45 & 46) (within compliance): Tiled collects a minimal amount of personal data, which is transferred and processed for the purpose of responding to customer support requests, product analytics, development, remediation of technical and security issues, and other obligations in fulfilling our service agreement. Tiled’s privacy and security controls extend to third parties involved in processing confidential and restricted data. In order to communicate, provide support and resolve requests, we collect and store the contact information from our customers who have given us authorization to collect, store and use that data. For example, we store email addresses so we can efficiently communicate and notify our customers about new product feature releases. However, we never sell or rent any collected data from customers to other parties. Additionally, Tiled retains personal data for as long as necessary to provide our services, support our product or for other essential purposes such as complying with our legal obligations, resolving disputes and enforcing agreements. If you have any questions or concerns about Tiled's retention of your data, please contact our DPO.
  • Privacy Policy (Article 28(3)) (within compliance) and Privacy Training (Articles 39 & 47) (within compliance): Tiled has updated our Privacy Policy to reflect our duties as Processors of our customers’ data, as it relates to delivering terms of service. Additionally, we will make available a defined process to enable Subject Access Requests (SARs). Due to the accuracy and details of the data mapped, as required by the Privacy Impact Assessment (PIA), we will be able to better facilitate SARs from individuals when requested. Tiled has created role-based privacy training, which will be required to be completed by employees by the end of Q3 (September) 2020. These trainings will be facilitated through our LMS (Learning Management System) and completion metrics will be tracked as part of corporate compliance. Personal data collected by Tiled may be stored and processed in your region, in the United States or in any other country where Tiled or its affiliates, subsidiaries or service providers maintain facilities. However, Tiled maintains major data centres in the United States. Please be advised that Tiled may modify or update our Privacy Policy when necessary to reflect customer feedback and changes in our product and service. We encourage you to regularly review our Privacy Policy to learn more about how we are using and protecting your information. Your continued use of Tiled after any modification will constitute acceptance of the modification and updates.
  • Breach Notification Changes (Article 33) (within compliance): Tiled will notify impacted customer(s), prior to notifying the appropriate DPA. We take the partnership with our customers as a foundational guide based on trust and open communication; and as such, we will communicate any instances of compromised personal data to our customers prior to other sources. Tiled will notify impacted customers via existing communication channels, typically via email or a dedicated Customer Success Manager, if applicable.
  • Right to Erasure (Article 17): Once a request for removal of personal data has been made by an individual, Tiled will comply with the request, within the timeframe as stipulated by GDPR regulations. However, please be advised that removal of the personal data will affect your usage of the Tiled product and our ability to service and support your account. Tiled retains personal data for as long as necessary to provide services, support our product or for other essential purposes such as complying with our legal obligations, resolving disputes and enforcing our agreements. To request removal of personal data, please email us at support@tiled.co.
  • Application “cookies”: We may use cookies and similar technologies to remember your preferences, understand how users are using our website or app, and help customize our marketing offerings. By visiting our website or using our app, you agree to the use of cookies and similar technologies for the purposes described in this Statement. A “cookie” is a small data file containing a string of characters that is sent to your computer when you visit a website and that allows that site to recognise your browser when you return. We may use third party or analytics cookies. Third party cookies may be used on our website to provide more relevant advertising, and we use analytics cookies, like those offered by Google Analytics, to help us understand things like how long a visitor stays on our website, what pages they find most useful, and how they arrived at tiled.co. To learn more about Google Analytics and your data, visit this Google webpage. Most web browsers allow you to control cookies through their settings preferences; however, doing so may impact your overall user experience. Below you can learn about how to control cookie settings on popular web browsers: Google Chrome // Internet Explorer // Safari // Firefox // Edge

SECTION 2: ARCHITECTURE

Secure data centers: Tiled hosts its software on Amazon Web Services (AWS) and leverages Amazon facilities in the USA. Amazon provides an extensive list of compliance and regulatory assurances, including SOC 3 and ISO 27001. Because of their stringent security measures, Tiled is able to address compliance with their certifications and third-party attestations:

  • SAS70 Type II audits
  • Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS)
  • ISO 27001 certification
  • U.S. General Services Administration FISMA-Moderate level operation authorization

Network uptime: We quantify our reliability by offering a 99.5% uptime guarantee to enterprise customers. This guarantee ensures the constant deployment of our services, 24 hours a day, 7 days a week, 365 days a year. While Tiled strives to keep our systems up at all times, we also make intermittent upgrades or improvements from time to time. Any downtime will be communicated to customers beforehand with sufficient notice.

Encryption: Because Tiled stores your valuable data and, in some cases, Personally Identifiable Information (PII) (e.g. name and email), Tiled endeavors to encrypt data wherever possible. As such, we abide by two sets of encryption principles: encryption in transit (HTTPS) and encryption at rest. For the former, we aim for all data passing over the wire to be encrypted using standard HTTPS connections. For the latter, data is securely encrypted while stored in our databases. You can find more information on how data is secured here.


SECTION 3: CONTENT SECURITY

Password authentication: Tiled supports sign-on with a unique username and password. Only salted one-way hashes of passwords are stored by our servers, never the passwords themselves. Individual user identity is authenticated and re-verified with each transaction, using a unique token created at login.

Permission controls: We follow security best practices by using least privilege access principles to protect your data. A role-based permissions system is available to Tiled user administrators. Administrators may:

  • Seize control of a user account if that user’s employment has ended
  • Set permissions for each user, including view-only, edit, and document ownership

Data ownership: Tiled claims no ownership over any documents created through our services. Users retain copyright and any other rights, including all intellectual property rights, on created documents and included content. We respect your privacy and will never make your documents publicly available without permission.

Continuous monitoring: Tiled performs regular internal security design reviews. Our live systems are continuously monitored and supported; any issue will be reported and fixed as soon as possible.