Enterprise-grade Security for Your Interactive Content Experiences
Designed to Empower Your Best Conversations
As an integral solution used by many global brands to create and share interactive content experiences, Tiled understands the confidentiality, data integrity and availability required of our platform, and we work hard to deliver on that promise. We use a multi-layered approach to protect that key information, constantly monitoring and improving our application, systems and processes to meet the growing demands and challenges of security.
Tiled hosts its software on Amazon Web Services (AWS).
Amazon provides an extensive list of compliance and regulatory assurances, including SOC 3 and ISO 27001. See Amazon's compliance and security documents for more detailed information.
Tiled has a SOC 2 Type 1 attestation.
We have undergone an examination of our security controls against the AICPA-defined standards.
Tiled is committed to ensuring compliance with the General Data Protection Regulation (GDPR).
With Tiled’s GDPR compliance framework, your interactive content experiences can be enabled to inform end-users as well as obtain their agreement to engage with your content.
Date updated: 3/10/21
SECTION 1: COMPLIANCE & CERTIFICATIONS
SOC2 Type 1: Tiled has certified its systems to AICPA SOC2 Type 1 level, successfully auditing the operational and security processes of our service and company.
General Data Protection Regulation (GDPR)
What personal data does Tiled collect and how is it used?
Tiled collects personal data in order to provide you with the best user experience of our product and services. We also use the data to communicate with you, for example if we need to contact you regarding your account, new products or services available, customer support, security, safety and other types of communications and marketing efforts. Although Tiled does not store IP or geo data, we do perform an IP address to city mapping in order to provide you with the best user experience of our product and services.
What are some of Tiled’s key GDPR compliance initiatives?
Tiled's key initiatives include (but are not limited to) the following:
- Appointing a Data Protection Officer (DPO) (Article 37) (within compliance): Tiled has designated an appropriate resource to be the DPO, who can be reached for Subject Access Requests (SARs), questions or concerns. Via email: firstname.lastname@example.org. Via post: Tiled Attn: Data Protection Officer 11848 Bernardo Plaza Ct. Ste 110 San Diego CA 92128. Should you have any requests or concerns regarding how, where, and who has access to your Tiled data, or need to review our Indemnification Insurance, our DPO will provide the necessary information to you within the required timeframe, as designated by GDPR requirements.
- International Data Transfers (Articles 45 & 46) (within compliance): Tiled collects a minimal amount of personal data, which is transferred and processed for the purpose of responding to customer support requests, product analytics, development, remediation of technical and security issues, and other obligations in fulfilling our service agreement. Tiled’s privacy and security controls extend to third parties involved in processing confidential and restricted data. In order to communicate, provide support and resolve requests, we collect and store the contact information from our customers who have given us authorization to collect, store and use that data. For example, we store email addresses so we can efficiently communicate and notify our customers about new product feature releases. We, however, never sell or rent any collected data from customers to other parties. Additionally, Tiled retains personal data for as long as necessary to provide our services, support our product or for other essential purposes such as complying with our legal obligations, and resolving disputes and enforcing agreements. If you have any questions or concerns about Tiled's retention of your data, please contact our DPO.
- Breach Notification Changes (Article 33) (within compliance): Tiled will notify impacted customer(s) prior to notifying the appropriate DPA. We treat our partnership with our customers as founded on trust and open communication; as such, we will communicate any instances of compromised personal data to our customers prior to other sources. Tiled will notify impacted customers via existing communication channels, typically via email or a dedicated Customer Success Manager, if applicable.
- Right to Erasure (Article 17): Once a request for removal of personal data has been made by an individual, Tiled will comply with the request within the timeframe stipulated by GDPR regulations. However, please be advised that removal of the personal data will affect your usage of the Tiled product and our ability to service and support your account. Tiled retains personal data for as long as necessary to provide services, support our product or for other essential purposes such as complying with our legal obligations, and resolving disputes and enforcing our agreements. To request removal of personal data, please email us at email@example.com.
SECTION 2: ARCHITECTURE
Secure data centers: Tiled hosts its software on Amazon Web Services (AWS) and leverages Amazon facilities in the USA. Amazon provides an extensive list of compliance and regulatory assurances, including SOC 3 and ISO 27001. Because of their stringent security measures, Tiled is able to address compliance with their certifications and third-party attestations:
- SAS70 Type II audits
- Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS)
- ISO 27001 certification
- U.S. General Services Administration FISMA-Moderate level operation authorization
Network uptime: We quantify our reliability by offering a 99.5% uptime guarantee to enterprise customers. This guarantee ensures the constant deployment of our services, 24 hours a day, 7 days a week, 365 days a year. While Tiled strives to keep our systems up at all times, we also make upgrades or improvements from time to time. Any downtime will be communicated to customers beforehand with sufficient notice.
Encryption: Because Tiled stores your valuable data and, in some cases, Personally Identifiable Information (PII) (e.g. name and email), Tiled endeavors to encrypt data wherever possible. As such, we abide by two sets of encryption principles: encryption in transit (HTTPS) and encryption at rest. For the former, we aim for all data passing over the wire to be encrypted using standard HTTPS connections. For the latter, data is securely encrypted while stored in our databases. You can find more information on how data is secured here.
SECTION 3: CONTENT SECURITY
Password authentication: Tiled supports sign-on with a unique username and password. Only salted one-way hashes of passwords are stored by our servers, never the passwords themselves. Individual user identity is authenticated and re-verified with each transaction, using a unique token created at login.
Permission controls: We follow security best practices by using least privilege access principles to protect your data. A role-based permissions system is available to Tiled user administrators. Administrators may:
- Seize control of a user account if that user’s employment has ended
- Set permissions for each user, including view-only, edit, and document ownership
Data ownership: Tiled claims no ownership over any documents created through our services. Users retain copyright and any other rights, including all intellectual property rights, on created documents and included content. We respect your privacy and will never make your documents publicly available without permission.
Continuous monitoring: Tiled performs regular internal security design reviews. Our live systems are continuously monitored and supported; any issue will be reported and fixed as soon as possible.