Security Policy

Last Updated: 2019-09-03

Tiled understands that the confidentiality, integrity and availability of our customer’s information are vital to their business operations and our own success. We use a multi-layered approach to protect that key information, constantly monitoring and improving our application, systems and processes to meet the growing demands and challenges of security.


SYSTEM ARCHITECTURE

Network uptime

We quantify our reliability by offering a 99.5% uptime guarantee to enterprise customers. This guarantee covers the continuous availability of our services, 24 hours a day, 7 days a week, 365 days a year. While Tiled strives to keep our systems up at all times, we also make intermittent upgrades or improvements from time to time. Any resulting downtime will be communicated to customers beforehand with sufficient notice.

Secure data centers

Amazon Web Services (AWS) and DigitalOcean (DO) power the server requirements for thousands of high-profile companies and government entities. We have partnered with both to provide our web and data services because of their stringent security measures, which include compliance with the following certifications and third-party attestations:
• SAS70 Type II audits
• Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS)
• ISO 27001 certification
• U.S. General Services Administration FISMA-Moderate level operation authorization
To learn more about the security procedures employed by AWS and DO, please review their documentation.

Encryption

Because Tiled stores your valuable data and, in some cases, Personally Identifiable Information (PII) (e.g. name and email), Tiled endeavors to encrypt data wherever possible. As such, we abide by two sets of encryption principles: encryption in transit (HTTPS) and encryption at rest. For the former, we aim for all data passing over the wire to be encrypted using standard HTTPS connections. For the latter, we rely on MongoDB Atlas to provide data storage, encryption and security. You can find more information on how data is secured here.

CONTENT SECURITY

Password authentication

Tiled supports sign-on with a unique username and password. Only salted one-way hashes of passwords are stored by our servers, never the passwords themselves. Individual user identity is authenticated and re-verified with each transaction, using a unique token created at login.

Permission controls

We follow security best practices by applying least-privilege access principles to protect your data. A role-based permissions system is available to Tiled user administrators.
Administrators may:
• Take control of a user account if that user's employment has ended
• Set permissions for each user, including view-only, edit, and document ownership

Data ownership

Tiled claims no ownership over any documents created through our services. Users retain copyright and any other rights, including all intellectual property rights, on created documents and included content. We respect your privacy and will never make your documents publicly available without permission.

Continuous monitoring

Tiled performs regular internal security design reviews. Our live systems are continuously monitored and supported; any issue will be reported and fixed as soon as possible.

What personal data does Tiled collect and how is it used?

Tiled collects personal data in order to provide you with the best user experience of our product and services. We also use the data to communicate with you, for example when we need to contact you regarding your account, new products or services available, customer support, security, safety and other types of communications and marketing efforts. Although Tiled does not store IP or geo data, we do perform an IP address to city mapping in order to provide you with the best user experience of our product and services.
What are some of Tiled’s key GDPR compliance initiatives?
Tiled's initiatives include (but are not limited to) the following. For each item we list the GDPR requirement, Tiled's compliance status, and how this helps you.

Appointing a Data Protection Officer (DPO) (Article 37): within compliance

Tiled has designated an appropriate resource to be the DPO, who can be reached for Subject Access Requests (SARs), questions or concerns.

Via email: support@tiled.co

Via post:
Tiled, Attn: Data Protection Officer
11848 Bernardo Plaza Ct. Ste 110, San Diego, CA 92128

If you have any requests or concerns regarding how and where your Tiled data is held and who has access to it, review our Indemnification Insurance; our DPO will provide the necessary information to you within the required timeframe, as designated by GDPR requirements.

International Data Transfers (Articles 45 & 46): within compliance

Tiled collects a minimal amount of personal data, which is transferred and processed for the purpose of responding to customer support requests, product analytics, development, remediation of technical and security issues, and other obligations in fulfilling our service agreement. Tiled's privacy and security controls extend to third parties involved in processing confidential and restricted data.

In order to communicate, provide support and resolve requests, we collect and store the contact information of customers who have given us authorization to collect, store and use that data. For example, we store email addresses so we can efficiently communicate with and notify our customers about new product feature releases. We never, however, sell or rent any data collected from customers to other parties.

Additionally, Tiled retains personal data for as long as necessary to provide our services, support our product or for other essential purposes such as complying with our legal obligations, resolving disputes and enforcing agreements. If you have any questions or concerns about Tiled's retention of your data, please contact our DPO.

Privacy Policy (Article 28(3)): within compliance

Privacy Training (Articles 39 & 47): within compliance

Tiled has updated our Privacy Policy to reflect our duties as Processors of our customers' data, as it relates to delivering our terms of service. Additionally, we will make available a defined process to enable Subject Access Requests (SARs). Because of the accuracy and detail of the data mapping required by the Privacy Impact Assessment (PIA), we will be able to better facilitate SARs from individuals when requested.

Tiled has created role-based privacy training, which employees will be required to complete by the end of Q3 (September) 2020. These trainings will be delivered through our LMS (Learning Management System), and completion metrics will be tracked as part of corporate compliance.

Personal data collected by Tiled may be stored and processed in your region, in the United States or in any other country where Tiled or its affiliates, subsidiaries or service providers maintain facilities. However, Tiled maintains its major data centres in the United States. Please be advised that Tiled may modify or update our Privacy Policy when necessary to reflect customer feedback and changes in our product and service. We encourage you to regularly review our Privacy Policy to learn more about how we are using and protecting your information; your continued use of Tiled after any modification will constitute acceptance of the modifications and updates.

Breach Notification Changes (Article 33): within compliance

Tiled will notify impacted customer(s) prior to notifying the appropriate DPA. We treat the partnership with our customers as a foundational guide based on trust and open communication; as such, we will communicate any instance of compromised personal data to our customers before any other party.

Tiled will notify impacted customers via existing communication channels, typically via email or a dedicated Customer Success Manager, if applicable.

Right to Erasure (Article 17)

Once a request for removal of personal data has been made by an individual, Tiled will comply with the request within the timeframe stipulated by GDPR regulations. However, please be advised that removal of the personal data will affect your usage of the Tiled product and our ability to service and support your account.

Tiled retains personal data for as long as necessary to provide services, support our product or for other essential purposes such as complying with our legal obligations, resolving disputes and enforcing our agreements.

To request removal of personal data, please email us at support@tiled.co.

Application “cookies”

We may use cookies and similar technologies to remember your preferences, understand how users are using our website or app, and help customize our marketing offerings. By visiting our website or using our app, you agree to the use of cookies and similar technologies for the purposes described in this Statement.

A ‘cookie’ is a small data file containing a string of characters that is sent to your computer when you visit a website, allowing that site to recognise your browser when you return. We may use third-party or analytics cookies. Third-party cookies may be used on our website to provide more relevant advertising, and we use analytics cookies, like those offered by Google Analytics, to help us understand things like how long a visitor stays on our website, what pages they find most useful, and how they arrived at tiled.co. To learn more about Google Analytics and your data, visit this Google webpage.

Most web browsers allow you to control cookies through their settings preferences; however, doing so may affect your overall user experience. Below you can learn how to control cookie settings on popular web browsers:

Google Chrome // Internet Explorer // Safari // Firefox