Last updated: January 25, 2021
This Security Policy outlines how Glass Canvas Media Inc. (“we” or “us”) collects and uses our users’ (“you” or “your”) personal information, which we gather from our websites, services, and desktop and mobile applications (collectively referred to as “Tilma” or the “Tilma Platform”). Terms used in this Security Policy have the same meanings as in our Terms of Use.
We do not access or interact with customers’ data as part of normal operations. We may need to access customer data to troubleshoot a support issue, to generate a report a customer has requested, or where required by law; in every such case that access is subject to access controls.
The security of your data is important to us and we strive to ensure that any personal data we collect about you will be held and processed strictly in accordance with applicable data protection legislation, as set out in our Privacy Policy. Below, we'll outline both the physical and technical procedures we use to ensure your data is kept safe.
The Payment Card Industry Data Security Standard (PCI DSS, or more commonly, PCI) is a set of requirements established by the major payment card brands to protect cardholder data. All merchants and processors need physical, electronic, and procedural controls in place to ensure that cardholder data is stored and handled securely at all times.
Tilma uses "PCI DSS Level 1 Service Provider" gateways and our payment processor is also a certified "PCI DSS Level 1 Service Provider" payment processor.
The Tilma platform uses industry-standard HTTPS (TLS) encrypted connections for all websites to secure data sent between users and our servers, and our databases use encryption at rest. This is the same standard used for transferring credit card data. TLS both encrypts the traffic and authenticates our servers to your browser, which is what protects against “man-in-the-middle” attacks, in which a third party attempts to intercept or alter messages in transit. An encrypted, authenticated connection means that only the intended recipient is able to read the data.
We limit brute-force attacks with rate limiting. Passwords are filtered out of all our logs and are never stored in readable form: we store only a salted, one-way bcrypt hash, which cannot be reversed to recover the password.
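The three login protections described above (rate limiting, keeping passwords out of logs, and one-way password hashing) fit together as in the following added example. It is illustrative code written for this page, not Tilma's own implementation. PBKDF2 from Python's standard library stands in for bcrypt so the example runs without third-party packages; with the `bcrypt` package you would call `bcrypt.hashpw` and `bcrypt.checkpw` in the same two places. The IP address, request bodies and log lines are constructed for the example, and the same hashing applies to the admin and member account passwords described further down.

```python
"""Added example, not Tilma's code: rate limiting, log redaction and salted
one-way password hashing for a login endpoint. PBKDF2 stands in for bcrypt."""
import hashlib
import hmac
import json
import os
import re
import time
from collections import deque

# Matches password-like keys in JSON bodies ("password":"x") and in form or
# query strings (password=x) so their values can be masked before logging.
SENSITIVE = re.compile(
    r'("?(?:password|passwd|pwd|token|secret)"?\s*[:=]\s*)("[^"]*"|[^&\s,}]+)',
    re.IGNORECASE,
)


def redact(line: str) -> str:
    """Replace the value of any sensitive key in a log line with [FILTERED]."""
    return SENSITIVE.sub(lambda m: m.group(1) + "[FILTERED]", line)


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted one-way hash; the stored string carries what is needed to verify it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class LoginRateLimiter:
    """Sliding-window limiter: at most `limit` attempts per `window` seconds per
    key (typically the client IP or the account being targeted)."""

    def __init__(self, limit: int = 5, window: float = 60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._attempts = {}  # key -> deque of attempt timestamps

    def allow(self, key: str) -> bool:
        now = self.clock()
        attempts = self._attempts.setdefault(key, deque())
        while attempts and now - attempts[0] >= self.window:
            attempts.popleft()  # forget attempts that fell outside the window
        if len(attempts) >= self.limit:
            return False
        attempts.append(now)
        return True


def attempt_login(limiter, stored_hash, client_ip, request_body, log):
    """Return 'rate_limited', 'ok' or 'bad_password'. `log` is a list standing in
    for the application logger; the request line is redacted before it is kept,
    which is where a body-logging middleware would otherwise leak the password.
    `request_body` is assumed to be a JSON document with a "password" field."""
    log.append(redact(f"POST /login from {client_ip} body={request_body}"))
    if not limiter.allow(client_ip):
        return "rate_limited"
    password = json.loads(request_body).get("password", "")
    return "ok" if verify_password(password, stored_hash) else "bad_password"
```

Keying the limiter on the client IP alone is the minimum; limiting per target account as well stops an attacker who rotates source addresses against one account.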
Tilma operates on a custom system administration environment that is hosted by DigitalOcean and Amazon AWS, premier commercial cloud hosting providers, certified to the ISO/IEC 27001:2013 compliance standard for information security management systems. We continuously synchronize our databases and files between each hosting provider to ensure maximum redundancy, data safety, and integrity. Backups are created daily and stored at the respective data center.
All of our hosting providers operate multiple data centers which each employ high-speed internet connections through multiple ISPs (Internet Service Providers) for redundancy. Our system administrators actively monitor our servers and traffic loads at each data center and use load balancing tools to route users to the most efficient server. This ensures that everyone accessing a Tilma site has the best experience possible.
The Tilma platform is specifically designed to have multiple admin user accounts, each with its own set of permissions, ensuring that each user has access only to what they require. Common scenarios are restricting which admin users are able to view donation information of other user accounts, or preventing certain users from editing or deleting people. All admin accounts require a password to be set before they can log in, and these passwords are stored only as one-way hashes, so they cannot be viewed by any other user.
We follow standard authentication practice, which means your account password is stored only in hashed form and managed securely within our systems.
Parishioners/Individuals can easily register to create an online account where they can securely edit their membership information and manage online giving, among other activities. Just like admin accounts, all user accounts require a password to be set before they can log in, and these passwords are stored only as one-way hashes, so they cannot be viewed by any other user. Strict access controls on each member account ensure that a member's personal and financial information is stored securely and that no other user can gain unauthorized access to it anywhere across the Tilma platform.
Credit card data is extremely sensitive, and we work hard to ensure it is handled securely. We do not store full card numbers on our servers, and we have no access to them. Instead, that data is stored by our payment orchestration partner, and we reference it only through tokens issued by that partner; the tokens cannot be turned back into card numbers on our side, so a copy of our database does not expose cardholder data.
Tilma is a multi-tenant platform with strict access controls between instances. Site and user data cannot be accessed across instances by admin users who lack the correct permissions: every data request must pass an authorization check based on which “orgs” (sites) the requesting user has access to, so no data is ever returned from an org the user does not belong to.
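The per-request org check described above, combined with the per-admin permission scenario described for admin accounts (restricting who may view donation information), looks like the following added example. It is illustrative code written for this page, not Tilma's implementation; the org names, permission names, user records and donation rows are all constructed for the example. Beyond the list-by-org case in the text, it also shows the lookup-by-id case, where the org must be derived from the record rather than trusted from the request.

```python
"""Added example, not Tilma's code: the org-scoped authorization check a
multi-tenant platform applies to every data request. All data is constructed."""
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a request reaches outside the caller's orgs or permissions."""


@dataclass(frozen=True)
class User:
    id: int
    # org_id -> permissions the user holds in that org; no entry means no membership
    org_permissions: dict


# Constructed sample data: two orgs sharing one database, as in a multi-tenant app.
DONATIONS = [
    {"id": 1, "org_id": "st-marys", "donor_id": 10, "amount": 50},
    {"id": 2, "org_id": "st-marys", "donor_id": 11, "amount": 20},
    {"id": 3, "org_id": "holy-cross", "donor_id": 12, "amount": 75},
]


def require(user: User, org_id: str, permission: str) -> None:
    """The test every data request must pass: membership in the org AND the
    specific permission within it. Fails closed if either is missing."""
    granted = user.org_permissions.get(org_id, frozenset())
    if permission not in granted:
        raise AccessDenied(f"user {user.id} lacks {permission} in org {org_id}")


def list_donations(user: User, org_id: str) -> list:
    """List view: the org comes from the caller, so it is checked before filtering."""
    require(user, org_id, "donations:read")
    return [d for d in DONATIONS if d["org_id"] == org_id]


def get_donation(user: User, donation_id: int):
    """Detail view: the org is taken from the record itself, never from the
    request, so a guessed id belonging to another org is refused. Returns None
    for a missing record; an HTTP layer should present both outcomes as the
    same 404 so callers cannot probe which ids exist in other orgs."""
    record = next((d for d in DONATIONS if d["id"] == donation_id), None)
    if record is None:
        return None
    require(user, record["org_id"], "donations:read")
    return record


def is_denied(fn, *args) -> bool:
    """Helper for exercising the checks: True if the call was refused."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False
```

The important property is that the check runs inside the data-access function rather than in a caller that might forget it, and that the detail lookup consults the record's own org: a check that trusted an org id supplied in the URL would let a user who belongs to one org read records from another simply by changing the id.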
We have integrated the Tilma platform with Cloudflare, which specializes in protecting websites and applications and in increasing speed and reliability for everyday users through a global network of data centers. This brings the Tilma platform closer to users so it runs fast, while simultaneously shielding the platform from malicious traffic and unnecessary server requests.
Many of us who work at Glass Canvas are also users of our Tilma software. Our personal data is in the same database as our customers. We've entered personal information about our children at our own parishes; we've donated to our parishes using Tilma Giving. We protect your data like it’s our data because it is our data.
We may periodically revise and update this Policy at our sole discretion. All changes are effective immediately when we post them, and apply to all access to and use of Tilma thereafter. Your continued use of Tilma, following the posting of the revised Security Policy, means that you accept and agree to the changes. You are expected to check this page from time to time so you are aware of any changes.
Any questions about this Security Policy should be addressed to our support team at [email protected]