System Description

Overview

Tilia is a registered money services business and licensed money transmitter. Tilia enables publishers of video games and virtual worlds to create in-world economies and monetize user interaction.

Tilia system diagram

Tilia uses security tools to scan our network, cloud infrastructure, and services. We also engage professional security vendors to perform penetration tests and audits of our environment on an annual basis, while internal system scans are performed quarterly.

Access to Customer Data

A subset of Tilia’s Personnel has access to customer data as necessary to support the platform and provide the service. Individual access is granted based on individual role and job responsibilities. Access to systems containing customer data is reviewed on a regular basis and is monitored on an ongoing basis.

Secure Data Handling and Destruction

Our solution is hosted on one or more cloud-based Infrastructure-as-a-Service platforms. These cloud providers are responsible for the security of the underlying cloud infrastructure and Tilia takes the responsibility of securing workloads we deploy inside the cloud infrastructure. We select cloud providers that monitor and audit computing environments continuously, with certifications from accreditation bodies across geographies and verticals, including ISO 27001, FedRAMP, DoD CSM, and PCI DSS. Any device storing any data is subjected to data-at-rest encryption. The service makes use of code-level logic and permissions to segregate customer data.

Customer Responsibilities

As a user of the Tilia platform, customers should be proactive in recognizing the value and sensitivity of the information provided by the service as well as the need to safeguard such data appropriately. This document details a Tilia customer’s responsibilities as they relate to use of the Tilia software and services. It is the responsibility of Tilia customers to familiarize themselves with the information and procedures set forth below and comply with them.

Safeguarding of Assets and Information

To safeguard information assets and policy enforcement capabilities available in Tilia, the customer’s IT governance processes should include end-user training regarding appropriate use and awareness of the need for securing access to their Tilia account credentials, including API credentials. Access to Tilia requires a login ID and password or integration with a Single-Sign-On (SSO) provider. When an organization uses the Tilia service, it is the customer’s responsibility to manage which users should be given access to the service. Customers should also define when access should be removed. For example, removing access upon termination of employment or as part of departmental changes that result in change of duties or responsibilities. Only valid account credentials should be used by authorized users to access the Tilia service; users should not share authentication credentials.

The Tilia service should be considered sensitive and confidential by users of the service. Users should follow information security best practices to ensure that access to their account credentials is appropriately limited, and the information and functionality provided by the Tilia service is protected from unauthorized use. Tilia customers are responsible for maintaining the security and confidentiality of their user credentials (e.g. Login ID and Password) and API credentials, and are responsible for all activities and uses performed under their account credentials whether authorized by the customer or not. By establishing user credentials and accessing the platform, users of the Tilia service agree to comply with these requirements to safeguard assets and account information

Password Management

The Tilia service is accessible via the Internet. As a result, appropriate care must be exercised by Tilia users in protecting all Tilia accounts against unauthorized access and use of their credentials. By establishing user credentials and accessing the service, users agree to proactively protect the security and confidentiality of user credentials and never share account credentials, disclose any passwords or user identifications to any unauthorized persons, or permit any unauthorized person to use or access their Tilia accounts. Any loss of control of passwords or user identifications could result in financial loss or the loss or disclosure of confidential information, and the responsible account owner(s) may be liable for the actions taken under their account credentials whether they authorized the activity or not. Additionally, when establishing Tilia account credentials, end users are required to establish strong passwords following password strength and complexity best practices; passwords should not be guessable.

Reporting Operational Issues

All Tilia services are monitored 24×7 to meet our service commitments. All planned maintenance will be performed in accordance with Tilia’s maintenance plan. If there is a need to perform emergency maintenance for a vulnerability or bug fix, we will notify customers prior to the work being performed. On the occasion that Tilia customers observe performance issues, problems or service outages, they can contact tilia-support@tilia.io or open a support ticket to report such issues.

Incidents and Breaches

By establishing Tilia account credentials or accessing its service, customers agree to notify Tilia immediately of any security incident, including any suspected or confirmed breach of security. Also, users of the service agree to log out or exit the service immediately at the end of each session to provide further protection against unauthorized use and intrusion. Tilia customers should also notify Tilia immediately if they observe any activity or communications in other forums that may indicate that other Tilia customers have had their accounts compromised. Lastly, Tilia encourages users to practice responsible disclosure by notifying Tilia of any potential or confirmed security vulnerabilities. Tilia is dedicated to providing secure services to clients, and will triage all security vulnerabilities that are reported. Furthermore, Tilia will prioritize and fix security vulnerabilities in accordance with the risk that they pose.

Compliance Issues

Regulatory requirements and industry mandates are continuously increasing in scope & depth and can vary from industry to industry. Tilia users agree to abide by the regulatory requirements, industry mandates, and other compliance requirements imposed on their organizations and understand that use of cloud-based services does not exclude the organizations from responsibilities for restricting access to application information and functionality.

Responsible Disclosure Policy

Tilia is dedicated to keeping its cloud platform safe from all types of security issues thereby providing a safe and secure environment to our customers. Data security is a matter of utmost importance and a top priority for us. If you believe you have discovered a security flaw in the Tilia service or the underlying infrastructure, we appreciate your support in disclosing the issue to us in a responsible manner. Our responsible disclosure process is managed by the security team at Tilia. We are always ready to recognize the efforts of security researchers by rewarding them with a token of appreciation, provided the reported security issue is of high severity and not already known to us. When reporting the security vulnerability to our Security team, please refrain from disclosing the vulnerability details to the public outside of this process while we work to address the reported issue. Please provide the complete details necessary for reproducing the issue. We determine the risk of each vulnerability by assessing the ease of exploitation and business impact associated with the vulnerability.

Response

As a security researcher, if you identify or discover a security vulnerability in compliance with the responsible disclosure guidelines, Tilia commits to:

  • acknowledge the receipt of the reported security vulnerability in a timely fashion
  • notify you when the vulnerability is remediated
  • extend our gratitude by providing a token of appreciation in supporting us to make our customers safer and more secure

Please report security issues to: security@tilia.io.

Data Retention

For information on Tilia’s data retention policy, refer to the Privacy Policy.

Changes to our Privacy Policy

The Privacy Policy in effect at the time you use the Tilia service governs how we may use your information. Our business may change from time-to-time. As a result, at times it may be necessary for Tilia to make changes to the Privacy Policy. Tilia reserves the right to update or modify the Privacy Policy at any time. If we make material changes we will post the updated policy on this page with an updated Effective Date. Please review our Privacy Policy periodically, and especially before providing your data to Tilia through our website or by registering for the Tilia service. Your continued use or access to the site or the Tilia service after any changes or revisions to the Privacy Policy shall indicate your agreement with the terms of the revised Privacy Policy.

Contacting Tilia

For general inquiries, please contact us using the Contact Us page.