The General Data Protection Regulation (GDPR) is a landmark personal data protection regulation for the European Union (EU) residents. It is centered around the consumer and formulated to ensure their data protection and privacy. The GDPR came into effect on the 25th of May 2018.
By replacing the previous Data Protection Directive, the GDPR raises the bar in personal data protection for EU individuals. It applies to any person/legal entity that handles the personal data of EU residents, even if the person/legal entity operates outside of the EU region. For companies handling such data, this could imply extensive changes in their systems and contracts to ensure compliance.
At Chargebee, we welcome the regulation and see compliance as yet another milestone towards ensuring the security and privacy of your data and those of your customers. Chargebee is in compliance with the new Standard Contractual Clauses (SCCs) issued by the EU Commission in June 2021 and the same has been incorporated as part of our Data Processing Addendum (DPA) .
How are we compliant?
GDPR clearly defines rights for data subjects around aspects such as access, portability, rectification, and erasure of their personal data. Gaining explicit consent from data subjects for processing their personal data is also a key provision of the regulation.
Following are ways in which Chargebee is meeting these requirements:
- Chargebee only collects the minimum information necessary for the provision of our service. Every data field processed by Chargebee (such as your name, email address, emergency contact details, billing address, and payment method) is strictly for the purpose of providing the service.
- We do not process any special categories (as per Article 9 of GDPR) of personal data. We have signed contractual agreements and DPA with companies to store and process your personal data and that of your customers. You can find the list of these sub-processors here .
- Chargebee only keeps the data of you and your customers for as long as needed for the provision of service.
- Chargebee erases all your personal information 120 days after your account with us has been cancelled. Your Chargebee website along with all the information of your customers stored with us is also deleted. The only information retained is that which is necessary from a compliance or legal standpoint. This includes invoices, subscription information, and audit logs.
- All TEST sites in Chargebee that have been inactive for six months are automatically deleted.
- As a data processor, Chargebee gives you various in-app features to manage how the personal data of your customers are retained or purged.
- The Import and Export feature allows you the right to portability of all the information that we process on your behalf.
- Chargebee provides, via its app and API, ways of keeping all your personal data and that of your customers accurate.
- There are unambiguous features built into the app to gather/revoke consent from both you, the merchant and (on behalf of you) from your customers. These features make it as easy for you and your customers to revoke consent as it is to grant.
- Whenever we capture any form of consent from you or your customers, we log the IP address and the time and date of the action, thereby making granting or revocation of consent demonstrable. These logs are also available on request.
- We have implemented the SCCs released by the EU Commission to process any Personal data originating from Switzerland, the United Kingdom, and/or the European Economic Area (EEA) in a country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data. Contact support for a copy of the personal data that we(as data controllers) process.
- We also provide multiple options to host data in your respective regions. For detailed information refer to the data center locations mentioned here .
Privacy Features for Data Processing
As a data processor, we give you the following features in Chargebee to help you ensure the privacy of your customers' personal data.
- Consent Management: This feature allows you to obtain and revoke explicit consent from your customers and manage it within Chargebee.
- Personal Data Management: Chargebee gives you full control over how personal data of your customers is retained on our systems or erased from it.
Our Security Standards
Certifications help ensure that companies have the right systems in place to demonstrate their abilities in data privacy and security. Here's how we have been audited by independent third-party auditors:
- Ensuring the security of payment card data through PCI DSS Level 1 compliance.
- Information security is compliant with the ISO/IEC 27001:2013 standard.
- SOC 1 Type II report for assessing our internal controls over financial reporting.
- SOC 2 Type II report that evaluates our controls relevant to security, availability, and confidentiality.
These reports/certifications are available for download through Chargebee's LIVE site (can be accessed by the owner and admin of the site).
Refer to our security page to understand the detailed Technical and Organizational Measures (TOMs) which are implemented by Chargebee.
The Data Processing Addendum(DPA)
As referenced in our Terms of Service or any service agreement between you and Chargebee, the DPA applies where the Group Companies process personal data on your behalf. Contact support for a signed copy of the DPA.