Centered around the consumer and formulated to ensure the protection of their data and upholding their privacy, the General Data Protection Regulation is a landmark personal data protection regulation for EU residents. It came into effect on 25th of May 2018.
By replacing the previously in place Data Protection Directive, the GDPR raises the bar in personal data protection for EU individuals. It applies to any person/legal entity that handles personal data of EU residents, even if the person/legal entity operates outside of the EU region. For companies handling such data, this could imply extensive changes in their systems and contracts to ensure compliance.
At Chargebee, we welcome the regulation and see compliance as yet another milestone towards ensuring the security and privacy of your data and those of your customers.
Some important definitions under the regulation
- Personal Data: Any information that is related to an identified or identifiable natural person. Here, information is meant in the broadest possible sense. Moreover, the data protection law only applies to information related to a natural person and not legal entities such as corporations, institutions etc.
- Data Subject: Any EU resident whose personal data is being handled. In other words, the "natural person" as described in the previous paragraph.
- Data Controller: The entity that takes ownership of personal data and determines how and by whom it is handled.
- Data Processor: An entity that handles personal data on behalf of the controller. A data processor may have sub-processors.
- Third Party: An entity or person other than those who are authorized to handle personal data under the direct authority of the data controller.
How are we compliant?
GDPR clearly defines rights for data subjects around aspects such as access, portability, rectification and erasure of their personal data. Gaining explicit consent from data subjects for processing their personal data is also a key provision of the regulation.
We summarize here ways in which Chargebee is meeting these requirements:
- Chargebee only collects the minimum information necessary for the provision of our service. Every data field processed by Chargebee (such as your name, email address, emergency contact details, billing address and payment method) is strictly for the purpose of providing the service.
- We do not process any special categories (as per Article 9 of GDPR) of personal data.
We have signed contractual agreements with companies to store and process your personal data and that of your customers. We have reached out to them to ensure that they are GDPR-ready. You can find the list of these "sub-processors" here .
- Chargebee only keeps the data of you and your customers for as long as needed for the provision of service.
- Chargebee erases all your personal information 120 days after your account with us has been cancelled. Your Chargebee website along with all the information of your customers stored with us is also deleted. The only information retained is that which is necessary from a compliance or legal standpoint. This includes invoices, subscription information and audit logs.
- All test websites in Chargebee that have been inactive for 6 months are automatically deleted.
- As a data processor, Chargebee gives you in-app features to manage how the personal data of your customers are retained or purged.
- The Import and Export feature allows you the right to portability of all the information that we process on your behalf.
- Chargebee provides, via its app and API, ways of keeping all your personal data and that of your customers accurate. The Self-Serve Portal allows all data to be fully editable.
- There are unambiguous features built into the app to gather/revoke consent from both you, the merchant and (on behalf of you) from your customers. These features make it as easy for you and your customers to revoke consent as it is to grant.
- Whenever we capture any form of consent from you or your customers, we log the IP address and the time and date of the action, thereby making granting or revocation of consent demonstrable. These logs are also available on request.
- To ensure safe transfer of personal data with the EU and Switzerland, we have the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield certification in place. For all other regions, we have signed DPAs with all our sub-processors to ensure compliance.
As a data controller, we are able to provide you a copy of your personal data we process. Please contact [email protected] for this.
Privacy Features for Data Processing
As data processor, we give you the following features in Chargebee to help you ensure the privacy of your customers' personal data.
- Consent Management: This feature allows you to obtain and revoke explicit consent from your customers and manage it within Chargebee.
- Personal Data Management: Chargebee gives you full control over how personal data of your customers is retained on our systems or erased from it.
Our Security Standards
Certifications help ensure that companies have the right systems in place to demonstrate their abilities in data privacy and security. Here's how we have been audited by independent third-party auditors:
- Ensuring security of payment card data through PCI DSS Level 1 compliance.
- Information security, compliant with the ISO/IEC 27001:2013 standard.
- Data protection for transatlantic commerce via EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield .
- SOC 1 Type I & II reports for assessing our internal controls over financial reporting.
- SOC 2 Type II report that evaluates our controls relevant to security, availability, integrity and confidentiality.
Our security page gives more details about all the provisions we have in place.
The Data Processing Addendum
With the Data Processing Addendum (DPA), we update our terms with you as your data processor. The DPA is an agreement between parties with regards to the processing of personal data in accordance with the requirements of GDPR. You can request a signed copy of the DPA by contacting [email protected] . Once you sign it and send it back to us, it becomes obligatory.