Why data security is critical for your Chargebee Receivables Platform?
Chargebee Receivables helps you view, track and collect your unpaid invoices. With critical information about your
business processes and revenue flowing through, the security of the Chargebee Receivables - system needs to be
Chargebee Receivable platform may collect personal information, for instance, name, email id, phone numbers and so on.
You owe your customers the promise that all of this data will be handled safely and securely and will never be shared
without their consent.
The Chargebee Promise
At Chargebee, we take data integrity and security very seriously. Due to the nature of the product and service we
provide, it is important that we acknowledge our responsibilities both as data controller as well as a data processor.
We store and process your data and that of your customers with care and help you be compliant so that you can continue
to build trust while enhancing customer experiences.
We help you assure your customers that their personal information and billing data are and will always be secure. The
promise of security stems from the very system that handles customer data and is an essential part of our product,
processes, and team culture
Our facilities, processes and systems are reliable, robust and third-party tested. We continuously look for
opportunities to make improvements and give you a highly secure, scalable system to provide a great experience to your
Chargebee lets you deliver a secure accounts receivable management experience at different levels by,
Securing your customers’ personal information: compliance to GDPR.
Ensuring Internal Data security of your data that rests with Chargebee Receivables: adherence to ISO, SOC 2
Network Security within Chargebee: Network, application and operational level security policies that we follow
SOC 2 attestation
When you trust us to handle key business operations such as managing your receivables , you gain assurance that we
value and protect the interests of your organization and the privacy of your customers.
The SOC attestation ensures that SaaS service providers such as Chargebee securely manage your data to protect the
interests of your organization and the privacy of its clients. SOC for Service Organizations are internal control
reports on the services provided by a service organization providing valuable information that users need to assess
and address the risks associated with an outsourced service.
The purpose of these reports is to help you and your auditors understand the Chargebee controls established to support
operations and compliance. SOC Report of Chargebee that you can get on-demand:
- Chargebee SOC 2 type II report
For more details around our SOC 2 attestation, you can reach out to
ISO 27001 certification
ISO 27001 (formally known as ISO/IEC 27001:2013) is a specification for an information security management system
(ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls
involved in an organisation's information risk management processes with the aim of keeping information secure.
With ISO's robust information security management system (ISMS) in place, you gain the additional reassurance that a
full spectrum of security best practices are implemented across the organization.
Chargebee is ISO 27001:2013 certified and we're committed to identifying risks, assessing implications and putting in
place systemised controls that inspire trust in everything that we do - right from our codebase to physical
infrastructure to people practices.
The General Data Protection Regulation (GDPR) is a European privacy law. The GDPR replaces the EU Data Protection
Directive, also known as Directive 95/46/EC, and is intended to harmonize data protection laws throughout the European
Union (EU) by applying a single data protection law that is binding throughout each member state.
Our GDPR Commitment
The core of Chargebee's internal operations underpins protecting the personal data of our customers. We only collect
and store information that is necessary to offer our service, and we do this with the consent of our customers. Adding
to this, our approach towards privacy, security, and data protection align with the goals of GDPR.
Along with a highly secure and robust system architecture, we have a variety of security measures in place to prevent
unauthorized access and processing of personal data. We continuously work with privacy specialists / partners around
the globe to assess and implement any new regulatory requirements which are rolled-out.
How are we compliant?
GDPR clearly defines rights for data subjects around aspects such as access, portability, rectification, and erasure
of their personal data. Gaining explicit consent from data subjects for processing their personal data is also a key
provision of the regulation.
Further, we have implemented the SCCs released by the EU Commission to process any Personal data originating from
Switzerland, the United Kingdom, and/or the European Economic Area (EEA) in a country that has not been designated by
the European Commission as providing an adequate level of protection for Personal Data. Contact [email@example.com] for a copy of the personal data that we (as data controllers) process.
Following are ways in which Chargebee is meeting GDPR requirements:
We collect the minimum information necessary for the provision of our service. Every data field processed
by Chargebee Receivables (such as your name, email address, invoice details of your customers) is strictly
for the purpose of providing the service.
We do not process any special categories (as per Article 9 of GDPR) of personal data. We have signed
contractual agreements and DPA with companies to store and process your personal data and that of your
customers. You can find the list of these sub-processors
Chargebee only keeps the data of you and your customers for as long as needed for the provision of
Chargebee erases all your personal information within a period of 120 days after your account with us has
been canceled. Your Chargebee Receivables site along with all the information of your customers stored
with us is also deleted. The only information retained is that which is necessary from a compliance or
legal standpoint. This includes invoices, subscription information, and audit logs.
Right to Portability:
The Import and Export feature allows you the right to portability of all the information that we process
on your behalf.
Governance, Risk and Compliance (GRC) and Privacy:
We have a dedicated team working on various GRC and Privacy initiatives and the team is responsible for managing the
organization's overall governance, enterprise risk management, compliance and Data privacy regulations. The objective
of the GRC and Privacy team is to enable a structured approach to aligning IT with business objectives, while
effectively managing risk and meeting compliance & data privacy requirements.
We perform periodic internal audits in line with the regulatory and compliance requirements and the identified
findings are tracked to closure, if any.
We have rolled out an Enterprise Risk Management (ERM)program, which is a continuous enterprise-wide process that
helps Chargebee in identifying, controlling and mitigating risks. This also helps in achieving our operational
objectives. The Information Security System of Chargebee is built and operated on the basis of risk perceived by
Physical and Network security
Chargebee Receivables uses Microsoft Azure platform and infrastructure. Chargebee employees do not have any physical
access to our production environment.
Here are more details about the security setup of Microsoft Azure.
security setup of Azure.
Cloud security is the highest priority at Microsoft. As an Microsoft customer, we are benefitted from a data center
and network architecture built to meet the requirements of the most securitysensitive organizations.
“Microsoft has many years of experience in designing, constructing, and operating large-scale data centers. This
experience has been applied to the Azure platform and infrastructure. Azure data centers are housed in nondescript
facilities, with military grade perimeter control berms. Physical access is strictly controlled both at the perimeter,
at building and at floor level ingress points by professional security staff utilizing video surveillance, state of
the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication
no fewer than three times to access data center floors. All visitors and contractors are required to present
identification and are signed in. They are also continually escorted by authorized staff.”
In addition to physical security, being on Azure platform also provides us significant protection against traditional
network security issues on the infrastructure including,
- Distributed Denial Of Service (DDoS) Attacks
- Man In the Middle (MITM) Attacks
- Port Scanning
- Packet sniffing by other tenants
Chargebee obtains the SOC 2 report from Azure for the services rendered by them and validates the same for
the effectiveness of the opinion of the third party auditor.
We at Chargebee, use two-factor authentication to grant access for our administrative operations for our
infrastructure. Administrative privileges are restricted to very few employees. Additionally, role based access
controls are used to ensure only required operations are allowed for specific users.
Any administrative access is automatically logged into our internal system. Detailed information on when/why the
operations are carried out are documented before performing any changes in the production environment.
SSH keys are required to gain console access to our servers and each login is identified by a user. All critical
operations are logged to a central log server and our servers can be accessed only from restricted and secure IPs.
Access to Audit trails and logs are restricted to authorized personnel based on roles and responsibilities.
Segregation of duties is implemented to restrict the system administrators from accessing and modifying log files.
Security measures are implemented to secure the audit log files from unauthorized / unintentional modifications
through Azure IAM Policy
Hosts are segmented and accesses are restricted based on functionality. That is, application requests are allowed only
from Azure Application Gateway and database servers can be accessed only from application servers.
Chargebee Receivables application servers can be accessed only via HTTPS. We use industry standard encryption
for data traversing to and from the application servers.
All user input is properly encoded when displayed to ensure XSS vulnerabilities are mitigated.
All POST requests are checked for CSRF token before processing the request.
We use prepared statements for database access to avoid SQL Injection attacks.
Encrypted Data Storage
We do not store sensitive card details on any Chargebee network. The keys for various third party services
(like payment gateway) are stored in our database in encrypted form.
Chargebee Receivables application currently supports Google sign on that performs the authentication and sends the data to the service provider along with the user's access rights for the service.
Role based access and Custom roles:
Role based access can be granted for the users in your Chargebee Receivables site. User roles are assigned by
sending an invite. Roles need to be specified to the new user before sending an invite to define the kind of
access. Chargebee Receivables application has predefined user roles available. In addition, custom roles can
also be created to grant one or more privileges that allow users to perform specific tasks as required.
Vulnerability Scanning & Patching
We periodically check and apply patches for third-party software/services. As and when vulnerabilities are discovered
we apply the fixes. We do periodic vulnerability scanning using the services of an independent third party vendor.
Chargebee performs the VAPT assessment on a quarterly basis.
In addition, we also have an inhouse security team who performs Vulnerability scans on a monthly basis.
Data Storage & Redundancy
We use Microsoft Azure and MongodbAtlas for our database. The automated backup feature is configured for Azure and
Mongodb . We backup data for upto 30 days. We have configured Azure in Multi-AZ which provides enhanced availability
and durability. Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be
Chargebee has developed a formal Business Continuity Plan (BCP) to minimise disruption to critical services in times
of crisis and to maintain a higher degree of resilience. Business Impact analysis is performed to identify critical
operations, processes and facilities. Crisis roles and responsibilities are defined as part of the BCP. The BCP and DR
plan of Chargebee are reviewed and audited as part of ISO 27001 standards and SOC 2 Type II covering availability as
one of the trust service criteria.
We use both internal and multiple external monitoring services to monitor Chargebee Receivables. Our monitoring system
will alert the Operations & Security Team through emails and phone calls if there are any errors or abnormalities in
the request pattern.
We are working continuously to make our system secure. If you find any security issue, please send it to
firstname.lastname@example.org. We will make sure the issue is fixed and updated at the earliest.
We take security as our highest priority.
Responsible Disclosure Policy
Responsible Disclosure Policy