Security and Compliance
at Chargebee

Why data security is critical for your Subscription Management Platform?

Your subscription and billing engine ties your product, customers, and payments together. With critical information about your business processes and revenue flowing through, the security of the billing-payments system needs to be water-tight.

Your subscription management platform collects sensitive payment information and frequently collects personal information as well, for instance, shipping addresses, phone numbers and so on. You owe your customers the promise that all of this data will be handled safely and securely and will never be shared without their consent.

The Chargebee Promise

At Chargebee, we take data integrity and security very seriously. Due to the nature of the product and service we provide, it is important that we acknowledge our responsibilities both as data controller as well as a data processor. We store and process your data and that of your customers with care and help you be compliant so that you can continue to build trust while enhancing customer experiences.

We help you assure your customers that their payment information and billing data are and will always be secure. The promise of security stems from the very system that handles all payment, billing, subscription, and customer data and is an essential part of our product, processes, and team culture.

Our facilities, processes and systems are reliable, robust and third-party tested. We continuously look for opportunities to make improvements and give you a highly secure, scalable system to provide a great subscription and billing experience to your customers.

Chargebee lets you deliver a secure subscription experience at different levels by,

  • Securing your customers' payment and personal information: compliance to PCI and GDPR.

  • Ensuring Internal Data security of your data that rests with Chargebee: adherence to ISO, SOC 1 & SOC 2, and MFA standards.

  • Network Security within Chargebee: Network, application and operational level security policies that we follow.

PCI DSS Compliance

Chargebee is a PCI-DSS Level 1 Service Provider.

Security continues to be a hot-button topic thanks to the seemingly endless breaches and leaked card details that hit news feed with increasing frequency. Chargebee is committed to ensuring that your customers' payment information is constantly protected and they have a superior subscription experience. This standard is reflected in the people, technologies, and processes we employ.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.

Chargebee ensures that your customers' sensitive card information is encrypted and handled in a safe and secure manner. With annual audits and PCI-DSS Level 1 certification, Chargebee protects sensitive data.

To read more about the PCI responsibility matrix covering Chargebee and its merchants, please click here.

SOC 1 and SOC 2 attestation

When you trust us to handle key business operations such as billing, invoicing and subscription management, you gain assurance that we value and protect the interests of your organization and the privacy of your customers.

The SOC attestation ensures that SaaS service providers such as Chargebee securely manage your data to protect the interests of your organization and the privacy of its clients. SOC for Service Organizations are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service.

Chargebee's SOC compliance is useful for businesses that require internal control over financial reporting, and need to showcase vendors who have deployed internal controls during audits.

The purpose of these reports is to help you and your auditors understand the Chargebee controls established to support operations and compliance. There are two SOC Reports of Chargebee that you can get on-demand:

  • Chargebee SOC 1 type II report
  • Chargebee SOC 2 type II report

For more details around our SOC 1 and SOC 2 attestation, you can reach out to support@chargebee.com

ISO 27001 certification

ISO 27001 (formally known as ISO/IEC 27001:2013) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes with the aim of keeping information secure.

With ISO's robust information security management system (ISMS) in place, you gain the additional reassurance that a full spectrum of security best practices are implemented across the organization.

Chargebee is ISO 27001:2013 certified and we're committed to identifying risks, assessing implications and putting in place systemised controls that inspire trust in everything that we do - right from our codebase to physical infrastructure to people practices.

Consensus Assessment Initiative Questionnaire (CAIQ)

Cloud Security Alliance is a not-for-profit organization with the mission to “promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing. The Consensus Assessments Initiative Questionnaire(CAIQ) is submitted by the cloud providers to document compliance with the Cloud Controls Matrix (CCM) and helps cloud service customers to assess the security capabilities and practices of a cloud service provider.

Chargebee has completed a comprehensive self-assessment for our services, following industry best practices. Download our CSA STAR Self-Assessment from the official CSA STAR Registry for detailed insights into our security measures.

GDPR

The General Data Protection Regulation (GDPR) is a European privacy law which became enforceable on May 25, 2018. The GDPR replaces the EU Data Protection Directive, also known as Directive 95/46/EC, and is intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each member state.

Our GDPR Commitment

The core of Chargebee's internal operations underpins protecting the personal data of our customers. We only collect and store information that is necessary to offer our service, and we do this with the consent of our customers. Adding to this, our approach towards privacy, security, and data protection align with the goals of GDPR.

Along with a highly secure and robust system architecture, we have a variety of security measures in place to prevent unauthorized access and processing of personal data. We continuously work with privacy specialists / partners around the globe to assess and implement any new regulatory requirements which are rolled-out.

How are we compliant?

GDPR clearly defines rights for data subjects around aspects such as access, portability, rectification, and erasure of their personal data. Gaining explicit consent from data subjects for processing their personal data is also a key provision of the regulation.

Further, we have implemented the SCCs released by the EU Commission to process any Personal data originating from Switzerland, the United Kingdom, and/or the European Economic Area (EEA) in a country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data. Contact [support@chargebee.com] for a copy of the personal data that we (as data controllers) process.

Following are ways in which Chargebee is meeting GDPR requirements:

  • Data minimisation:
    • Chargebee only collects the minimum information necessary for the provision of our service. Every data field processed by Chargebee (such as your name, email address, emergency contact details, billing address, and payment method) is strictly for the purpose of providing the service.
    • We do not process any special categories (as per Article 9 of GDPR) of personal data. We have signed contractual agreements and DPA with companies to store and process your personal data and that of your customers. You can find the list of these sub-processors here .
  • Data Storage:
    • Chargebee helps you stay up-to-date with the ever-changing compliance and security rules. We have data centers in Europe that helps us deliver on our GDPR compliance promise. So, you can confidently keep up your security and compliance promises.
  • Data retention:
    • Chargebee only keeps the data of you and your customers for as long as needed for the provision of service.
    • Chargebee erases all your personal information 120 days after your account with us has been canceled. Your Chargebee website along with all the information of your customers stored with us is also deleted. The only information retained is that which is necessary from a compliance or legal standpoint. This includes invoices, subscription information, and audit logs.

HIPAA Compliance

Health Insurance Portability and Accountability Act (HIPAA) is made up of a set of regulatory standards governing the security, privacy, and integrity of sensitive healthcare data called protected health information (PHI).

Chargebee provides SAAS solutions which caters to various customers including Healthcare merchants and we enable our customers both covered entities and business associates to successfully meet HIPAA requirements. We have established necessary safeguards in the below domains to protect ePHI (electronic protected health information) that is collected, accessed, processed, and stored.

  • Administrative Safeguards
  • Documentation Requirements
  • Technical Safeguards
  • Breach Notification Rules
  • Organizational Requirements
  • General Requirements

Chargebee has been assessed by an independent third party vendor on it's internal control environment against Security Rule , Privacy Rule and Breach Notification Rule. For further information on Chargebee's HIPAA compliance, please reach out to privacy@chargebee.com

Chargebee's In-app GDPR features

As a data processor, Chargebee gives you various in-app features to manage how the personal data of your customers are retained or purged.

Consent Management

Chargebee's Consent Management feature gives you powerful ways to capture consent from your customers and manage collected consent information.

The platform also allows your customers to easily revoke consent whenever they wish.

Personal Data Management

Personal Data Management helps you align Chargebee's platform with your customer data retention policies.

This feature allows you to configure Chargebee to delete PII for customers who no longer use your services.

Right to Portability

The Import and Export feature allows you the right to portability of all the information that we process on your behalf.

Governance, Risk and Compliance (GRC) and Privacy:

We have a dedicated team working on various GRC and Privacy initiatives and the team is responsible for managing the organization's overall governance, enterprise risk management, compliance and Data privacy regulations. The objective of the GRC and Privacy team is to enable a structured approach to aligning IT with business objectives, while effectively managing risk and meeting compliance & data privacy requirements.

Internal audit

We perform periodic internal audits in line with the regulatory and compliance requirements and the identified findings are tracked to closure, if any.

Risk Assessment

We have rolled out an Enterprise Risk Management (ERM)program, which is a continuous enterprise-wide process that helps Chargebee in identifying, controlling and mitigating risks. This also helps in achieving our operational objectives. The Information Security System of Chargebee is built and operated on the basis of risk perceived by Chargebee.

Physical and Network security

Chargebee uses Amazon's AWS platform and infrastructure. Chargebee employees do not have any physical access to our production environment.

Here are more details about the security setup of AWS.

Cloud security is the highest priority at AWS. As an AWS customer, we are benefitted from a data center and network architecture built to meet the requirements of the most security-sensitive organizations.

"Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, with military grade perimeter control berms. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in. They are also continually escorted by authorized staff."

In addition to physical security, being on AWS platform also provides us significant protection against traditional network security issues on the infrastructure including,

  • Distributed Denial Of Service (DDoS) Attacks
  • Man In the Middle (MITM) Attacks
  • Port Scanning
  • Packet sniffing by other tenants

Chargebee obtains the SOC 1 and SOC 2 report from AWS for the services rendered by them and validates the same for the effectiveness of the opinion of the third party auditor.

Administrative Operations

We at Chargebee, use two-factor authentication to grant access for our administrative operations including both, infrastructure and Chargebee service. Administrative privileges are restricted to very few employees. Additionally, both application level roles and AWS roles are used to ensure only required operations are allowed for specific users.

Any administrative access is automatically logged and mailed to our internal security team. Detailed information on when/why the operations are carried out are documented and notified to the security team before performing any changes in the production environment.

Host Security

SSH keys are required to gain console access to our servers and each login is identified by a user. All critical operations are logged to a central log server and our servers can be accessed only from restricted and secure IPs.

Access to Audit trails and logs are restricted to authorized personnel based on roles and responsibilities. Segregation of duties is implemented to restrict the system administrators from accessing and modifying log files. Security measures are implemented to secure the audit log files from unauthorized / unintentional modifications through AWS IAM Policy.

Hosts are segmented and accesses are restricted based on functionality. That is, application requests are allowed only from AWS ELB and database servers can be accessed only from application servers.

Application Security

  • Secure Access

    Chargebee's application servers can be accessed only via HTTPS. We use industry standard encryption for data traversing to and from the application servers.

  • Two factor authentication

    Chargebee's customers are provided with a Two Factor Authentication feature which allows you to secure your Chargebee site with both a password and an additional code from the authenticator application.

  • SAML Single Sign-on

    Chargebee's application supports SAML 2.0 for Single Sign-On which will enable integration with authentication and authorization systems. This allows Enterprise organizations to manage the user access through their internal identity providers. Chargebee's application currently supports Okta, OneLogin and Azure AD Identity Providers that performs the authentication and sends the data to the service provider along with the user's access rights for the service.

  • XSS

    All user input is properly encoded when displayed to ensure XSS vulnerabilities are mitigated.

  • CSRF

    All POST requests are checked for CSRF token before processing the request.

  • SQL Injection

    We use prepared statements for database access to avoid SQL Injection attacks.

  • Encrypted Data Storage

    We do not store sensitive card details on any Chargebee network. The keys for various third party services (like payment gateway) are stored in our database in encrypted form.

  • Role based access and Custom roles:

    Role based access can be granted for the users in your Chargebee's site. User roles are assigned by sending an invite. Roles need to be specified to the new user before sending an invite to define the kind of access. Chargebee's application has predefined user roles available. In addition, custom roles can also be created to grant one or more privileges that allow users to perform specific tasks as required.

  • API and Webhooks:

    Chargebee provides API keys to allow your internal application to communicate with the Chargebee platform. Webhooks can be used for notifying the changes that happen in the customer's billing system related to subscriptions, plans, addons and coupons.

Vulnerability Scanning & Patching

We periodically check and apply patches for third-party software/services. As and when vulnerabilities are discovered we apply the fixes. We do periodic vulnerability scanning using the services of an authorized QSA.

Chargebee performs the VAPT assessment on a quarterly basis.

In addition, we also have an inhouse security team who performs Vulnerability scans on a monthly basis.

Data Storage & Redundancy

We use Amazon's RDS for our database. The automated backup feature is configured for RDS. We backup data for upto 30 days. We have configured Amazon RDS in Multi-AZ which provides enhanced availability and durability. Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. Know more.

​​Chargebee has developed a formal Business Continuity Plan (BCP) to minimise disruption to critical services in times of crisis and to maintain a higher degree of resilience. Business Impact analysis is performed to identify critical operations, processes and facilities. Crisis roles and responsibilities are defined as part of the BCP. The BCP and DR plan of Chargebee are reviewed and audited as part of ISO 27001 standards and SOC 2 Type II covering availability as one of the trust service criteria.

Monitoring

We use both internal and multiple external monitoring services to monitor Chargebee. Our monitoring system will alert the Operations & Security Team through emails and phone calls if there are any errors or abnormalities in the request pattern.

Disclosure

We are working continuously to make our system secure. If you find any security issue, please send it to security@chargebee.com. We will make sure the issue is fixed and updated at the earliest.

We take security as our highest priority.