Consent and transparency have long sat at the margins of how organizations collect customer information. The EU's General Data Protection Regulation (GDPR) is a much-needed push to bring them to the center.
With the regulation coming into force on 25 May 2018, it gives EU customers control over the personal information that businesses store and handle, without tradeoffs.
Our GDPR Commitment
Protecting our customers' personal data is at the core of Chargebee's internal operations. We only collect and store the information necessary to offer our service, and we do so with the consent of our customers. Beyond that, our approach to privacy, security, and data protection aligns with the goals of GDPR.
Along with a highly secure and robust system architecture, we have a variety of security measures in place to prevent unauthorized access and processing of personal data. To know more about our technical and organizational security measures, check out our security page.
We are committed to being fully GDPR-compliant by 25th May 2018. To accomplish this, we've set up an internal compliance team (with functional heads) that has been working with an external specialist, to assess our requirements and roll out the required changes.
Here’s an overview of what has been done and is being done:
Our GDPR Compliance Roadmap
- Create and sustain awareness within the company regarding the Privacy by Default and Privacy by Design principles that need to be kept in mind for ongoing development — Completed
- Bring together the product, marketing, compliance, and security team heads to oversee Chargebee’s GDPR compliance initiatives — Completed
- Analyze all the areas of the product that GDPR would have an effect on — Completed
- Create a data retention policy and have an automated process in place to adhere to the same — Completed
- Release features that would enable our customers to be GDPR compliant — In Progress
- Reach out to all our third-party vendors to make sure they are GDPR-ready — Completed
Chargebee as a Data Controller
Chargebee recognizes its responsibilities as a data controller towards its customers. Detailed below are the steps we are taking to fulfill our legal obligations under GDPR as a data controller.
Data Categorization and Analysis
- We have carried out a detailed data mapping exercise to track the flow of personal data through our systems.
- We have established and maintain a clean data repository that is continuously updated. This gives us control over the data flowing through our systems, with clear processes for handling, securing, and storing it.
- The next step we took was to establish an automated data retention mechanism. This is how our data retention process works when a customer closes their account with us:
  - We clear the customer's Personally Identifiable Information (PII) and all end-user data from our databases within 120 days.
  - This includes deleting the customer's site and all of their end-user information from our systems.
  - The only data we retain is what is needed from a compliance and legal standpoint, such as invoices, subscription information, and audit logs.
  - This is a conscious effort on our part to avoid storing and processing customer data beyond the necessary period.
- We also automatically delete stand-alone test sites that remain inactive for 6 months.
- We have a data processing addendum for our customers that incorporates our GDPR principles. Please reach out to our support team (email@example.com) if you require a signed copy.
- From 25 May 2018 we will actively collect consent from our customers wherever it applies, especially for any marketing communication we send them.
- So that customers can withdraw consent at any time, we are putting in place an easy process for them to give consent during sign-up and to manage their consent settings within the app. We want our customers to have complete control over whether they receive communication from us, and what they receive.
Feature Development and GDPR Principles
- We have an active process in place to ensure that all our features meet the standards of GDPR. Our product and engineering teams apply Privacy by Design and Privacy by Default when designing features and pushing them to production.
Note: We will continue to update this section with our latest information and findings.
What We're Doing as a Data Processor
In whatever we do, we ensure that we go the extra mile to make our customers' lives easier. And our GDPR compliance efforts are no exception.
In addition to making Chargebee GDPR compliant, we want to help our customers (or merchants) leverage Chargebee to become GDPR compliant as well, without having to break a sweat.
Here are some actions we've been undertaking to do just that:
- Because Chargebee sits between the merchant and the end user, we are working on ways for merchants to collect, record, and withdraw consent directly from checkout pages and the customer portal.
- We are charting out a plan to help merchants handle their customers' PII when a customer cancels their subscription with the merchant. It lets merchants clear PII while keeping aggregate reporting intact, because the records that reports are built from are retained under a stable identifier rather than deleted. This will be available in the app and through the API.
- Our self-serve customer portal is now fully configurable: merchants can give their end users the option to view, update, edit, or clear any personal information they have shared with them.
- We are also exploring other features in the context of GDPR and data security, and will provide updates soon.
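The controller-side retention process described earlier (PII and end-user data cleared within 120 days of account closure while invoices, subscriptions and audit logs are kept; idle test sites deleted after 6 months) and the merchant-side plan above (erase a cancelled customer's PII without disturbing aggregate reporting) rely on the same mechanism: blank the identifying fields, keep the stable key that financial records join on, and gate deletion on elapsed time. The following Python is an added illustration written for this page, not Chargebee's own code or API; the data model, the field names treated as PII, the 30-day merchant-side grace period and the reading of "6 months" as 183 days are assumptions.

```python
# Added example for this page, not Chargebee's code. Assumptions: this data model,
# the PII_FIELDS list, the 30-day merchant grace period, and "6 months" = 183 days.
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

CLOSED_ACCOUNT_PII_TTL = timedelta(days=120)    # page: PII cleared within 120 days of closure
TEST_SITE_INACTIVITY_TTL = timedelta(days=183)  # page: "6 months"; 183 days is an assumption
PII_FIELDS = ("name", "email", "phone", "address")  # assumed PII columns


@dataclass(frozen=True)
class EndCustomer:
    customer_id: str            # stable pseudonymous key; never erased, ledgers join on it
    name: Optional[str]
    email: Optional[str]
    phone: Optional[str]
    address: Optional[str]
    cancelled_at: Optional[datetime] = None


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    customer_id: str
    amount_cents: int
    issued_at: datetime


@dataclass(frozen=True)
class Site:
    site_id: str
    is_test: bool
    closed_at: Optional[datetime] = None
    last_activity_at: Optional[datetime] = None


def erase_pii(customer: EndCustomer) -> EndCustomer:
    """Blank every PII field but keep customer_id, so invoices, subscriptions
    and audit logs still join and aggregate exactly as before."""
    return replace(customer, **{field: None for field in PII_FIELDS})


def erase_cancelled_customers(customers: List[EndCustomer], now: datetime,
                              grace: timedelta) -> List[EndCustomer]:
    """Merchant-side erasure: scrub customers whose cancellation is older than
    `grace`. Invoices are left untouched (financial/legal retention)."""
    return [erase_pii(c) if c.cancelled_at is not None and now - c.cancelled_at >= grace else c
            for c in customers]


def revenue_per_customer(invoices: List[Invoice]) -> Dict[str, int]:
    """Aggregate report keyed only by customer_id; unaffected by PII erasure."""
    totals: Dict[str, int] = {}
    for inv in invoices:
        totals[inv.customer_id] = totals.get(inv.customer_id, 0) + inv.amount_cents
    return totals


def retention_action(site: Site, now: datetime) -> str:
    """Controller-side rule: closed accounts lose PII and end-user data after
    120 days (invoices, subscriptions, audit logs are kept); idle test sites
    are deleted outright after 6 months; everything else is retained."""
    if site.closed_at is not None and now - site.closed_at >= CLOSED_ACCOUNT_PII_TTL:
        return "purge_pii_and_end_user_data"
    if (site.is_test and site.last_activity_at is not None
            and now - site.last_activity_at >= TEST_SITE_INACTIVITY_TTL):
        return "delete_test_site"
    return "retain"


def retention_sweep(sites: List[Site], now: datetime) -> Dict[str, str]:
    return {s.site_id: retention_action(s, now) for s in sites}


# Constructed sample data (not real customers); the sweep runs as of NOW.
NOW = datetime(2018, 9, 1, tzinfo=timezone.utc)
SAMPLE_CUSTOMERS = [
    EndCustomer("c_100", "Alice", "alice@example.com", "+10000", "1 Main St",
                cancelled_at=datetime(2018, 5, 1, tzinfo=timezone.utc)),   # 123 days ago
    EndCustomer("c_200", "Bob", "bob@example.com", "+20000", "2 Side St"),  # still active
    EndCustomer("c_300", "Carol", "carol@example.com", "+30000", "3 Back St",
                cancelled_at=datetime(2018, 8, 20, tzinfo=timezone.utc)),  # 12 days ago
]
SAMPLE_INVOICES = [
    Invoice("inv_1", "c_100", 4999, datetime(2018, 3, 1, tzinfo=timezone.utc)),
    Invoice("inv_2", "c_100", 4999, datetime(2018, 4, 1, tzinfo=timezone.utc)),
    Invoice("inv_3", "c_200", 1999, datetime(2018, 8, 1, tzinfo=timezone.utc)),
    Invoice("inv_4", "c_300", 500, datetime(2018, 8, 1, tzinfo=timezone.utc)),
]
SAMPLE_SITES = [
    Site("site_live_closed", False, closed_at=datetime(2018, 4, 1, tzinfo=timezone.utc)),
    Site("site_live_recent", False, closed_at=datetime(2018, 8, 1, tzinfo=timezone.utc)),
    Site("site_test_stale", True, last_activity_at=datetime(2018, 1, 15, tzinfo=timezone.utc)),
    Site("site_test_active", True, last_activity_at=datetime(2018, 8, 15, tzinfo=timezone.utc)),
]


def demo() -> dict:
    before = revenue_per_customer(SAMPLE_INVOICES)
    customers = erase_cancelled_customers(SAMPLE_CUSTOMERS, NOW, grace=timedelta(days=30))
    after = revenue_per_customer(SAMPLE_INVOICES)   # same ledger, now joined to scrubbed rows
    return {"revenue_before": before, "revenue_after": after,
            "customers": customers, "sites": retention_sweep(SAMPLE_SITES, NOW)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the block scrubs only the customer whose cancellation is past the grace period, leaves the per-customer revenue totals identical before and after, and classifies the closed live site and the stale test site for purge and deletion respectively. The design point is that erasure is a field-level overwrite keyed by a stable identifier, never a row delete on the ledger, which is what lets the legally retained records survive while the identifying data does not.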
This is only the first step in our commitment to help you handle the requirements of data privacy and protection. We encourage you to reach out to us at firstname.lastname@example.org if you have any feature requests, and we will be happy to discuss their feasibility.