Consent and transparency have long inherited the margins of organizations' pursuit of customer information. And the EU's General Data Protection Regulation (GDPR) was a much-needed push to bring them to the center.
With the regulations that came into action in May 2018, it handed EU customers the power to control their personal information that businesses store and handle, without tradeoffs.
Our GDPR Commitment
The core of Chargebee's internal operations underpins protecting the personal data of our customers. We only collect and store information that is necessary to offer our service, and we do this with the consent of our customers. Adding to this, our approach towards privacy, security, and data protection align with the goals of GDPR.
Along with a highly secure and robust system architecture, we have a variety of security measures in place to prevent unauthorized access and processing of personal data. To know more about our technical and organizational security measures, check out our security page.
By setting up an internal compliance team (with functional heads) who worked with an external specialist from a global audit firm, our requirements were assessed and the required changes were rolled out.
Here's an overview of what has been done:
Our GDPR Compliance Roadmap
- Create and sustain awareness within the company regarding the Privacy by Default and Privacy by Design principles that need to be kept in mind for ongoing development — Completed
- Bring together the product, marketing, compliance, and security team heads to oversee Chargebee's GDPR compliance initiatives — Completed
- Analyze all the areas of the product that GDPR would have an effect on — Completed
- Create a data retention policy and have an automated process in place to adhere to the same — Completed
- Release features that would enable our customers to be GDPR compliant — Completed
- Reach out to all our third-party vendors to make sure they are GDPR-ready — Completed
Chargebee as a Data Controller
Chargebee recognizes its responsibilities as a data controller towards its customers. Detailed out below are all the steps we have taken towards fulfilling all legal obligations under GDPR, as a data controller.
Data Categorization and Analysis
- We have carried out a detailed data mapping exercise to track the flow of personal data through our systems.
- We have established and are maintaining a clean data repository that is constantly updated. This gives us control over the data flowing through our systems, with clear processes for handling, securing, and storing this data.
- We have established an automated data retention mechanism. This is how our data retention process works when a customer closes their account with us:
- We will clear the customer's Personally Identifiable Information (PII), and all end-user data from our databases, within a period of 120 days.
- This includes deleting the customer's website and all their end-user information from our systems.
- The only data retained by us will be that which is needed from a compliance and legal standpoint, like invoices, subscription information, audit logs, etc.
- This is a conscious effort on our part to avoid storing and processing any customer data beyond the necessary period.
- We will also automatically delete stand-alone test sites that remain inactive for a period of 6 months.
- We have a data processing addendum for our customers, that incorporates our GDPR principles. Please reach out to our support team ([email protected]) if you require a signed copy of the same.
Feature Development and GDPR Principles
- We have an active process in place that guarantees all our features meet the standards of GDPR. Our product and engineering teams takes into account Privacy by Design and Privacy by Default while designing features and pushing them to production.
Note: We will continue to update this section with our latest information and findings.
What We're Doing as a Data Processor
In whatever we do, we ensure that we go the extra mile to make our customers' lives easier. And our GDPR compliance efforts are no exception.
In addition to making Chargebee GDPR compliant, we wanted to help our customers (or merchants) leverage Chargebee to become GDPR compliant as well, without having to break a sweat.
Here are some actions we undertook to do just that:
- Connecting both the merchant and the end-user, we allow merchants to collect, record, and withdraw consent, directly from the checkout pages and customer portal.
- We have charted out a plan that will help merchants handle their customers' PII data when a customer cancels their subscription with the merchant. This allows merchants to clear PII data while still ensuring that numbers are not affected in the aggregate reporting of data. This is available in the app and as an API.
- Our self-serve portal is now fully configurable— it enables merchants to give their end-users the option to view, update, edit or clear any personal information they have shared with them.
While this is only the first step towards our commitment to help you handle the requirements of data privacy and protection, we are continuing to explore other features in the context of GDPR and data security. We encourage you to reach out to us at [email protected] if you have any feature requests, and we are happy to discuss its feasibility.