EU General Data Protection Regulation

Richard Haynes

13 Feb, 2018 08:33 AM

Hello,

I would like to understand if Cheddar is able to confirm compliance with the upcoming General Data Protection Regulations in the EU (https://en.wikipedia.org/wiki/General_Data_Protection_Regulation). We can handle the consent side of things, but under our existing solution we provide customer data (name, email, credit card details, address etc.) to Cheddar, who would likely then need to comply with the GDPR. The main parts are below; perhaps you could comment on these:

Pseudonymisation / Encryption of personal data
Notification of data breaches
Right of access (I think this is pretty straightforward and already embedded in Cheddargetter, but is there any data collected that customers don't have access to?)
Right to erasure
Data portability
Data protection by Design and by Default
Records of processing activities

I should note, we're an Australian business, but we have a growing customer base in Europe, hence the interest in this.

Thanks in advance!

Rich

  1. Support Staff 1 Posted by Meghan Turner on 15 Feb, 2018 06:54 PM

    Hi Richard,

    The GDPR has been on our radar for a while now! We're in the process of evaluating what we'll need to do to make sure we're compliant with the regulations outlined for data processors, but as an organization that's already PCI compliant, we've got quite a bit of it covered already. I'll address your questions point by point, but first I want to outline how data is stored by Cheddar and how we work with the gateway provider you've selected to process payments on your behalf, so you understand how your customer data is stored and processed.

    When you create a customer in Cheddar, Cheddar stores their customer and subscription information (like name, email, billing address, pricing plan, etc.). While Cheddar does store some information related to the customer's credit card, like expiration date, card type, and last 4 digits of the card number, Cheddar passes along the full credit card number to your payment gateway provider (in your case, Eway, Stripe, and PayPal). The gateway stores the full credit card number and runs transactions for you; Cheddar just tells it when those transactions should run and the amount that should be charged. So you'll want to check in with your gateway provider as well to ensure that they're prepared for GDPR.

    The customer information that is stored by Cheddar is stored on secure servers that are hosted by a company called Armor. Armor is a secure cloud hosting provider with infrastructure that's built specifically to handle highly regulated information like the personally identifiable information that is outlined in the GDPR (you can find more information about them here https://www.armor.com/armor-complete-secure-hosting/).

    To address your questions point by point:

    Pseudonymisation / Encryption of personal data

    Yes, we're up to date on SSL best practices and PCI compliance requirements regarding SSL. We support the most recent version of TLS (1.2).

    Notification of data breaches

    Should a data breach occur, you'll be notified via email as soon as possible and we'll give you as much detail about the breach as we have available. As the data controller, you'll then be obligated to inform your customers.

    Right of access (I think this is pretty straightforward and already embedded in Cheddargetter, but is there any data collected that customers don't have access to?)

    You have access to all of the customer and pricing data stored by Cheddar on your behalf via the Cheddar user interface and the API.

    Right to erasure

    We have functionality in place that will allow you to permanently delete your customer information from Cheddar (check out the Edit Profile page of customer profiles in the Cheddar UI to see where to do this). You can also request that Cheddar deletes your personal information from the platform if you decide to cancel your Cheddar product.

    Data portability

    All of the customer and pricing information you've saved in Cheddar can be exported free of charge. You can get this data via the API or the Cheddar user interface.

    You'll want to check in with your gateway provider about their data portability standards as well, since they're storing your customers' payment information.

    Data protection by Design and by Default

    As a billing platform, security and data protection are among our highest priorities. As I mentioned before, we're already aligned with current PCI standards, we utilize a secure cloud hosting provider that's built to handle sensitive information, and we use the most recent version of TLS.

    Records of processing activities

    Much of the information relating to this particular article can be found in our existing Terms and Conditions and Privacy Policy.

    I hope I've been able to adequately address your questions. Our evaluation process for GDPR is ongoing, so it's possible that we may still need to update our policies or documentation. We anticipate that we'll communicate with all of our customers further about the GDPR in coming months, but if you have any other questions in the meantime, please let me know!

    Meghan

  2. 2 Posted by Richard Haynes on 19 Feb, 2018 04:57 AM

    Hi Meghan,

    Thanks for your reply. It's reassuring that you're across this. I was a little surprised that specific reference to GDPR in the knowledge base, so thought I'd post; great to hear you're across it. I've opened similar conversations with the payment processors also.

    Regarding Pseudonymisation / Encryption of personal data: SSL will protect the data in transit, but what about at rest? Is the data encrypted in the database and/or on the drive?

    Thanks in advance,

    Rich

  3. Support Staff 3 Posted by Meghan Turner on 21 Feb, 2018 12:01 AM

    Hey Richard,

    Our database is in a protected environment that complies with current PCI standards for encryption, but we're evaluating whether that level of data protection will also be considered compliant with the GDPR. We'll report back if we decide to make any updates!

    Meghan

  4. Meghan Turner closed this discussion on 26 Jul, 2018 05:36 PM.
