Data privacy and security is fundamental to ChargeDesk's operation. We know that keeping your customer's data private and secure is a vital part of our service to you and your customers.
"We believe the GDPR is a significant step forward for personal data protection.
The General Data Protection Regulation ("GDPR") is a new European privacy regulation which will replace the current EU Data Protection Directive ("Directive 95/46/EC"). The GDPR aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. It becomes enforceable on May 25, 2018.
We believe the GDPR is a significant step forward for personal data protection. Wherever possible, we intend apply these protections to all personal data processed by our service, not just for customers from the EU. ChargeDesk can help facilitate your company's GDPR compliance by giving your customers access to view and edit some of the personal billing data you store for them.
This document details the steps ChargeDesk has taken to become GDPR compliant and our relationship to your company with respect to the GDPR.
As a ChargeDesk customer, you will typically act as a data Controller for any Personal Data made available to ChargeDesk through use of our Service. The data Controller determines the purposes and means of processing personal data, while the data Processor processes data on behalf of the data Controller.
Personal Data in the context of the GDPR is quite broad and can be include anything which can identify a customer such as their name, email address, postal address, truncated credit card number, username and in some cases even their IP address.
ChargeDesk, as the data Processor, will process Personal Data on your behalf in connection with your use of our Service. If any of your customers are located in the European Economic Area (EEA), your use of ChargeDesk will most likely involve transferring some of their Personal Data to our Service.
We use a third party enterprise-class web application firewall to restrict access to our services. We have also internally developed a highly advanced Reputation Management System which would rival most banks. This system monitors access points to your customer’s data and automatically blocks any threats it identifies. We use a ‘block first, ask questions later’ approach and all subsequent requests by a potential threat will also be blocked - only a manual review by our support team will lift a block.
All communication with our service is performed through a secure connection. We do not provide any non-SSL endpoints. We support the most modern ciphers and important recent innovations such as Forward Secrecy and Strict Transport Security. Data encryption is applied wherever possible which means that even in transit between our servers, your data is kept encrypted. You can find an independent, live, review of our SSL security here: https://www.ssllabs.com/ssltest/analyze.html?d=chargedesk.com
All our servers are firewalled and kept updated with the latest security patches. All security keys and passwords stored by our application on your behalf are kept encrypted at rest.
Further information about is available about our security.
All data imported by ChargeDesk is processed and stored in the United States.
ChargeDesk is already bound by the Australian Privacy Act 1988 which shares many common features with the GDPR, although there are a number of differences. We have internally audited these difference and where applicable made changes to comply with the GDPR.
As ChargeDesk performs processing inside the United States, use of our service may involve exporting your Customer Personal Data outside of the European Economic Area (EEA). In such a case, you should consider using our new Data Processing Agreement. This agreement contractually gives your customer personal data the same protections as if the data was being processed inside of the EEA and complies with the GDPR personal data export requirements.
The changes ChargeDesk has made allow us to comply with these requirements. We now automatically delete all Personal Data once a company is no longer using our service. This includes all reasons for deactivation, such as an expired trial, cancelled account or any other kind of suspension.
We have also added a tool which allows companies using our service to immediately delete all personal data associated with an individual customer. This allows you to comply with withdrawn consent. If ChargeDesk receives a request for data deletion directly (withdrawn consent or processing objection) we will forward this onto you to action as required by the GDPR. You may also need to delete the customer's personal data from other services connected with ChargeDesk which you control. You can access this new tool, but going to a customer record in our web interface, clicking the "Edit Customer" button, then clicking the "Delete" button at the bottom of the page.
We also offer machine readable (CSV) downloads of all data in your account. You can access these downloads by navigating to the Charges, Customers or Products page on your account, expanding the "There are xx charges/customers/products on record." section and clicking the Download CSV button.
Finally, we've added the option for your customers to download their own billing records stored on ChargeDesk through our billing history pages. You can now enable a "Download CSV" on billing history pages which your customers can use to download these records in a machine readable format. You can enable this in your account from Setup > Customer Self-Support > Set "Download CSV" to "Enabled" under Billing History.
Any changes to the sub-processors engaged by ChargeDesk will be notified by an update to this page, located at https://chargedesk.com/docs/GDPR/subprocessors. You may also email firstname.lastname@example.org and request to be notified directly when this list changes.
The following is an up-to-date list (as of 20 April 2018) of the names and locations of ChargeDesk sub-processors:
|Sub-processor||Purpose||Location of Sub-processor||Website|
|Amazon Web Services, Inc||Data hosting||United States||https://aws.amazon.com/|
|Rackspace US, Inc||Data hosting||United States||https://www.rackspace.com/|
|Cloudflare, Inc||Data transmission and security||United States||https://www.cloudflare.com/|
|Mailgun Technologies, Inc||Email delivery||United States||https://www.mailgun.com/|
|Twilio, Inc||Text message delivery||United States||https://www.twilio.com/|
In using ChargeDesk you are also likely to connect one or more payment gateways and helpdesks to our Service. These are third party data processors engaged by you. Your use of the ChargeDesk Service may or may not result in Personal Data being transmitted between ChargeDesk and these processors. You may email email@example.com to confirm what, if any Personal Data will be transmitted to these processors. In the case that Personal Data is transmitted, you should ensure that you have a suitable Data Processing Agreement in place with these processors before connecting them to ChargeDesk.
We have made available a pre-signed copy of our Data Processing Agreement.
Please complete the first page of this Agreement. This signed agreement must be submitted to firstname.lastname@example.org. Upon receipt of the validly completed DPA by ChargeDesk at this email address, this DPA will become legally binding.
You may also mail your query to;
ChargeDesk Pty Ltd
2 Celosia Place
Sydney, NSW 2232