It looks like you're using Google Chrome - try our powerful new extension! Find out more.
x

General Data Protection Regulation (GDPR)

Data privacy and security is fundamental to ChargeDesk's operation. We know that keeping your customer's data private and secure is a vital part of our service to you and your customers.

"We believe the GDPR is a significant step forward for personal data protection.

The General Data Protection Regulation ("GDPR") is a new European privacy regulation which will replace the current EU Data Protection Directive ("Directive 95/46/EC"). The GDPR aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. It becomes enforceable on May 25, 2018.

We believe the GDPR is a significant step forward for personal data protection. Wherever possible, we intend apply these protections to all personal data processed by our service, not just for customers from the EU. ChargeDesk can help facilitate your company's GDPR compliance by giving your customers access to view and edit some of the personal billing data you store for them.

This document details the steps ChargeDesk has taken to become GDPR compliant and our relationship to your company with respect to the GDPR.

ChargeDesk is a data Processor with respect to the GDPR and its relationship to your imported data.

As a ChargeDesk customer, you will typically act as a data Controller for any Personal Data made available to ChargeDesk through use of our Service. The data Controller determines the purposes and means of processing personal data, while the data Processor processes data on behalf of the data Controller.

Personal Data in the context of the GDPR is quite broad and can be include anything which can identify a customer such as their name, email address, postal address, truncated credit card number, username and in some cases even their IP address.

ChargeDesk, as the data Processor, will process Personal Data on your behalf in connection with your use of our Service. If any of your customers are located in the European Economic Area (EEA), your use of ChargeDesk will most likely involve transferring some of their Personal Data to our Service.

ChargeDesk has made a number of changes in readiness for the GDPR to come into effect.
  1. We have audited the Personal Data processed by ChargeDesk and determined how long it is retained.
  2. We have implemented automatic deletion of Customer Personal Data after 90 days from when any company account becomes inactive.
  3. We have added additional controls to our web app to allow Controllers to delete all data associated with individual customer records on request.
  4. We have added functionality which you may enable to allow your customers to download their billing records in a machine readable format.
  5. We have updated both our Terms of Service and Privacy Policy to better comply with the GDPR.
  6. We have made available a new Data Processing Agreement which should be used by Controllers of Personal Data from customers in the EU.
As ChargeDesk can process your customer's Personal Data, security is a core concern in all parts of our infrastructure. We've invested heavily into our security systems.

We use a third party enterprise-class web application firewall to restrict access to our services. We have also internally developed a highly advanced Reputation Management System which would rival most banks. This system monitors access points to your customer’s data and automatically blocks any threats it identifies. We use a ‘block first, ask questions later’ approach and all subsequent requests by a potential threat will also be blocked - only a manual review by our support team will lift a block.

All communication with our service is performed through a secure connection. We do not provide any non-SSL endpoints. We support the most modern ciphers and important recent innovations such as Forward Secrecy and Strict Transport Security. Data encryption is applied wherever possible which means that even in transit between our servers, your data is kept encrypted. You can find an independent, live, review of our SSL security here: https://www.ssllabs.com/ssltest/analyze.html?d=chargedesk.com

All our servers are firewalled and kept updated with the latest security patches. All security keys and passwords stored by our application on your behalf are kept encrypted at rest.

Further information about is available about our security.

ChargeDesk is a registered company from Sydney, Australia (ABN 13 588 984 088).

All data imported by ChargeDesk is processed and stored in the United States.

ChargeDesk is already bound by the Australian Privacy Act 1988 which shares many common features with the GDPR, although there are a number of differences. We have internally audited these difference and where applicable made changes to comply with the GDPR.

As ChargeDesk performs processing inside the United States, use of our service may involve exporting your Customer Personal Data outside of the European Economic Area (EEA). In such a case, you should consider using our new Data Processing Agreement. This agreement contractually gives your customer personal data the same protections as if the data was being processed inside of the EEA and complies with the GDPR personal data export requirements.

Also known as the 'right to erasure', the GDPR clarifies the rights of people to have their data removed from the services they use. There's two key aspects of this;
  1. The removal of data when no longer necessary in relation to the purposes for which they were collected.
  2. The removal of data when someone withdraws consent or objects to the processing (i.e. asks for their data to be deleted).

The changes ChargeDesk has made allow us to comply with these requirements. We now automatically delete all Personal Data once a company is no longer using our service. This includes all reasons for deactivation, such as an expired trial, cancelled account or any other kind of suspension.

We have also added a tool which allows companies using our service to immediately delete all personal data associated with an individual customer. This allows you to comply with withdrawn consent. If ChargeDesk receives a request for data deletion directly (withdrawn consent or processing objection) we will forward this onto you to action as required by the GDPR. You may also need to delete the customer's personal data from other services connected with ChargeDesk which you control. You can access this new tool, but going to a customer record in our web interface, clicking the "Edit Customer" button, then clicking the "Delete" button at the bottom of the page.

Unlike many other billing systems, ChargeDesk uses your payment gateway as our primary source of record, rather than our own internal servers. This means that if you ever leave ChargeDesk, all of your customer’s card data and subscriptions will continue to run on your payment gateway. Your use of ChargeDesk is portable by default.

We also offer machine readable (CSV) downloads of all data in your account. You can access these downloads by navigating to the Charges, Customers or Products page on your account, expanding the "There are xx charges/customers/products on record." section and clicking the Download CSV button.

Finally, we've added the option for your customers to download their own billing records stored on ChargeDesk through our billing history pages. You can now enable a "Download CSV" on billing history pages which your customers can use to download these records in a machine readable format. You can enable this in your account from Setup > Customer Self-Support > Set "Download CSV" to "Enabled" under Billing History.

ChargeDesk uses sub-processors to assist in providing the ChargeDesk Service. A sub-processor is a third party data processor engaged by ChargeDesk, who has or potentially will have access to or process Service Data (which may contain Personal Data). ChargeDesk evaluates the security, privacy and confidentiality practices of proposed sub-processors that have access to or process Service Data both before they are engaged and on an ongoing basis.

Any changes to the sub-processors engaged by ChargeDesk will be notified by an update to this page, located at https://chargedesk.com/docs/GDPR/subprocessors. You may also email privacy@chargedesk.com and request to be notified directly when this list changes.

The following is an up-to-date list (as of 22 June 2018) of the names and locations of ChargeDesk sub-processors:
Sub-processor Purpose Location of Sub-processor Website
Amazon Web Services, Inc Data hosting United States https://aws.amazon.com/
Rackspace US, Inc Data hosting United States https://www.rackspace.com/
Cloudflare, Inc Data transmission and security United States https://www.cloudflare.com/
Mailgun Technologies, Inc Email delivery United States https://www.mailgun.com/
Twilio, Inc Text message delivery United States https://www.twilio.com/

In using ChargeDesk you are also likely to connect one or more payment gateways and helpdesks to our Service. These are third party data processors engaged by you. Your use of the ChargeDesk Service may or may not result in Personal Data being transmitted between ChargeDesk and these processors. You may email privacy@chargedesk.com to confirm what, if any Personal Data will be transmitted to these processors. In the case that Personal Data is transmitted, you should ensure that you have a suitable Data Processing Agreement in place with these processors before connecting them to ChargeDesk.

Data Processing Agreement

ChargeDesk offers you a robust Data Processing Agreement ("DPA"), governing the relationship between the you (acting as a data controller) and ChargeDesk (acting as a data processor). The DPA facilitates ChargeDesk’s customers’ compliance with their obligations under EU data protection law.

We have made available a pre-signed copy of our Data Processing Agreement.

Please complete the first page of this Agreement. This signed agreement must be submitted to privacy@chargedesk.com. Upon receipt of the validly completed DPA by ChargeDesk at this email address, this DPA will become legally binding.

If you have any questions about any of the details on this page, or any other part of our GDPR compliance, please email privacy@chargedesk.com and we'll be happy to help.

You may also mail your query to;
ChargeDesk Pty Ltd
2 Celosia Place
Sydney, NSW 2232
Australia