Chargify has always been dedicated to maintaining the best security for our merchants and their customers. We offer complete GDPR compliance.
GDPR distinguishes between a data controller (who collects and owns the data) and a data processor (who handles the data on behalf of the controller). Chargify is a data processor. As a merchant with Chargify, you are usually the controller (unless you happen to be a sub-contracted processor for another company).
When classified as the data controller, Chargify merchants must meet certain obligations, such as notifying data subjects or obtaining their consent.
As the data processor, Chargify promises to:
- Keep your data safe, secure, and private
- Maintain our EU Privacy Shield certification to allow for cross-border transfer of personal data
- Disclose our sub-processors and monitor their GDPR compliance
- Keep records of compliance and audit logs as required
- Make available tools to handle data subject requests, such as right-to-erasure and right-to-access
- Notify you of a security breach using your account notification contact
Although GDPR is very new, a standard has begun to emerge in which each data processor writes a Data Processing Addendum that specifically covers the legal language needed to demonstrate compliance with GDPR. Since this document must reflect our actual internal policies and procedures, Chargify (as the processor) is in the best position to enumerate how we comply. (We can’t sign a contract that claims we do something that we actually don’t do!)
Every Chargify merchant is eligible to request and sign our established Data Processing Addendum. Simply email us at firstname.lastname@example.org.
When a merchant’s employee accesses the Chargify system, we utilize various data processors. These data processors do not receive personal information about subscribers or end-customers.
- Twilio - https://www.twilio.com/gdpr
- Zoho - https://www.zoho.com/lp/gdpr.html
- Salesforce - https://www.salesforce.com/eu/campaign/gdpr/
- Segment - https://segment.com/product/gdpr
- Autopilot - https://blog.autopilothq.com/what-is-gdpr/
- Mailchimp - https://blog.mailchimp.com/gdpr-forms-and-more-tools/
- Zapier - https://zapier.com/help/gdpr/
- Zendesk - https://www.zendesk.com/company/customers-partners/eu-data-protection/
Chargify utilizes the following sub-processors when providing our service. Subscriber data is shared, stored, or processed on these services:
- Amazon Web Services - https://aws.amazon.com/compliance/gdpr-center/
- SumoLogic - https://www.sumologic.com/compliance/what-is-gdpr/
- SendGrid (if you enable any email sending inside Chargify) - https://sendgrid.com/resource/general-data-protection-regulation/
- Avalara (if you enable Avalara tax integration) - https://www1.avalara.com/us/en/legal/terms.html
- Honeybadger - https://www.honeybadger.io/gdpr/
- Heroku - https://help.heroku.com/RXPQ7FOV/eu-general-data-protection-regulations-gdpr
- Google Cloud - https://cloud.google.com/security/gdpr/
You also have the option to enable additional Chargify integrations (either built-in or through our APIs or webhooks). We do NOT directly evaluate or attest to the GDPR qualifications of integration partners. Each merchant is responsible for evaluating any third party before creating or enabling an integration. You should ensure you establish a direct contractual privacy agreement with any third party that you ask Chargify to transmit data subject personal data to. These include, but are not limited to:
- Your chosen gateway or payment processor
- QuickBooks Online