May 24

Cheddar, the GDPR, and You

The Cheddar team has been hard at work getting ready for the European Union’s new data protection laws.  As a company that you trust with billing and the sensitive data that entails, Cheddar has always taken data protection and access very seriously.

Many of the features required by the GDPR have been built into our platform since the beginning, and we’ve maintained PCI-compliant security measures and sub-processors for several years.  However, the GDPR did provide us with an opportunity to make some improvements and add some clarity to how we process data.

We’ve made updates to our Terms of Service, Privacy Policy, and internal procedures, and we’d like to share with you the features Cheddar offers that will assist you in achieving compliance.

The new policies include:

  • Clarity about how Cheddar uses the personal data you send to us
  • Provisions to give users additional control over how and when their data is processed

Changes to our internal procedures include:

  • Processes to handle data access, objection, restriction, and erasure requests internally and with our sub-processors
  • Improved notification and consent processes on our website and in our email communications
  • A status page where we’ll notify you of changes to our platform or any issues with the availability of our services

We’ve also developed a Data Processing Agreement that our users can sign with us. This isn’t a requirement for all of our users, but if you need a DPA, please contact us at compliance@getcheddar.com.

Sub-processors

Under the GDPR, you (our user) are the data controller for your customers’ personal data, while Cheddar is your data processor. Depending on your implementation, you might also be using some add-on features that involve additional processors and sub-processors. We’d like to clear up the difference between built-in Cheddar features and external processors outside of Cheddar, so you know who to contact if you need help with GDPR compliance issues.

Payment Processors:  Cheddar has multiple payment processor/gateway options:

  • Built-in: CheddarPay, or our legacy payment gateway (CheddarGateway).  If you use either of these and need help with GDPR compliance issues, let us know!
  • External: You can also bring your own external gateway account. Cheddar manages transactions for you, but you’re in charge of managing the relationship with that provider, including any compliance-related requests.

Email Notifications: You can choose to enable customer communications in your Cheddar dashboard.

  • Built-in:  We provide a built-in SMTP service (SendGrid) for mail delivery, and we’ll handle GDPR compliance issues with them at your request.
  • External: It’s recommended that you use your own SMTP provider, which you can configure in your Cheddar dashboard.  You’ll need to reach out to them for help with compliance issues.

Webhooks:  You can use a custom hook listener or one of our third party integrations (Zapier, Campaign Monitor, or Campfire).  In all cases, these are handled like external providers: you manage these relationships and choose where that data is sent.

Hosted Pages: Hosted payment pages are provided by Cheddar and the data your customers provide goes directly to the Cheddar platform.  There are no additional sub-processors involved.

Built-in Features to Assist with Compliance

We have features built in to Cheddar’s core service that will help you control and access your customers’ data:

  • You can see all the data Cheddar has stored about your customers using the customers/get API call or by downloading the data via the Customers search in the UI.  (If you use the UI, be sure to use the JSON or XML download in order to get a full report of the customer’s data.)
  • To erase all of a customer’s data from Cheddar, use the customers/delete call, or delete the customer via their customer profile in the UI.
    • Note: Deletion is a permanent action, and you’ll lose access to all of that customer’s transaction history.  This means if they request a refund, you’ll be unable to issue it through Cheddar.
  • You can cancel a customer via the customers/cancel API call, or by canceling their subscription in the “Edit Subscription” page of their customer profile.  We’ll hang on to their data, but we won’t do anything else with it unless you reactivate or delete them.
  • You can update or correct a customer’s information using the customers/edit-customer API call or by editing their details in their customer profile in the UI.

(For more information about the API calls, see our docs)
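As an added example (not Cheddar’s own code and not part of the original post), here is a small Python helper that maps each kind of data-subject request onto the customer API call listed above: access to customers/get, rectification to customers/edit-customer, restriction or objection to customers/cancel, and erasure to customers/delete, with the refund caveat enforced before anything is deleted. The host, the /json/customers/<action>/productCode/<p>/code/<c> URL layout, HTTP basic auth with your Cheddar login, POST for the mutating calls, and the shape of the exported record are assumptions in the style of the legacy CheddarGetter API; confirm them against the API docs before use. The sample record and the fake transport are constructed so the helper runs offline.

```python
"""Route a GDPR data-subject request to the Cheddar customer call named
for it in the post.  Added example, not Cheddar's own code.

Assumptions (check against Cheddar's API docs): the host, the
/json/customers/<action>/productCode/<p>/code/<c> path layout, HTTP basic
auth with your Cheddar login, POST for the mutating calls, and the shape
of the exported customer record."""
import base64
import json
import urllib.request
from urllib.parse import quote, urlencode

BASE_URL = "https://getcheddar.com"  # assumption


class ErasureRefused(Exception):
    """Deleting would discard transaction history (refunds through Cheddar
    become impossible) and the caller has not explicitly accepted that."""


def api_url(action, product_code, customer_code):
    # quote(..., safe="") keeps a code such as "a/b" or "../x" from turning
    # into extra path segments and addressing a different resource.
    return "%s/json/customers/%s/productCode/%s/code/%s" % (
        BASE_URL, action, quote(product_code, safe=""), quote(customer_code, safe=""))


def basic_auth_header(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def urllib_send(method, url, headers, body=None):
    """Real transport: returns (status, response text)."""
    data = urlencode(body).encode() if body else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


def has_transaction_history(record):
    """Assumption: history appears as a non-empty 'invoices' or
    'transactions' list somewhere in the exported record."""
    if isinstance(record, dict):
        return any(
            (key in ("invoices", "transactions") and isinstance(value, list) and bool(value))
            or has_transaction_history(value)
            for key, value in record.items())
    if isinstance(record, list):
        return any(has_transaction_history(item) for item in record)
    return False


def handle_request(kind, product_code, customer_code, username, password,
                   send=urllib_send, changes=None, accept_history_loss=False):
    """Perform one request and return a dict describing what was done.
    Confirm the requester's identity before calling this: cancel and
    delete cannot be undone through the API."""
    headers = basic_auth_header(username, password)

    def call(action, method="GET", body=None):
        status, text = send(method, api_url(action, product_code, customer_code), headers, body)
        if status != 200:
            raise RuntimeError(f"{action} failed with HTTP {status}: {text[:200]}")
        return json.loads(text) if text else {}

    if kind == "access":                      # Art. 15: export everything held
        return {"action": "customers/get", "record": call("get")}
    if kind == "rectification":               # Art. 16: correct fields
        if not changes:
            raise ValueError("rectification needs the corrected fields")
        call("edit-customer", "POST", changes)
        return {"action": "customers/edit-customer", "fields": sorted(changes)}
    if kind in ("restriction", "objection"):  # Art. 18/21: keep, stop processing
        call("cancel", "POST")
        return {"action": "customers/cancel"}
    if kind == "erasure":                     # Art. 17: delete, after the refund check
        if has_transaction_history(call("get")) and not accept_history_loss:
            raise ErasureRefused(
                f"{customer_code} has transaction history; deleting makes refunds "
                "through Cheddar impossible. Pass accept_history_loss=True to proceed.")
        call("delete", "POST")
        return {"action": "customers/delete"}
    raise ValueError(f"unknown request kind: {kind}")


# Constructed sample record and offline transport (assumed record shape).
SAMPLE_RECORD = {"customers": [{"code": "cust_42", "email": "ada@example.com",
                                "subscriptions": [{"invoices": [{"number": 1}]}]}]}


def make_fake_send(log, record=SAMPLE_RECORD):
    def send(method, url, headers, body=None):
        log.append((method, url, body))
        return 200, (json.dumps(record) if "/customers/get/" in url else "{}")
    return send


if __name__ == "__main__":
    log = []
    send = make_fake_send(log)
    print(handle_request("access", "MY_PRODUCT", "cust_42", "me@example.com", "secret", send=send)["action"])
    try:
        handle_request("erasure", "MY_PRODUCT", "cust_42", "me@example.com", "secret", send=send)
    except ErasureRefused as exc:
        print("refused:", exc)
    print([(m, u.split("/json/")[1]) for m, u, _ in log])
```

Two design points are worth keeping if you adapt this: customer and product codes are percent-encoded into the path so a crafted code cannot reach a different resource, and the erasure branch fetches the record first and refuses to delete while transaction history exists unless the operator opts in, which turns the caveat above into a check rather than something to remember.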

These features apply to the data stored in Cheddar’s core platform.  However, if you use any of the optional add-ons mentioned above, there might be some extra steps to fulfill a GDPR-related data request.  Just shoot us an email at compliance@getcheddar.com, and we’ll be glad to help!

Your data in Cheddar

If you’d like to exercise your rights under the GDPR and make a request concerning your data in Cheddar, we take care of that too.  We actually use Cheddar for billing and managing our users (Cheddar-ception), so we have all the tools we need at our disposal. Reach out to us at compliance@getcheddar.com to make a request.

What’s next

We’ve made these changes according to existing guidance and best practices for GDPR compliance, but this situation will continue to develop as the law is put into practice.  We’ll be on the lookout for new developments! Going forward, we’ll continue to update our platform to offer the most up-to-date standards for control, access, and transparency about the data you share with us.  This might mean more emails from us in the future, but don’t worry, we’ll make sure we have your consent first.

If you have any questions about compliance, don’t hesitate to contact us at compliance@getcheddar.com.