Is Spreedly compliant with the EU General Data Protection Regulation (GDPR)?
The EU GDPR is coming into effect May 25, 2018 and I would like to know if Spreedly is compliant. How does Spreedly handle customer data in the EU?
Is there any documentation you can provide?
Official comment
Hi Elaya,
Spreedly is aware that on May 25th, 2018, EU driven GDPR comes into effect. The good news is Spreedly, as a PCI Level 1 compliant service, is well prepared to meet the requirements. Internally, our systems and services are ready. There are three components to GDPR that we want to make you aware of as we move towards the effective date and beyond:
Controller: That’s you, our customer. If your goal is to comply with the GDPR, then you need to fulfill your obligations as a Controller.
Processor: That is wherever you decide to send your data for processing, which could be us, Spreedly, or your respective gateway or receiver (collectively “3rd party end points”). We are prepared to be a compliant processor, ready to assist you with any data subject rights requests you may receive.
Sub Processor: These are the processors or vendors we use to manage data. It is our obligation to ensure that any entity we engage with that touches your data is GDPR compliant.
Spreedly is and will maintain GDPR compliance for all the processors and sub processors in our technology stack where we decide on your behalf how data will be processed. To give a specific example, if you only use us to tokenize and store card data, that is a closed loop where Spreedly decides where and how that data will be managed and so relying on our GDPR compliance is the only requirement.
One unique, and critical, dynamic though is our role as a pass through for transaction processing. The majority of our customers typically use Spreedly as a means to send transactions to third party API end points. The benefit of Spreedly is that today there are nearly 300 supported end points, with more added all the time and switching or adding end points is seamless and within your control. After consulting with industry and legal experts, we want to point out that with that control comes the responsibility, or if you’re a platform/marketplace then it is your merchant’s responsibility, to ensure that the end points you interact with are also GDPR compliant. The burden here should be low given the general need already exists to have a commercial relationship with end points you pass data to for transacting. Working with them to add GDPR certification should be one more element to your overall relationship.
Put simply, if you only use Spreedly to store and tokenize data then our GDPR compliance should suffice. If you also use our platform to direct transactions against end points you’ve contracted with, you need to work with them to ensure they too handle data in a GDPR compliant manner. If you are a platform that uses Spreedly to allow your customers to direct transactions on your platform via us, then you need to inform them to ensure they have an agreement with that end point, in addition to yours, for end to end GDPR compliance.
We plan to build and maintain a list of known GDPR compliant Sub Processors (Hubspot, Zendesk, AWS etc.) that we use, so that you as a Controller concerned about being GDPR compliant can know that we are only working with Sub Processors that are known to be GDPR compliant.
We will continue to monitor GDPR compliance requirements and will make changes when required, or when we see an opportunity to improve to stay compliant for ourselves and our customers.
Don't hesitate to reach out if you have any other questions on this information. Thanks!
We don't currently have specifics to share with you in regards to EU-GDPR, however, our executive and security management teams continue to make GDPR compliance review a priority.
We're planning on publishing a statement as we get closer and have some of our questions around compliance answered.