EU General Data Protection Regulation (GDPR)

What is GDPR?

GDPR is a set of European regulations that came into effect on May 25th, 2018. These regulations aim to strengthen the security and protection of personal data gathered from EU citizens, even by companies outside of the EU - like Spreedly.

What do you, our customers, need to know?

There are three components to GDPR that we want to make you aware of as we move towards the effective date and beyond:

  • Controller: That’s you, our customer. If your goal is to comply with the GDPR, then you need to fulfill your obligations as a Controller.
  • Processor: That is wherever you decide to send your data for processing, which could be us, Spreedly, or your respective gateway or receiver (collectively “3rd party end points”). We are a compliant processor, ready to assist you with any data subject rights requests you may receive.
  • Sub Processor: These are the processors or vendors we use to manage data. It is our obligation to ensure that any entity we engage with that touches your data is GDPR compliant.

Additionally, there is an aspect of our interaction with this new regulation that should be called out:

One unique and critical dynamic is our role as a pass-through for transaction processing. The majority of our customers use Spreedly as a means to send transactions to third party API end points. The benefit of Spreedly is that today there are nearly 300 supported end points, with more added all the time, and switching or adding end points is seamless and within your control.

After consulting with industry and legal experts, we want to highlight that with that control comes the responsibility (or, if you’re a platform/marketplace, your merchant’s responsibility) to ensure that the end points you interact with are also GDPR compliant. The burden here should be low, given that you generally already need a commercial relationship with the end points you pass data to for transacting. Working with them to add GDPR certification should be one more element of your overall relationship.

Put simply, if you only use Spreedly to store and tokenize data then our GDPR compliance should suffice. If you also use our platform to direct transactions against end points you’ve contracted with, you need to work with them to ensure they too handle data in a GDPR compliant manner. If you are a platform that uses Spreedly to allow your customers to direct transactions on your platform via us, then you need to inform them to ensure they have an agreement with that end point, in addition to yours, for end to end GDPR compliance.

How Spreedly maintains GDPR compliance

Spreedly is GDPR compliant effective May 25th, 2018, and will maintain GDPR compliance for all the processors and sub processors in our technology stack where we decide on your behalf how data will be processed.

  • We have worked with our legal team to prepare a Data Processing Agreement (DPA) - a copy of which is hosted here.
  • This DPA provides our customers with contractual commitments to our compliance with applicable EU law and establishes our commitment to respond to data subject requests, report breaches to supervisory authorities and data subjects within the timeframe prescribed by GDPR, and to demonstrate our own compliance status.
  • We have prepared a list of subprocessors we use, as well as the purpose of their use - this list will always be viewable here.
  • We have established a mechanism to inform customers of intended changes to our subprocessors to give them time to object.

How can I exercise my rights under GDPR?

To exercise your rights under GDPR, or request information Spreedly may have about you, please use this form.

More Questions?

Contact Us and we'll get your questions answered.
