EU General Data Protection Regulation (GDPR)

What is GDPR?

GDPR Is a new set of European regulations that come into effect on May 25th, 2018. These regulations aim to strengthen the security and protection of personal data gathered from EU citizens, even by companies outside of the EU – like Spreedly.

What do you, our customers, need to know?

There are three components to GDPR that we want to make you aware of as we move towards the effective date and beyond:

  • Controller: That’s you, our customer. If your goal is to comply with the GDPR, then you need to fulfill your obligations as a Controller
  • Processor: That is wherever you decide to send your data for processing, which could be us, Spreedly, or your respective gateway or receiver (collectively “3rd party end points”). We are prepared to be a compliant processor, ready to assist you with any data subject rights requests you may receive.
  • Sub Processor: These are the processors or vendors we use to manage data. It is our obligation to ensure that any entity we engage with that touches your data is GDPR compliant.

Additionally, there is an aspect of our interaction with this new regulation that should be called out:

One unique and critical dynamic is our role as a pass through for transaction processing. The majority of our customers typically use Spreedly as a means to send transactions to third party API end points. The benefit of Spreedly is that today there are nearly 300 supported end points, with more added all the time and switching or adding end points is seamless and within your control.

After consulting with industry and legal experts, we want to highlight that with that control comes the responsibility, or if you’re a platform/marketplace then it is your merchant’s responsibility, to ensure that the end points you interact with are also GDPR compliant. The burden here should be low given the general need already exists to have a commercial relationship with end points you pass data to for transacting. Working with them to add GDPR certification should be one more element to your overall relationship.

Put simply, if you only use Spreedly to store and tokenize data then our GDPR compliance should suffice. If you also use our platform to direct transactions against end points you’ve contracted with, you need to work with them to ensure they too handle data in a GDPR compliant manner. If you are a platform that uses Spreedly to allow your customers to direct transactions on your platform via us, then you need to inform them to ensure they have an agreement with that end point, in addition to yours, for end to end GDPR compliance.

What is Spreedly doing to prepare?

Spreedly is prepared to be GDPR compliant when the regulation comes into effect on May 25th, and will maintain GDPR compliance for all the processors and sub processors in our technology stack where we decide on your behalf how data will be processed.

  • We have worked with our legal team to prepare a Data Processing Agreement (DPA) – a copy of which is hosted here.
  • This DPA provides our customers with contractual commitments to our compliance with applicable EU law and establishes our commitment to respond to data subject requests, report breaches to supervisory authorities and data subjects within the timeframe prescribed by GDPR, and to demonstrate our own compliance status.
  • We have prepared a list of subprocessors we use, as well as the purpose of their use – this list will always be viewable here.
  • We have established a mechanism to inform customers of intended changes to our subprocessors to give them time to object.