Security & Data Protection (GDPR and CCPA compliance)
If you sell/offer products or services to customers based in the EU, you must adhere to the General Data Protection Regulation (GDPR). Moreover, if your business operates in California, your services need to be compliant with the California Consumer Privacy Act (CCPA).
This page provides a summary of our work towards GDPR compliance and tutorials on how Voucherify implements particular GDPR procedures.
What is GDPR?
The General Data Protection Regulation (GDPR), a European privacy law approved by the European Commission, is an attempt to strengthen and modernize EU data protection law and to enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and remove personal data. In a nutshell, it gives EU citizens and residents control over their data while simplifying the regulatory environment for international businesses that operate in the EU.
The authors of this regulation introduce the concept of data minimization which forces companies to:
- Collect as little information as they need to run the business.
- Inform customers about every way their data will be processed (including 3rd party providers).
- Enable customers to delete, export, or update their data at any point in time.
- And finally – gain a customer’s unambiguous consent for every data processing activity.
Voucherify's commitment to data privacy and GDPR compliance
Voucherify is a GDPR-compliant data processor. For the comprehensive security and data protection measures we have implemented, visit our legal section. Below is an overview of what we have done to meet the regulation requirements:
- Data Processing Addendum – we offer a data processing addendum (DPA) for our customers who collect data from folks in the EU. Our DPA offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers.
- GDPR-ready contracts with third-party vendors – Voucherify uses only trusted and reliable vendors. We have signed data processing agreements with all partners which subprocess any of your sensitive data. This approach makes our platform fully GDPR compliant, so you can be confident that your data are neither stored nor processed in a non-secure environment.
- Email consent – you can control which information you want to receive from Voucherify. The contact preference center provides fine-grained controls to activate and deactivate various notifications for you and your team.
- Employee training – the Data Protection Officer ensures that all employees receive tools and training for handling sensitive data (including credentials) and for avoiding social engineering and other non-technical attacks. Moreover, Voucherify team access is controlled by a carefully managed and audited security policy.
- Risk Assessment – the Data Protection Impact Assessment process guarantees that the Voucherify team considers data protection risk identification and minimization as its priority. Every change to the software, organizational procedures, or tooling triggers privacy due diligence. If any risk is identified, the team collaborates on a solution to mitigate the consequences for our clients and their end-customers.
- Data Access, Portability, and Deletion – new features have been introduced to stay in line with data regulations on the rights to portability, to be forgotten, and to rectification. See the section below for details and tutorials.
Data Protection Officer
We are working with our customers to answer any questions and address any concerns regarding how we protect their data in compliance with the GDPR standards. If you have any questions, please don't hesitate to reach out.
How to execute GDPR procedures in Voucherify?
Read on to learn more about standard procedures in Voucherify related to GDPR regulations.
How to remove your account permanently?
Submit a ticket through the support page, and our team will take care of removing your account and all underlying data from the data center and 3rd party providers.
How to remove a team member permanently?
Option 1: The organization administrator can remove a team member by reaching out to the support team through the support page.
Option 2: The organization administrator can remove user data permanently from the Voucherify system by using the user interface. The steps to be taken by the administrator are as follows:
- Log in to the Dashboard.
- In the Team settings, find a user you want to remove.
- Run “Remove Permanently” and confirm the operation.
How to remove/update a customer permanently?
Option 1: The organization Admin can remove customers' data permanently from the Voucherify system by using the user interface. To do so, go to the Delete People Data tab in your Team Settings.
Option 2: An Admin or a customer can reach out directly to the Voucherify Support Team to remove or update a customer's data. For a removal or update requested directly by a customer, the customer has to submit information that allows the Support Team to identify the corresponding organization and records. In case of such an incident, the organization administrator will be notified.
Option 3: You can use this API endpoint to remove customer data permanently.
How to export your data?
You can export all of your data, individual customers, subsets of customers, or specific periods as CSV or JSON files.
Option 1: Dashboard – see the tutorial.
Option 2: API – see the reference.
How to add contact details for EU Representative and Data Protection Officer
You can find sections for contact details in Your Profile settings:
Contact with EU Rep - Person designated, where applicable, to represent customers not established in the EU concerning their obligations under the General Data Protection Regulation (GDPR).
Contact with DPO - Person designated, where applicable, to facilitate compliance with the provisions of the GDPR, which defines the criteria and the conditions under which a data protection officer shall be designated.
You can also add contact details to SLS Person.
How to remove customer data by using the dashboard?
You can permanently delete any customer history from Voucherify to comply with European data protection laws (GDPR).
Go to the Team Settings (1) and choose the tab 'Delete People Data' (2).
Search for active customers or people you have already archived from the customers list within the current project (3).
Choose the bin icon and confirm to remove a customer history permanently (4).
When it comes to the correspondence between you and Voucherify, you can also decide if and when you'd like to be contacted by our Marketing Team. To do so, go to My Profile and tick the appropriate checkboxes.
California Consumer Privacy Act (CCPA)
As the CCPA comes into effect in January 2020, we want our Californian clients to be aware of Voucherify's dedication to making our services fully compliant with the CCPA. This act is going to be one of the first such laws in the US, and in its form and principles it resembles the EU GDPR data law. In order to be compliant with the CCPA, Voucherify as a Service Provider is required to:
- Inform customers that their personal data is being collected by the Service Provider.
- Inform customers whether their personal data is sold or disclosed and to whom.
- Allow customers to reject the sale of their personal data.
- Allow customers to access their personal data.
- Allow customers to request deletion of any personal information about them.
- Not discriminate against customers who exercised their privacy rights.
All of these principles are met by Voucherify. Should you have any questions about how Voucherify collects, uses, and stores your clients' personal data, please let us know. In addition, we are willing to sign a CCPA-compliance document for your business that certifies that Voucherify Services are CCPA-ready.