Security at Churn Buster

Security is one of our top priorities at Churn Buster.

Even with Churn Buster as part of your financial stack, the software adds no additional exposure of customer payment data: this data is neither handled nor stored on Churn Buster servers.

Churn Buster is:
• PCI Compliant, with PCI SAQ-A/AOC and VSAQ available by request.
• GDPR/CCPA Compliant—minimal customer data is stored, and is permanently removed by request.
• Fast to comply with changing international requirements such as Strong Customer Authorization.
• Able to support any specific DPA needs you may have.

Payment Processor Account Access

Wherever possible, offsite keys are used to access payment processor data. In the case of Stripe, we use our own offsite API key, combined with your Account ID, to interact with the Stripe system. For processors where this isn’t possible, API keys or tokens are stored and encrypted as described below.

Data Encryption

Any sensitive details, such as passwords or API keys, are encrypted on-disk. Decryption keys are stored on separate machines.

SSL Encryption

All access, whether between users and the Churn Buster dashboard, or between Churn Buster and third-party applications like Stripe, is restricted to and protected by SSL encryption (using TLS 1.2).

Security Audits

Churn Buster undergoes third-party audits of its code base and infrastructure at least once a year. Our team works with these auditors to resolve potential issues.

Audit Trail

Logentries is used to provide an audit trail of all interaction with the Churn Buster application. This enables the Churn Buster team to respond quickly to bug reports and security issues.

PCI Compliance

Churn Buster Customers

Churn Buster bills customers using Stripe, a PCI Service Provider Level 1 certified payment processor—the most stringent certification level available. Stripe’s security information is available online.

Customer card details are never transmitted through or stored on Churn Buster servers.

Churn Buster validates its PCI compliance annually by filing a SAQ-A questionnaire.

Card Update Pages

Churn Buster offers card update pages that customers can use to collect card details from their own customers. These pages are available only to customers using a payment processor, such as Stripe or Braintree, that makes use of tokenized cards, which prevents card data from being transmitted through or stored on Churn Buster servers.

Data Center Security

Churn Buster exclusively uses Heroku and AWS as data centers. Their robust security policies can be viewed here:

GDPR and CCPA

Churn Buster is GDPR and CCPA Compliant. You can read the details of our compliance here.

Responsible Vulnerability Disclosure

Our security team rapidly investigates all reported security issues. If you believe you’ve discovered a bug in Churn Buster security, please get in touch at support+security@churnbuster.io (optionally using our PGP key).

We request that you not publicly disclose the issue until it has been addressed by Churn Buster.