Security is one of our key priorities here at Churn Buster. We come into contact with key financial data, and we take that responsibility seriously.
Payment Processor Account Access
Wherever possible, we use offsite keys to access your payment processor data. In the case of Stripe, we use our own offsite API key, combined with your Account ID, to interact with their system. For processors where this isn’t possible, we will store and encrypt your API keys or tokens as described below:
Any sensitive details, such as passwords or API keys (Churn Buster, Stripe, etc.), are encrypted on disk. Decryption keys are stored on separate machines.
We use the latest best practices and technologies to protect your Churn Buster, payment processor(s), and other account access.
All access, whether between users and our dashboard, or between Churn Buster and third-party applications like Stripe, is restricted to and protected by SSL encryption (using TLS 1.2).
We engage well-regarded third-party auditors at least once a year to audit our code base and infrastructure, and our team works with them to resolve potential issues.
We use Logentries to provide an audit trail of all interaction with the Churn Buster application. This enables us to respond quickly to bug reports and security issues.
Churn Buster Customers
Churn Buster bills customers using Stripe, a PCI Service Provider Level 1 certified payment processor (the most stringent certification level available). Stripe’s security information is available online.
Customer card details are never transmitted through or stored on Churn Buster servers.
Churn Buster validates its PCI compliance annually by filing a SAQ-A questionnaire.
Card Update Pages
Churn Buster offers card update pages, which customers can use to collect card details from their own customers. These pages are only available to customers using a payment processor, such as Stripe or Braintree, that uses tokenized cards, which prevents card data from being transmitted through or stored on Churn Buster servers.
Data Center Security
We exclusively use Heroku and AWS as our data centers. Their security policies are excellent and can be viewed here:
We’re committed to helping our customers prepare for the General Data Protection Regulation (GDPR).
We're working on implementing our readiness program across our organization. This involves:
- Conducting a gap analysis
- Planning policy and product changes, specifically around data access, management and portability
- Reviewing our contract commitments with our customers and vendors
We commit to being GDPR ready prior to the May 25, 2018 deadline.
Responsible Vulnerability Disclosure
Our security team rapidly investigates all reported security issues. If you believe you’ve discovered a bug in Churn Buster’s security, please get in touch at [email protected] (optionally using our PGP key).
We request that you not publicly disclose the issue until it has been addressed by Churn Buster.