On our website and on Facebook, we may collect certain personally-identifiable information about our online visitors. Personally-identifiable information relates to an individual consumer – for example, name, address, telephone number and e-mail address. You may provide personally-identifiable information, for example, by entering a promotion. We don’t require you to register or provide personally-identifiable information to view our site or access much of its content. Here are the ways we collect personally-identifiable information.
Our site and our Facebook page contain notices of contests, sweepstakes and games we are conducting, which you may enter electronically in some cases. We use the information you provide to conduct the promotion (for example, to contact you if you’re a winner). We won’t use the information you provide for any other purpose unless you’ve agreed otherwise.
We offer visitors to our website various features for their enjoyment, which we change from time to time. We may ask you to submit certain personally-identifiable information so we can provide you with these features.
We collect certain aggregate and non-personal information when you visit our website. Aggregate and non-personal information does not relate to a single, identifiable visitor. It tells us how many users visited our site or the pages accessed. By collecting this information, we learn how to best tailor our website to our visitors. We collect this information through “cookie” technology, as explained below.
Like many companies, we use “cookies” on our website. Cookies are bits of text that are placed on your computer’s hard drive when you visit certain websites. Cookies may enhance your online experience by saving your preferences while you are visiting a particular site.
If you ask to be contacted by us, we may use the information you provide to contact you from time to time. For example, we may (i) send you promotional materials and other communications you request, (ii) respond to your comments or questions, or (iii) contact you if needed while processing a service you requested through our website.
We also use personally-identifiable information about you to improve our website features and content and to analyze website usage. In addition, we use personally-identifiable information for market research purposes. We also may use personally-identifiable information about you to deliver content that is customized to your interests as we understand from the information you’ve provided to us and your activities on the site.
Except as described below, we don’t sell, transfer or otherwise disclose to third parties the personally-identifiable information we collect on this website or on Facebook without your prior consent. We disclose information where we think it’s necessary to investigate or prevent an actual or suspected crime or injury to ourselves or others or where disclosure is required by law. We also may disclose information in response to a request from law enforcement authorities or other government officials.
On our website and on Facebook, we may conduct joint promotions with other companies. We may share with our promotional partners (and their service providers) certain personally-identifiable information as necessary to conduct the promotion. We will not share this information with our promotional partners for any other purpose unless you tell us it’s ok to do so.
Some portions of our website and Facebook page may be directed to kids under 13. In these areas of our website, our conduct is governed by federal law and regulations that address children’s online privacy.
Upon proper identification, a parent may review any personal information we have collected from his or her child if we still have the information in our database. The parent also may request that the child’s information be deleted from our database and may refuse to permit further collection or use of the child’s information. If you are a parent and wish to exercise these rights, please contact us as described below.
The security of personally-identifiable information is important to us. We maintain administrative, technical and physical safeguards to protect against unauthorized use, disclosure, alteration or destruction of the personally-identifiable information we collect on this website and on Facebook.
40 Fulton St. FL 17
New York, NY 10038
Attention: Website Administrator
+1 (212) 374-2779, 9am – 5pm Eastern Time, Monday through Friday, excluding holidays.
Chargebee offers a Subscription Management and Recurring Billing Solution for online businesses across various industries. Businesses can automate billing, invoicing and payment collection using Chargebee as their extended solution in the cloud. Businesses can leverage Chargebee's highly secure, scalable system to provide a great billing experience to their customers.
We take security very seriously and we continuously look for opportunities to make improvements.
Chargebee is a PCI DSS Level 1 Service Provider
The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies and procedures that must be followed by organizations that process, store or transmit card data. The PCI Security Standards Council is governed by the five major payment card brands: American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.
We use Amazon's AWS platform and infrastructure for Chargebee. Chargebee employees do not have any physical access to our production environment.
Here are more details about the security setup of AWS.
“Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, with military grade perimeter control berms. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in. They are also continually escorted by authorized staff.”
In addition to physical security, being on the AWS platform also provides us significant protection against traditional network security issues in the infrastructure, such as
We use two-factor authentication for access to all our administrative operations, covering both the infrastructure and the Chargebee service. Administrative privileges are restricted to very few employees. Additionally, both application-level roles and AWS roles are used to ensure that only the required operations are allowed for specific users.
All administrative access is automatically logged and e-mailed. Detailed information on when and why operations are carried out is documented and sent to the security team before any changes are made in the production environment.
SSH keys are required to gain console access to our servers, and each login is tied to an identified user. All critical operations are logged to a central log server. In addition, our servers can be accessed only from restricted IP addresses.
Hosts are segmented and access is restricted based on functionality. That is, application requests are accepted only from the AWS ELB, and database servers can be accessed only from application servers.
Secure Access: Chargebee application servers can be accessed only via HTTPS. We use industry-standard encryption for data in transit to and from the application servers.
XSS: All user input is output-encoded when displayed, so that XSS vulnerabilities are avoided.
CSRF: All POST requests are checked for a valid CSRF token before the request is processed.
SQL Injection: We use prepared statements for database access to avoid SQL Injection.
Encrypted Data Storage: We do not store sensitive card details on any Chargebee network. The keys for various third-party services (such as payment gateways) are stored in our database in encrypted form.
We periodically check for and apply patches to third-party software and services. As and when vulnerabilities are discovered, we apply the fixes. We do periodic vulnerability scanning using the services of an authorized QSA.
We use Amazon RDS for our database. The automated backup feature is configured for RDS, and we retain backups for up to 30 days. We have configured Amazon RDS in Multi-AZ mode, which provides enhanced availability and durability. Each AZ runs on its own physically distinct, independent infrastructure and is engineered to be highly reliable.
We use both internal and multiple external monitoring services to monitor Chargebee. Our monitoring system alerts the Operations & Security Team by e-mail and phone call if there are any errors or abnormalities in the request pattern.
We are working continuously to make our system secure. If you find any security issue, please report it to firstname.lastname@example.org. We treat security as our highest priority and will make sure the issue is fixed at the earliest.