💽GDPR compliance

A brief summary of measures taken at Hyperswitch to ensure GDPR compliance

In this section you will learn about our initiatives to prioritise and improve the security and privacy of Customer Data and Personally Identifiable Information (PII).

The General Data Protection Regulation (GDPR) lays out the definition of Data Controller, Data Processor and Data Subject as below:

Role	Definition
Data Controller	A Data Controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Controllers make decisions about processing activities.
Data Processor	A Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller and under the instructions of the controller
Data Subject	The term 'data subject' refers to any living individual whose personal data is collected, held or processed by an organization.

Role

Definition

Data Controller

A Data Controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Controllers make decisions about processing activities.

Data Processor

A Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller and under the instructions of the controller

Data Subject

The term 'data subject' refers to any living individual whose personal data is collected, held or processed by an organization.

Hyperswitch plays the role of a ‘Data Processor’ and takes all the below initiatives to ensure compliance.

Data Protection and Privacy Principles

Principles	Initiatives
Lawfulness, fairness, and transparency	Lawful - We gather data and process it with a valid legal basis which is vetted by our legal team Fair - We process personal data in the best interest of the people and scope of our processing can be reasonably expected by the person. Transparent - We clearly communicate what, how, and why we process data and what role do we play in the data lifecycle via our Privacy Notice on the website. It is written in a clear, plain language that enables everyone to easily understand the scope and methods of our processing. We also enable our merchants to be compliant to the Transparency principle by enabling them to respond to Data Subject Rights Requests in a better, sustainable way via our Data Compliance APIs.
Purpose limitation	We only process data for clear, defined purposes and have strict processes in place to avoid function creep or utilisation of data in any other way than intended. We also verify on a periodic basis that our purposes are valid and essential to deliver services to our merchants and avoid any unnecessary processing. We maintain records of our purposes via RoPA to ensure compliance to Purpose Limitation
Data minimisation	We ensure and evaluate that we gather only essential personal data that we need to deliver the service. In other words, we only gather and process the exact amount of data that is needed.
Accuracy	We as a data processor take reasonable measures to ensure that the personal data we are processing is correct and up to date by employing various security and privacy centric principles: Access Control (maker and checker system) Encrypted communication channels Encryption of data during transmission and storage Automated Backups
Storage limitations	We ensure that we get a defined retention period requirements from our merchants so we do not end up storing data that is no longer of use for the purpose it was intended. We have implemented a process for destroying data in a secure way that helps us ensure that the data no longer needed is really removed and not still stored on a device or in the cloud, where it could be a potential security risk.
Integrity and confidentiality	We have developed, implemented, and maintain effective information security and privacy policies and procedures that include administrative, technical and physical safeguards designed to: Ensure the security and confidentiality of confidential information and systems provided Protect against anticipated threats or hazards to the security or integrity of such confidential information and systems Protect against unauthorised access or use of such confidential information and systems We employ various security measures to ensure that the integrity and confidentiality of data is maintained throughout the lifecycle of the data: Restriction of access to data (need to know principle) Encryption of PII Implementing a data retention policy Antivirus programs, Firewalls, Intrusion detection systems, Multi-factor authentication, Software updates Cyber Security and Privacy awareness trainings Non Disclosure Agreements with our employees, merchants and vendors.
Accountability	We abide by this principle by taking responsibility for our data processing. It means that we, the data processor, are accountable for the proper processing of personal data and compliance with the rules of the GDPR and we ensure that the responsibilities on each side (controller and processor) are captured in our agreements/DPAs with all our merchants.

Principles

Initiatives

Lawfulness, fairness, and transparency

Lawful - We gather data and process it with a valid legal basis which is vetted by our legal team

Fair - We process personal data in the best interest of the people and scope of our processing can be reasonably expected by the person.

Transparent - We clearly communicate what, how, and why we process data and what role do we play in the data lifecycle via our Privacy Notice on the website. It is written in a clear, plain language that enables everyone to easily understand the scope and methods of our processing. We also enable our merchants to be compliant to the Transparency principle by enabling them to respond to Data Subject Rights Requests in a better, sustainable way via our Data Compliance APIs.

Purpose limitation

We only process data for clear, defined purposes and have strict processes in place to avoid function creep or utilisation of data in any other way than intended. We also verify on a periodic basis that our purposes are valid and essential to deliver services to our merchants and avoid any unnecessary processing.

We maintain records of our purposes via RoPA to ensure compliance to Purpose Limitation

Data minimisation

We ensure and evaluate that we gather only essential personal data that we need to deliver the service. In other words, we only gather and process the exact amount of data that is needed.

Accuracy

We as a data processor take reasonable measures to ensure that the personal data we are processing is correct and up to date by employing various security and privacy centric principles:

Access Control (maker and checker system)
Encrypted communication channels
Encryption of data during transmission and storage
Automated Backups

Storage limitations

We ensure that we get a defined retention period requirements from our merchants so we do not end up storing data that is no longer of use for the purpose it was intended.

We have implemented a process for destroying data in a secure way that helps us ensure that the data no longer needed is really removed and not still stored on a device or in the cloud, where it could be a potential security risk.

Integrity and confidentiality

We have developed, implemented, and maintain effective information security and privacy policies and procedures that include administrative, technical and physical safeguards designed to:

Ensure the security and confidentiality of confidential information and systems provided
Protect against anticipated threats or hazards to the security or integrity of such confidential information and systems
Protect against unauthorised access or use of such confidential information and systems

We employ various security measures to ensure that the integrity and confidentiality of data is maintained throughout the lifecycle of the data:

Restriction of access to data (need to know principle)
Encryption of PII
Implementing a data retention policy
Antivirus programs,
Firewalls,
Intrusion detection systems,
Multi-factor authentication,
Software updates
Cyber Security and Privacy awareness trainings
Non Disclosure Agreements with our employees, merchants and vendors.

Accountability

We abide by this principle by taking responsibility for our data processing. It means that we, the data processor, are accountable for the proper processing of personal data and compliance with the rules of the GDPR and we ensure that the responsibilities on each side (controller and processor) are captured in our agreements/DPAs with all our merchants.

Security

Hyperswitch is engineered with a meticulous focus on safeguarding sensitive data aligning with PCI standards. The application also employs various strategies that encompasses various stage, which includes

Encryption of Data at rest and Data in Transit
Masking of PII information at source
Minimizing PII data exposure across the application
Secure software development practices
SOC Type I and Type II certification

Read more about Data security at Hyperswitch.

Data Retention and Deletion

In the spirit of Data Minimisation principle, we capture data retention and deletion requirements with all our merchants in our DPAs and Master Service Agreement to avoid processing data longer than required. We regularly audit our processes to ensure that the data retention requirements are met.

We support the right to erasure through a permanent deletion of personal data upon request. The Deletion API is published and accessible for all merchants to permanently delete Customer PII Data.

Data Protection Team

Juspay Technologies Private Limited (doing business as Hyperswitch) has a Privacy and Data Protection team and a designated Data Protection Officer to look after Data Protection, Privacy and Compliance Obligations

Data Protection Agreement

Hyperswitch Master Services Agreement includes a Data Protection Agreement which clearly articulates our privacy commitment to merchants. We have evolved these terms and specifically updated these terms to reflect the GDPR from the perspective of payment processing, and, to facilitate merchants’ compliance assessment and GDPR readiness when using Hyperswitch.

Standards and Certifications

We hold ourselves to the highest standards of data security and reliability. We believe in protecting sensitive information and ensuring the utmost trust in our services by our merchants. To achieve that goal we undergo regular audits to address any gaps and strengthen our security and privacy posture.

Standards	Significance
ISO/IEC 27001:2013 (Upgrading to ISO 27001:2022 during 2024)	ISO/IEC 27001 is the international standard for information security. It sets out the specification for an effective ISMS (information security management system). ISO 27001's best-practice approach helps us manage our information security by addressing people, processes and technology.This certification signifies our establishment of a robust Information Security Management System (ISMS) and the mastery of a comprehensive suite of controls to ensure the highest level of data protection.
SOC 2 Type 1 and 2	System and Organisation Control 2 is a security framework that specifies how we should protect customer data from unauthorized access, security incidents, and other vulnerabilities. Type 2 controls examines how well our system and controls perform over a period of time (typically 3-12 months).
PCI DSS v3.2.1 (Certification under process for PCI 4.0)	PCI DSS is one of the stringent compliance requirements for entities that process, store, or transmit credit card information to maintain a secure environment - It talks about the necessary framework for developing complete payment card data security systems & processes that encompasses prevention, detection, and appropriate reaction to security incidents. This accomplishment marks a significant milestone in our commitment to safeguarding sensitive cardholder data and ensuring the highest level of security for our merchants.

Standards

Significance

ISO/IEC 27001:2013

(Upgrading to ISO 27001:2022 during 2024)

ISO/IEC 27001 is the international standard for information security. It sets out the specification for an effective ISMS (information security management system). ISO 27001's best-practice approach helps us manage our information security by addressing people, processes and technology.This certification signifies our establishment of a robust Information Security Management System (ISMS) and the mastery of a comprehensive suite of controls to ensure the highest level of data protection.

SOC 2 Type 1 and 2

System and Organisation Control 2 is a security framework that specifies how we should protect customer data from unauthorized access, security incidents, and other vulnerabilities. Type 2 controls examines how well our system and controls perform over a period of time (typically 3-12 months).

PCI DSS v3.2.1

(Certification under process for PCI 4.0)

PCI DSS is one of the stringent compliance requirements for entities that process, store, or transmit credit card information to maintain a secure environment - It talks about the necessary framework for developing complete payment card data security systems & processes that encompasses prevention, detection, and appropriate reaction to security incidents. This accomplishment marks a significant milestone in our commitment to safeguarding sensitive cardholder data and ensuring the highest level of security for our merchants.

Use of Sub processors

Below is the list of sub-processors we use at Hyperswitch, as well as the purpose of their use.

Sub processor	Purpose	Hosted region
AWS	Cloud processing of user data and merchant data	Global server (US) EU Data Residency server (EU)
Slack	Merchant communication	US
Google Workspace	Merchant communication and documentation	US

Sub processor

Purpose

Hosted region

AWS

Cloud processing of user data and merchant data

Global server (US)

EU Data Residency server (EU)

Slack

Merchant communication

Google Workspace

Merchant communication and documentation

Other use cases such as Data Infrastructure, Monitoring Systems are solved by using a self-deployed version of popular open source technologies - Clickhouse, Grafana and Sentry. This provides more control and reduces the need for sharing data and the data being shared across more sub-processors.

Last updated 1 month ago