It has mostly flown under the radar – so don’t worry if this is new to you – but the EU recently adopted a new regulation regarding privacy called GDPR.

I kid.

Clearly the EU’s GDPR (General Data Protection Regulation) has been all over the news for years now, and we’ve heard a huge amount about it since its May 25th implementation. You probably even received a number of emails about updates to security and privacy policies. Like many companies, Riskified also took some major steps to ensure GDPR compliance. We thought we’d lay out those details in a blog post so that consumers and merchants alike can better understand how we process data and what we do to keep that data secure.

Riskified’s Dedication to Security

Before we get into changes for GDPR, we want to reassure everyone that Riskified has always treated our merchants’ data – and the data of their customers – with the utmost care. We only collect the data that we require to successfully perform our service, and we adhere to the highest standards of data security, encryption and more. This has always been – and will always be – the case. We follow the ISO27001:2013 Information Security Management System and adopt the latest information security industry standards. We have numerous policies and technologies in place to protect our service and customer data, including:

    • Access Management
    • Encryption
    • Vulnerability Management
    • Cryptography
    • Physical Security
    • SDLC

Updates for GDPR Compliance

That’s what we’ve always done. But the adoption of GDPR provided an important moment to reaffirm that dedication to security while giving merchants and consumers additional insight into how we work. In addition to performing a comprehensive Data Protection Impact Assessment (DPIA), we also took steps to help consumers seeking to access or delete their data, and instituted protections to make that policy as safe and effective as possible. We also improved our security and access controls to make sure only the people who need access to the data actually have it.

Updates to Our Privacy Policy

To that end, we’ve updated our privacy policy to clarify how we process personal data in the course of providing our services. These updates also clarify the legal basis for those actions and highlight users’ rights. In brief:

    • We’re providing additional details regarding the data we collect, why we collect it and how we use it – including what data we share and with whom.
    • We’ve added an explanation of individuals’ rights with regard to their data, including how to contact us about that data. This will provide consumers with greater control over their personal information.

We encourage everyone to read the full version of the privacy policy and familiarize themselves with how Riskified uses personal data to provide its services.

EU Model Clauses Certifying Compliance

As an added step to reassure merchants of our compliance with GDPR, we’re also making available the EU-sanctioned model clauses to govern the data transfer between merchants and Riskified. Riskified’s service won’t be impacted, and our dedication to merchants’ data and its security will continue. The executed agreement is entirely for the benefit of the merchant, as it certifies that we’re taking all appropriate steps for GDPR compliance. Having that executed agreement in writing provides merchants protection, should any complaints arise.

If you’re a current Riskified merchant interested in executing this agreement, please email [email protected] for that document. Once it is signed and returned, we’ll then countersign and send you the final agreement.

We are also, of course, happy to answer any additional questions you have, including involving our data security and legal teams as needed. Please feel free to contact us at [email protected].