GDPR, Data Protection and IT Security at Rich Returns

Data protection and information security are key elements of Rich Returns' products and services. Protecting your data and earning your trust is pivotal to us. Therefore, we have implemented, and continue to develop, technical and organizational measures to ensure the secure processing of information.
Our practices are based on the legal framework of the European General Data Protection Regulation (EU GDPR) as well as common standards, guidelines and principles of IT Security and Protection.

A powerful choice for privacy-focused companies

What does the GDPR mean for your business operations?

The GDPR defines an extended set of rights for European Union citizens and residents regarding their personal information. Consequently, it describes strict requirements for companies and organizations on collecting, storing, processing and managing personal data.

Since when?

Applicable from May 25, 2018.

What are the fines?

Fines up to 4% of global revenue.

Even for US companies?

Applies to every company doing business in the EU.

Build trust?

Data protection is a chance to enhance consumer trust.

Whether you are a data controller or a data processor, the GDPR changes how you handle personal data in the cloud. Rich Returns helps you meet the new requirements. The GDPR requires that all organizations design and implement workflows and processes with privacy by design and by default. This means that your business should prioritize data protection from the very beginning when setting up new processes. Data protection should be an essential part of all services, not an extra option added later.

Choosing a returns solution

Can I just choose a returns solution from any country for EU customers?

Short answer: No

As an eCommerce business operating a store, you are the entity controlling the customer data; under the GDPR this is called the 'data controller'. You are required to audit all entities that process this data on your behalf, your 'data processors' (e.g. a returns solution provider), and ensure that each provider is GDPR compliant.

By invalidating the EU-US Privacy Shield, the recent Schrems II decision changed the way organizations manage personal data transfers overnight. To legally transfer personal data from the EU to a third country, it must be shown that the recipient country and company provide a level of data protection equivalent to that of the GDPR.

Key facts about our security policy and server infrastructure

EU Hosting

All customer data is hosted in the EU with ISO 27001, 27017, 27018 and SOC1, SOC2, SOC3 compliant partners in order to comply with EU GDPR requirements.

24/7 Proactive Monitoring

All our systems are continuously monitored for security, availability, and performance.

SSL/HTTPS Encryption

Communication with our servers is encrypted in transit using HTTPS (SSL/TLS).

Professional Data Centers

We exclusively use leading data center providers with excellent physical security controls.

System & Data Backups

All our systems are regularly backed up for disaster recovery and system outages.

Automatic Updates

Benefit from full maintenance with automated system and application updates.

High Availability

World-class data connectivity and uptime; see our status page for details and past performance.

Access Permissions

Fine-grained access control via system permissions, roles, and network addresses.

General Information on Data Protection

All Rich Returns employees are bound to data secrecy and data protection in general and are made aware of the consequences of any breach. In addition, we regularly run training and awareness programs on the handling of personal data and on data protection. These programs also cover new legislation such as the European General Data Protection Regulation (EU GDPR).

We assume that we already comply with the essential requirements of the EU GDPR. This includes data protection by design and by default as stipulated in Article 25 of the EU GDPR, as well as supporting the customer in respecting the rights of data subjects, such as the right to erasure of personal data and the rights of access and data portability (Chapter 3 of the EU GDPR). Nevertheless, we continue to make sure that the application, the underlying infrastructure and our organizational structure are suitably equipped at all levels to meet the requirements of the EU GDPR.

Data protection is an integral element of our product strategy. Therefore, even at the development stage of our features and roadmap, we carefully respect principles such as data minimisation and use state-of-the-art measures to ensure an adequate level of protection. In addition, when preparing for the EU GDPR, we reviewed the default settings of the entire application and adapted them to provide the highest possible level of data protection while still ensuring user friendliness. Furthermore, the settings can generally be adapted to the customer's individual needs. To ensure this on an ongoing basis, we have also defined a process for feeding legal requirements into product development and for reviewing the application accordingly at set intervals.

In the unlikely event of a data breach at Rich Returns, if personal data of a customer is affected and the breach is likely to entail a risk to the rights and freedoms of the customer's staff, Rich Returns will immediately notify the customer concerned, so as to enable them to fulfill their legal obligation to inform the regulatory authority and the individuals concerned.

For responsible disclosure please get in touch with us directly and include the following details:

Web application and APIs:
– URL where the vulnerability was detected
– Account name
– Type of vulnerability
– Information on how the vulnerability can be reproduced