Frequently asked questions

Security

How do I know my money is safe?

We are authorised by the Financial Conduct Authority to provide payment services as an Authorised Payment Institution. We serve more businesses than any other Direct Debit provider. All money collected is held in a secure client monies account with either the Royal Bank of Scotland, Barclays Bank, BNP Paribas, Danske Bank, JP Morgan, RBC, CFSB or ASB.

How does GoCardless protect my data?

At GoCardless we know security is important, especially when it comes to payments. Our merchants rely on us to invest in security and maintain robust data protection for them and their customers.

• Our access to the Direct Debit system is provided by major banks, who have approved our systems.

• All customer data is treated in accordance with European data protection laws, including the Data Protection Act 1998.

• Our financial data server is separated from our application server by multiple firewalls.

• All client-server communication is 256-bit SSL encrypted. The banking system requires just 128-bit.

• We have received ISO 27001 certification for information security.

What is ISO 27001 certification?

GoCardless has been awarded ISO 27001 certification. ISO 27001 is a widely recognised, internationally accepted standard for information security and we have attained it across all GoCardless services and products. An accredited independent auditor has assessed our processes and controls, and confirmed they align with the certification standard. British Assessment Bureau, an ISO accredited certification body, has certified our compliance with the ISO standard. Having ISO 27001 certification helps assure our merchants and their customers that we take information security management seriously. GoCardless will ensure that an independent auditor will reassess our Information Security Management System on an annual basis.

What do you do with my money before it is paid out?

All money collected is held in a secure client monies account held with one of our partner banks. Funds are held fully in accordance with safeguarding provisions.

Is it safe for my customers?

Yes. Your customers are protected by SEPA Direct Debit Customer Protection in the Eurozone and the Direct Debit Guarantee in the UK. There are also customer protections offered in other Direct Debit schemes, you can see an overview of these protections in our Direct Debit guides.

Vulnerability Disclosure

We care deeply about keeping our users safe. If you believe you have discovered a vulnerability, we ask that you disclose it in a responsible manner. Sharing vulnerabilities publicly puts our entire user base at risk, so we urge you to keep issues private until we’ve had a chance to release a fix. If you are interested in testing our service for vulnerabilities, then we would appreciate any reports regarding our Merchant Dashboard and API. Please conduct testing on our Sandbox environment only. You can sign up for a Sandbox account to get started. Our developer documentation provides details on how to configure an account.

Reporting issues

• Report via https://hackerone.com/gocardless_bbp or email vuln-disc@gocardless.com as soon as you become aware of the issue.

• You will be asked to register on HackerOne and submit the issue via our Bug Bounty Program.

• In the initial email include a general overview of the issue, please do not include steps for reproducing the issue. We will provide you a secure way to communicate further details.

• When demonstrating the issue only exploit the vulnerability using a benign payload to demonstrate the issue using your own accounts.

• Do not disclose the issue to anyone else until we have confirmed a fix or resolution."

Rules

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

• Denial of service attacks

• Do not attempt to access or modify any user data that is not your own.

• Do not degrade the performance of our services (e.g. via automated scanning, brute forcing, or denial of service attacks)

• Social engineering attacks

• Physical attacks or threats against our staff or users

• Theoretical scenarios that do not demonstrate an impact.  E.g. a tool reporting a weak cipher suite due to lack of Perfect Forward Secrecy.