diff --git a/app/controllers/nonprofits/recurring_donations_controller.rb b/app/controllers/nonprofits/recurring_donations_controller.rb
index 35be402d..0a1f2c37 100644
--- a/app/controllers/nonprofits/recurring_donations_controller.rb
+++ b/app/controllers/nonprofits/recurring_donations_controller.rb
@@ -65,15 +65,15 @@ module Nonprofits
 
     def update
       json_saved UpdateRecurringDonations
-        .update(current_recurring_donation, params[:recurring_donation])
+        .update(current_recurring_donation, recurring_donation_params)
     end
 
     # post /nonprofits/:nonprofit_id/recurring_donations
     def create
-      if params[:recurring_donation][:token]
-        render_json { InsertRecurringDonation.with_stripe(params[:recurring_donation]) }
-      elsif params[:recurring_donation][:direct_debit_detail_id]
-        render JsonResp.new(params[:recurring_donation]) do |_data|
+      if recurring_donation_params[:token]
+        render_json { InsertRecurringDonation.with_stripe(recurring_donation_params) }
+      elsif recurring_donation_params[:direct_debit_detail_id]
+        render JsonResp.new(recurring_donation_params) do |_data|
           requires(:amount).as_int
           requires(:supporter_id, :nonprofit_id, :direct_debit_detail_id).as_int
           optional(:dedication, :designation).as_string
@@ -86,10 +86,14 @@ module Nonprofits
       end
     end
 
-      private
+    private
 
     def current_recurring_donation
       @recurring_donation ||= current_nonprofit.recurring_donations.find params[:id]
     end
+
+    def recurring_donation_params
+      params.require(:recurring_donation).permit(:amount, :active, :paydate, :interval, :time_unit, :start_date, :end_date, :n_failures, :edit_token, :cancelled_by, :cancelled_at, :donation_id, :nonprofit_id, :supporter_id)
     end
+  end
 end
diff --git a/app/models/recurring_donation.rb b/app/models/recurring_donation.rb
index cb453abf..02c40da6 100644
--- a/app/models/recurring_donation.rb
+++ b/app/models/recurring_donation.rb
@@ -4,22 +4,20 @@
 require 'timespan'
 
 class RecurringDonation < ApplicationRecord
-  # TODO:
-  # attr_accessible \
-  #   :amount, # int (cents)
-  #   :active, # bool (whether this recurring donation should still be paid)
-  #   :paydate, # int (fixed date of the month for monthly recurring donations)
-  #   :interval, # int (interval of time, ie the '3' in '3 months')
-  #   :time_unit, # str ('month', 'day', 'week', or 'year')
-  #   :start_date, # date (when to start this recurring donation)
-  #   :end_date, # date (when to deactivate this recurring donation)
-  #   :n_failures, # int (how many times the charge has failed)
-  #   :edit_token, # str / uuid to validate the editing page, linked from their email client
-  #   :cancelled_by, # str email of user/supporter who made the cancellation
-  #   :cancelled_at, # datetime of user/supporter who made the cancellation
-  #   :donation_id, :donation,
-  #   :nonprofit_id, :nonprofit,
-  #   :supporter_id #used because things are messed up in the datamodel
+  # :amount, # int (cents)
+  # :active, # bool (whether this recurring donation should still be paid)
+  # :paydate, # int (fixed date of the month for monthly recurring donations)
+  # :interval, # int (interval of time, ie the '3' in '3 months')
+  # :time_unit, # str ('month', 'day', 'week', or 'year')
+  # :start_date, # date (when to start this recurring donation)
+  # :end_date, # date (when to deactivate this recurring donation)
+  # :n_failures, # int (how many times the charge has failed)
+  # :edit_token, # str / uuid to validate the editing page, linked from their email client
+  # :cancelled_by, # str email of user/supporter who made the cancellation
+  # :cancelled_at, # datetime of user/supporter who made the cancellation
+  # :donation_id, :donation,
+  # :nonprofit_id, :nonprofit,
+  # :supporter_id #used because things are messed up in the datamodel
 
   scope :active,   -> { where(active: true) }
   scope :inactive, -> { where(active: [false, nil]) }