Entity information
- Legal name: Recurr Pty Ltd
- ABN: 31 693 957 809
- Entity type: Australian Pty Ltd (proprietary limited company)
- Jurisdiction of formation: Australia
- Year of formation: 2025
Banking and remittance details are on the engagement-specific invoice; not published publicly.
Insurance posture
Recurr maintains commercial insurance scaled to the ICP band of the customer engagement.
| ICP band (customer ARR) | Cyber + Tech E&O combined | Additional coverage |
|---|---|---|
| Pre-customer #1 baseline | 2M aggregate | — |
| Band 2 ($3-10M ARR) | 5M aggregate | — |
| Band 3 ($10-30M ARR) | 5M Tech E&O | Crime coverage |
- Cyber liability — data breach response, regulatory defense, third-party claims arising from data incidents
- Tech E&O (Errors & Omissions) — claims arising from professional services + technology errors
- Crime coverage (Band 3) — employee fidelity, social engineering, funds-transfer fraud
Compliance posture
Current
- GDPR — DPA in place; compliant data-processing posture for EU subscribers
- CCPA — DPA in place; compliant data-processing posture for California subscribers
- PCI DSS — Stripe handles all card-data processing under PCI DSS Level 1. Recurr is not in PCI scope (no card data touches Recurr infrastructure).
- Stripe Connect compliance — Recurr operates as a Stripe Connect platform; Stripe maintains the underlying PCI posture
In progress
- SOC 2 Type I — target alongside customer-#1 deployment
- SOC 2 Type II — target 12 months after Type I
On request (customer-specific)
- HIPAA BAA — available for customers in healthcare-adjacent applications
- Other regulatory addenda — scoped per customer at contract time
Security questionnaire material
Standard questions and where the detailed answers live.
Authentication + access
| Question | Answer | Where to find more |
|---|---|---|
| How is administrative access controlled? | Role-based access with MFA required. Audit-logged. | Infrastructure → |
| Are credentials managed by SSO? | Yes — Google Workspace SSO + 1Password for shared credentials | — |
| Is least-privilege enforced? | Yes — production access is per-role, time-bound, audit-logged | Infrastructure → |
Data security
| Question | Answer | Where to find more |
|---|---|---|
| Where does customer data live? | AWS US-East (us-east-1); multi-region scoped post-customer-5 | Data handling → |
| Is data encrypted at rest? | Yes — AES-256 via AWS-managed keys + Supabase encryption | Infrastructure → |
| Is data encrypted in transit? | Yes — TLS 1.2+ for all customer-facing surfaces and webhook delivery | Infrastructure → |
| What is the data retention policy? | Subscription state retained for engagement + 30 days post-termination. Webhook events 90 days default, configurable. | Data handling → |
| How is PII handled in logs? | PII excluded from production logs by default; structured logging with explicit PII redaction | Data handling → |
Operational security
| Question | Answer | Where to find more |
|---|---|---|
| Vulnerability disclosure process? | security@recurr.dev with PGP available on request; 30-day response SLA for in-scope reports | — |
| Penetration testing? | Pre-customer baseline: founder-led internal review. Third-party pen test scheduled alongside customer-#1 deployment. | Compliance posture → |
| Incident response? | Detection → 5min page, response → 15min ack, status page updated within 30min, postmortem within 5 business days | Reliability → |
| Backup + disaster recovery? | Encrypted cross-region backups; RPO 1 hour, RTO 4 hours | Infrastructure → |
Subprocessor list
Processors handling subscriber data (named in the DPA):
- Stripe — payment processing
- Supabase — managed Postgres + auth (subscriber records, subscription state)
- Vercel — hosting for customer-facing surfaces (branded checkout, billing portal, help center)
- Resend — transactional email delivery
- AWS — underlying infrastructure
- Sentry — error monitoring; subscriber identifiers excluded from production logs
- PostHog — Recurr-side product analytics for the tenant dashboard; subscriber PII not piped through
- Google Workspace — internal operations
AP / invoicing process
Pilot deposit
- Amount: from $10K, scaled to Migration Program size
- Charged: at signing — this is what reserves the pilot slot
- Payment method: card by default; bank rails (ACH, wire, local rails) available via Airwallex
- Terms: refundable until kickoff (minus payment processing), credited in full against the Migration Program fee
- Currency: USD default; AUD or GBP available
Migration Program fee
- Amount: less than one month of current app-store fees — computed from audited ARR and fixed at signing
- Invoiced: at migration kickoff
- Payment method: Airwallex
- Terms: Net 30 — and the due date extends automatically until your revenue on Recurr has covered the invoice
- Currency: USD default
Platform fee + performance pricing
- Mechanic: deducted at settlement through Stripe Connect (not invoiced)
- Visible on: every Stripe charge as line-item `application_fee` entries
- Reconciliation: monthly statement from Recurr summarising platform fee and performance pricing deductions
Vendor risk assessment
Dependency profile
- Single-vendor lock-in? No. Subscriptions live in customer’s own Stripe Connect account. Recurr is the operational interface for managing them; if Recurr ceases to operate, subscriptions continue billing through Stripe uninterrupted, and account control transitions to the customer via Stripe’s standard platform-disconnection process. See portability →.
- Single-source-code dependency? On the Recurr platform, yes; the payment rail (Stripe) is industry-standard and replaceable in extremis.
- Founder-led delivery during early phase? Yes — bounded operational capacity. As Recurr scales, delivery shifts to the engineering team. Customers in the early cohort receive higher founder touch as a perk.
Data exit story
- All subscriber + subscription state exports as CSV or JSON via the dashboard
- Historical webhook events replayable via the Replay API
- Stripe Dashboard already holds the complete billing record (Stripe Connect = customer’s account)
- No data lock-in
Termination mechanics
| Termination type | Notice |
|---|---|
| End of term (convenience) | 60 days |
| Material breach (with 30-day cure) | 30 days from cure-period close |
| Customer non-payment | 60 days from payment due date |
| Regulatory / legal mandate | Immediate, with notice |
Reference customers
Customer logos and named case studies will be published as the customer base grows through the Design Partner Program. Interim signals for evaluation:
- Founder background and prior subscription-platform work
- Detailed technical + commercial documentation across docs.recurr.dev
- Structural customer protection — subscriptions live in your own Stripe Connect account and continue independently of Recurr’s operational status (see Vendor risk assessment above)
- Industry methodology grounding (Apple developer terms, Stripe Connect documentation)
Cross-references
- Legal → — MSA shape, DPA, IP ownership, indemnification
- Compliance posture → — full regulatory posture
- Reliability → — operational SLAs, incident response
- Risk register → — what could go wrong, full coverage
- Billing + tax operations → — AP/invoicing process detail
- Portability + reversibility → — data exit story
