
# For your procurement team

> Vendor onboarding info for Recurr: entity details, insurance, compliance, security posture, AP and invoicing process. Designed to answer the standard procurement questionnaire.

This page consolidates the information procurement and vendor-operations teams typically gather during vendor onboarding. Most of it can be lifted directly into your security-questionnaire response or vendor-risk-assessment template.

## Entity information

* **Legal name:** Recurr Pty Ltd
* **ABN:** 31 693 957 809
* **Entity type:** Australian Pty Ltd (proprietary limited company)
* **Jurisdiction of formation:** Australia
* **Year of formation:** 2025

Banking and remittance details appear on the engagement-specific invoice and are not published.

## Insurance posture

Recurr maintains commercial insurance scaled to the ICP (ideal customer profile) band of the engagement, which is keyed to the customer's ARR.

| ICP band (customer ARR)  | Cyber + Tech E\&O combined (per claim / aggregate) | Additional coverage |
| ------------------------ | -------------------------------------------------- | ------------------- |
| Pre-customer #1 baseline | $2M / $2M                                          | —                   |
| Band 2 (\$3-10M ARR)     | $5M / $5M                                          | —                   |
| Band 3 (\$10-30M ARR)    | $10M Cyber + $5M Tech E\&O                         | Crime coverage      |

**Coverage shape:**

* **Cyber liability** — data breach response, regulatory defense, third-party claims arising from data incidents
* **Tech E\&O (Errors & Omissions)** — claims arising from professional services + technology errors
* **Crime coverage** (Band 3) — employee fidelity, social engineering, funds-transfer fraud

**Customer named as additional insured** on request.

**Certificate of insurance** available during contract negotiation or on procurement-team request.

## Compliance posture

### Current

* **GDPR** — DPA in place; compliant data-processing posture for EU subscribers
* **CCPA** — DPA in place; compliant data-processing posture for California subscribers
* **PCI DSS** — Stripe captures and processes all card data as a PCI DSS Level 1 service provider; no card data transits or is stored on Recurr infrastructure, which keeps Recurr outside the cardholder-data environment. The customer, as the merchant on its own Stripe Connect account, retains its own (reduced-scope) PCI self-assessment obligation; outsourcing card handling to Stripe reduces that scope rather than removing it.
* **Stripe Connect compliance** — Recurr operates as a Stripe Connect platform; Stripe maintains the underlying PCI posture

### In progress

* **SOC 2 Type I** — target alongside customer-#1 deployment
* **SOC 2 Type II** — target 12 months after Type I

### On request (customer-specific)

* **HIPAA BAA** — available for customers in healthcare-adjacent applications
* **Other regulatory addenda** — scoped per customer at contract time

## Security questionnaire material

Standard questions and where the detailed answers live.

### Authentication + access

| Question                                 | Answer                                                        | Where to find more                        |
| ---------------------------------------- | ------------------------------------------------------------- | ----------------------------------------- |
| How is administrative access controlled? | Role-based access with MFA required. Audit-logged.            | [Infrastructure →](/trust/infrastructure) |
| Are credentials managed by SSO?          | Yes — Google Workspace SSO + 1Password for shared credentials | —                                         |
| Is least-privilege enforced?             | Yes — production access is per-role, time-bound, audit-logged | [Infrastructure →](/trust/infrastructure) |

### Data security

| Question                           | Answer                                                                                                               | Where to find more                        |
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- |
| Where does customer data live?     | AWS US-East (us-east-1); multi-region scoped post-customer-5                                                         | [Data handling →](/trust/data-handling)   |
| Is data encrypted at rest?         | Yes — AES-256 via AWS-managed keys + Supabase encryption                                                             | [Infrastructure →](/trust/infrastructure) |
| Is data encrypted in transit?      | Yes — TLS 1.2+ for all customer-facing surfaces and webhook delivery                                                 | [Infrastructure →](/trust/infrastructure) |
| What is the data retention policy? | Subscription state retained for engagement + 30 days post-termination. Webhook events 90 days default, configurable. | [Data handling →](/trust/data-handling)   |
| How is PII handled in logs?        | PII excluded from production logs by default; structured logging with explicit PII redaction                         | [Data handling →](/trust/data-handling)   |

### Operational security

| Question                          | Answer                                                                                                                    | Where to find more                                |
| --------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- |
| Vulnerability disclosure process? | [security@recurr.dev](mailto:security@recurr.dev) with PGP available on request; 30-day response SLA for in-scope reports | —                                                 |
| Penetration testing?              | Pre-customer baseline: founder-led internal review. Third-party pen test scheduled alongside customer-#1 deployment.      | [Compliance posture →](/trust/compliance-posture) |
| Incident response?                | Page within 5 min of detection; acknowledgement within 15 min; status page updated within 30 min; postmortem within 5 business days | [Reliability →](/trust/reliability)               |
| Backup + disaster recovery?       | Encrypted cross-region backups; RPO 1 hour, RTO 4 hours                                                                   | [Infrastructure →](/trust/infrastructure)         |

### Subprocessor list

**Processors handling subscriber data** (named in the DPA):

* **Stripe** — payment processing
* **Supabase** — managed Postgres + auth (subscriber records, subscription state)
* **Vercel** — hosting for customer-facing surfaces (branded checkout, billing portal, help center)
* **Resend** — transactional email delivery
* **AWS** — underlying infrastructure

**Internal tooling** (operational only, no subscriber PII by default):

* **Sentry** — error monitoring; subscriber identifiers excluded from production logs
* **PostHog** — Recurr-side product analytics for the tenant dashboard; subscriber PII not piped through
* **Google Workspace** — internal operations

Updated quarterly. Customers receive 30-day advance notice for changes to the subscriber-data processor list. Internal tooling changes are not subject to notification.

## AP / invoicing process

### Pilot deposit

* **Amount**: from \$10K, scaled to Migration Program size
* **Charged**: at signing — this is what reserves the pilot slot
* **Payment method**: card by default; bank rails (ACH, wire, local rails) available via Airwallex
* **Terms**: refundable until kickoff (less payment-processing fees); credited in full against the Migration Program fee
* **Currency**: USD default; AUD or GBP available

### Migration Program fee

* **Amount**: less than one month of current app-store fees — computed from audited ARR and fixed at signing
* **Invoiced**: at migration kickoff
* **Payment method**: Airwallex
* **Terms**: Net 30 — and the due date extends automatically until your revenue on Recurr has covered the invoice
* **Currency**: USD default

### Platform fee + performance pricing

* **Mechanic**: deducted at settlement through Stripe Connect (not invoiced)
* **Visible on**: every Stripe charge as line-item `application_fee` entries
* **Reconciliation**: monthly statement from Recurr summarising platform fee and performance pricing deductions

See [Billing + tax operations →](/working-with/billing-and-tax) for the full flow.
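Because the deductions above leave a per-charge record in Stripe, the monthly statement can be checked against Stripe's own data rather than taken on trust. The script below is an added example written for this page, not Recurr's or Stripe's code. It assumes the fee records were exported beforehand in the shape of Stripe `ApplicationFee` objects (`id`, `account`, `amount`, `amount_refunded`, `currency`, `charge`, `created`), that the statement arrives as per-currency monthly lines with separate `platform_fee` and `performance_pricing` totals in minor units, and that the `acct_` identifier of your own connected account is known; the statement field names are assumptions, and the sample fee and statement records are constructed for the example. It buckets fees by calendar month in UTC (Stripe timestamps are UTC), nets out refunded fee amounts, refuses to count fees taken from any other connected account, and reports each (month, currency) bucket with its delta.

```python
"""Reconcile a monthly platform-fee statement against Stripe application-fee records.

Added example; not Recurr's or Stripe's code. Assumptions: the Stripe records are
shaped like ApplicationFee objects from the Stripe API (`id`, `account`, `amount`
and `amount_refunded` in minor units, `currency`, `charge`, `created` as epoch
seconds) and were exported beforehand, so nothing here touches the network.
Statement lines are assumed to carry per-currency monthly totals for the two
deduction types, also in minor units.
"""
from collections import defaultdict
from datetime import datetime, timezone


def epoch(y, m, d, hh=0, mm=0):
    """UTC epoch seconds; Stripe `created` timestamps are UTC."""
    return int(datetime(y, m, d, hh, mm, tzinfo=timezone.utc).timestamp())


def period_of(created):
    """Month bucket ("YYYY-MM") for a Stripe `created` timestamp, computed in UTC."""
    return datetime.fromtimestamp(created, tz=timezone.utc).strftime("%Y-%m")


def stripe_fee_totals(fees, own_account):
    """Sum net application fees (amount minus refunds) per (period, currency).

    Fees taken from any account other than `own_account` are not yours; they are
    returned separately instead of being folded into the totals.
    """
    totals = defaultdict(int)
    foreign = []
    for fee in fees:
        if fee["account"] != own_account:
            foreign.append(fee["id"])
            continue
        net = fee["amount"] - fee.get("amount_refunded", 0)
        totals[(period_of(fee["created"]), fee["currency"].lower())] += net
    return dict(totals), foreign


def reconcile(statement, fees, own_account, tolerance=0):
    """Compare statement totals with Stripe totals for every (period, currency) seen on either side."""
    stripe_totals, foreign = stripe_fee_totals(fees, own_account)
    stmt_totals = {
        (line["period"], line["currency"].lower()):
            line["platform_fee"] + line["performance_pricing"]
        for line in statement
    }
    results = {}
    for key in sorted(set(stmt_totals) | set(stripe_totals)):
        s, t = stmt_totals.get(key, 0), stripe_totals.get(key, 0)
        results[key] = {"statement": s, "stripe": t, "delta": t - s,
                        "ok": abs(t - s) <= tolerance}
    return results, foreign


# Constructed sample data for this example (not real Stripe objects or a real statement).
OWN_ACCOUNT = "acct_example_customer"
SAMPLE_FEES = [
    {"id": "fee_001", "account": OWN_ACCOUNT, "amount": 250, "amount_refunded": 0,
     "currency": "usd", "charge": "ch_001", "created": epoch(2025, 3, 3)},
    {"id": "fee_002", "account": OWN_ACCOUNT, "amount": 400, "amount_refunded": 100,
     "currency": "usd", "charge": "ch_002", "created": epoch(2025, 3, 15)},
    # 23:59 UTC on 31 March stays in March; bucketing in local time could move it.
    {"id": "fee_003", "account": OWN_ACCOUNT, "amount": 150, "amount_refunded": 0,
     "currency": "usd", "charge": "ch_003", "created": epoch(2025, 3, 31, 23, 59)},
    {"id": "fee_004", "account": OWN_ACCOUNT, "amount": 500, "amount_refunded": 0,
     "currency": "usd", "charge": "ch_004", "created": epoch(2025, 4, 1)},
    {"id": "fee_005", "account": OWN_ACCOUNT, "amount": 120, "amount_refunded": 0,
     "currency": "gbp", "charge": "ch_005", "created": epoch(2025, 3, 20)},
    # A fee taken from some other connected account: must not be counted as ours.
    {"id": "fee_006", "account": "acct_someone_else", "amount": 999, "amount_refunded": 0,
     "currency": "usd", "charge": "ch_006", "created": epoch(2025, 3, 21)},
]
SAMPLE_STATEMENT = [
    {"period": "2025-03", "currency": "USD", "platform_fee": 500, "performance_pricing": 200},
    {"period": "2025-04", "currency": "USD", "platform_fee": 350, "performance_pricing": 100},
]

if __name__ == "__main__":
    results, foreign = reconcile(SAMPLE_STATEMENT, SAMPLE_FEES, OWN_ACCOUNT)
    for (period, ccy), r in results.items():
        flag = "ok      " if r["ok"] else "MISMATCH"
        print(f"{flag} {period} {ccy.upper()}: statement={r['statement']} "
              f"stripe={r['stripe']} delta={r['delta']}")
    if foreign:
        print("fees from other accounts (excluded):", ", ".join(foreign))
```

Run as a script, the March USD bucket reconciles, the April USD line comes out 50 minor units short of what Stripe recorded, and the March GBP fees have no statement line at all; those are the gaps to raise with Recurr before paying. Tolerance is zero by default because fee deductions are integers in minor units; set it only if the statement is known to round.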

## Vendor risk assessment

### Dependency profile

* **Single-vendor lock-in?** No. Subscriptions live in customer's own Stripe Connect account. Recurr is the operational interface for managing them; if Recurr ceases to operate, subscriptions continue billing through Stripe uninterrupted, and account control transitions to the customer via Stripe's standard platform-disconnection process. See [portability →](/trust/portability-and-reversibility).
* **Single-source dependency?** On the Recurr platform itself, yes; the payment rail (Stripe) is industry-standard and replaceable in extremis.
* **Founder-led delivery during early phase?** Yes, with bounded operational capacity. As Recurr scales, delivery shifts to the engineering team; customers in the early cohort receive more founder involvement as a perk.

### Data exit story

* All subscriber + subscription state exports as CSV or JSON via the dashboard
* Historical webhook events replayable via the Replay API
* Stripe Dashboard already holds the complete billing record (Stripe Connect = customer's account)
* No data lock-in

See [portability + reversibility →](/trust/portability-and-reversibility).

### Termination mechanics

| Termination type                   | Notice                         |
| ---------------------------------- | ------------------------------ |
| End of term (convenience)          | 60 days                        |
| Material breach (with 30-day cure) | 30 days from cure-period close |
| Customer non-payment               | 60 days from payment due date  |
| Regulatory / legal mandate         | Immediate, with notice         |

Detailed in the MSA — see [Legal →](/for-your-role/legal).

## Reference customers

Customer logos and named case studies will be published as the customer base grows through the Design Partner Program.

Interim signals for evaluation:

* Founder background and prior subscription-platform work
* Detailed technical + commercial documentation across `docs.recurr.dev`
* Structural customer protection — subscriptions live in your own Stripe Connect account and continue independently of Recurr's operational status (see Vendor risk assessment above)
* Industry methodology grounding (Apple developer terms, Stripe Connect documentation)

Direct references will be available on an opt-in basis as the customer base grows.

## Cross-references

* [Legal →](/for-your-role/legal) — MSA shape, DPA, IP ownership, indemnification
* [Compliance posture →](/trust/compliance-posture) — full regulatory posture
* [Reliability →](/trust/reliability) — operational SLAs, incident response
* [Risk register →](/trust/risk-register) — what could go wrong, full coverage
* [Billing + tax operations →](/working-with/billing-and-tax) — AP/invoicing process detail
* [Portability + reversibility →](/trust/portability-and-reversibility) — data exit story
