
Honest answers on the compliance posture, including what’s in place today and what’s on the roadmap.

SOC 2

Status: Recurr runs on underlying infrastructure vendors with SOC 2 Type II programs (Vercel, Supabase, Stripe, Resend). Recurr-side SOC 2 Type II audit not yet completed. Trigger to formalize: the first enterprise customer whose security review requires a Recurr-issued SOC 2 attestation. This kicks off the formal audit process (typically 6–9 months end-to-end with a CPA firm). Cost is meaningful at small scale; the framework’s priority is to land the first customer with formal requirements before incurring the cost speculatively. For customers reviewing today: underlying-vendor compliance documentation is available on request. Recurr’s own controls, DPA, sub-processors, and data handling are documented in the MSA package.

GDPR

Status: Compliant by design.
  • Lawful basis: legitimate interest for transactional + migration emails to existing subscribers; explicit consent for any marketing-cadence communications
  • DPA: included in the MSA as a standard appendix
  • Sub-processors: disclosed in the DPA; 30-day notification of changes
  • Subject rights: access, erasure, portability, objection — all supported via the customer’s own channel or directly through Recurr support
  • Data residency: data lives in US regions of the underlying infrastructure (Supabase US-East, Stripe US-based; for EU-required residency, the framework can configure EU regions on request)

CCPA / CPRA

Status: Compliant. Recurr does not “sell” personal information under CCPA’s definition. Subject rights are supported on the same path as GDPR.

PCI DSS

Status: Out of scope for Recurr. Card data is handled exclusively by Stripe via their hosted card entry (Stripe Elements). Card numbers, CVVs, and full payment data never touch Recurr’s infrastructure or the customer’s domain. Recurr is on a Self-Assessment Questionnaire (SAQ) A path for any incidental Stripe interactions; the customer’s Stripe Connect account inherits Stripe’s Level 1 PCI DSS Service Provider status.

HIPAA

Status: Not currently configured. If your app processes Protected Health Information (PHI), Recurr is not the right billing-migration platform without specific BAA configuration. Mention this in the Migration Review; the framework can scope a HIPAA-compatible deployment with the underlying vendors (Stripe, Supabase, Vercel all support HIPAA configurations) but it requires an explicit setup that defaults don’t provide.

Apple App Store / Google Play

Status: Compliant by operational design. Migration runs entirely outside the app binary. Apple App Store Review Guideline 3.1.3(b) explicitly permits the email-based out-of-app communication that the framework uses. Google Play has parallel terms. See Apple compliance and Google Play compliance for the specifics.

EU Digital Markets Act

Status: Compliant; default operates outside any DMA-specific in-app paths. The framework can opt into DMA-permitted in-app communication for EU-heavy apps where there’s a meaningful upside. Default is policy-conservative across all jurisdictions for operational simplicity. See EU DMA.

What enterprise security reviews typically ask

If your security team is running a standard review, the questions and current Recurr answers:
Question: Answer
  • SOC 2 Type II: Underlying vendors have SOC 2 Type II programs; Recurr-side audit on roadmap
  • GDPR DPA: Included in MSA
  • Sub-processor list: In DPA; 30-day notification on changes
  • Encryption at rest: AES-256 (Supabase default)
  • Encryption in transit: TLS 1.2+ enforced
  • Backup posture: Supabase automated daily backups, 30-day retention with point-in-time recovery
  • Incident response: 72-hour notification to named contact for confirmed breaches
  • Penetration testing: Inherited via vendor pen-test cycles; Recurr-side cycle on roadmap with SOC 2
  • Bug bounty / vulnerability disclosure: Direct disclosure to security@recurr.dev
  • Service availability: 99.9% target uptime measured monthly across platform API + checkout. Real-time status: recurr.instatus.com
  • Data portability on exit: See Portability and reversibility

When the answers don’t match

If your security review needs answers that the current posture doesn’t deliver, the Migration Review is the place to surface that. The framework can prioritize specific compliance work (formal SOC 2 audit kickoff, HIPAA configuration, regional data residency) when there’s a customer-specific reason — that’s how this matures.