// Trust & Security Report

    Recurly, Inc. logo

    Recurly, Inc.

    Subscription Management and Recurring Billing Platform

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    PCI-DSS Level 1
    HELD

    Recurly is PCI-DSS Level 1 compliant, and recognized on the Visa Global Registry of Service Providers. We meet or exceed all industry-standard payment security practices to protect you and your customers.

    Verify on recurly.com
    SOC 1 Type II
    HELD

    Trust Center lists 'SOC 1 Type II Report' and 'SOC 1 Type II Bridge Letter' under 'Independent third-party attestations and certifications that validate Recurly's security and compliance posture.'

    Verify on trust.recurly.com
    SOC 2 Type II
    HELD

    We're SOC II Type 2 and PSD 2 compliant and meet CCPA, GDPR, and HIPAA requirements. We engage third party auditors and pentesters to ensure the highest quality standards.

    Verify on recurly.com
    GDPR
    HELD

    Trust Center lists GDPR badge under certifications. Privacy policy includes a full 'General Data Protection Regulation (GDPR)' section. A Data Processing Agreement (DPA) is publicly available.

    Verify on trust.recurly.com
    CCPA
    HELD

    We're SOC II Type 2 and PSD 2 compliant and meet CCPA, GDPR, and HIPAA requirements.

    Verify on recurly.com
    PSD2
    HELD

    We're SOC II Type 2 and PSD 2 compliant and meet CCPA, GDPR, and HIPAA requirements.

    Verify on recurly.com
    HIPAA
    HELD

    Recurly states 'Recurly's compliance with HIPAA guidelines allows us to securely manage health information' but describes this as 'guidelines' alignment, not a formal certification. Privacy policy explicitly states 'Recurly's website is not intended to collect or process health information protected under HIPAA unless you have a separate agreement with Recurly for HIPAA-covered services.'

    Verify on docs.recurly.com
    > Show 1 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No mention of ISO 27001 found on any Recurly-owned domain including trust.recurly.com, recurly.com/legal/security/, or recurly.com/product/security-compliance/.

    source: trust.recurly.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primary: US (Google Cloud Platform). Processing also occurs in Brazil, Colombia, EU, India, Mexico, Philippines, Ukraine, and the United Kingdom per the Customer Data Processing Locations page (last updated June 18, 2026).

    Recurly Compass (AI product) is explicit: 'No, Recurly does not currently use merchant data for AI training.' The AI system uses Google Vertex AI, Gemini LLM, and a RAG model. Merchant data is anonymized per Recurly's Privacy Policy. Merchant and subscriber data is never shared with competitors.

    // Security controls

    Encryption at rest

    Multiple layers of encryption in a segmented network with no public internet access. Keys managed via Google KMS, rotated on a regular basis.

    recurly.com

    Encryption in transit

    TLS v1.2 or above for all data in transit over public networks.

    recurly.com

    Infrastructure

    Hosted on Google Cloud Platform. Dedicated hosting environment with 24x7 security and strictly segmented private networks.

    recurly.com

    Penetration testing

    Internal and external network penetration tests performed on a regular basis by third parties. A 'Recurly Security PenTest Report' is available via the Trust Center.

    trust.recurly.com

    Access controls

    Two-factor authentication and strong password controls required for administrative access. Supports SAML, SSO, and configurable user role and permission controls. Audit logs reviewed regularly.

    recurly.com

    Bug bounty / responsible disclosure

    No public bug bounty program on HackerOne or Bugcrowd identified. No security.txt file found at recurly.com/.well-known/security.txt (returned 404). Pen test reports available to customers via Trust Center.

    trust.recurly.com

    CAIQ questionnaire

    A CAIQ Security Questionnaire is available for download via the Trust Center.

    trust.recurly.com

    Business continuity

    Recurly Business Continuity Disaster Recovery Plan (TOC) available via Trust Center.

    trust.recurly.com

    // Products & data scope

    Recurly SubscriptionsSubscription management / recurring billing

    data: Cardholder data, subscriber PII, transaction and billing data, plan configurations. PCI-DSS Level 1 scope applies fully. SOC 1 and SOC 2 Type II audited.

    Core product. Handles payment processing, plan management, dunning, revenue recovery. Visa Global Registry of Service Providers listed.

    Recurly CommerceShopify subscription management

    data: Shopify merchant subscriber data, billing events. Same underlying security posture as Subscriptions.

    Native Shopify app for subscription management. Integrates with Recurly billing.

    Recurly EngageIn-app subscriber engagement / retention

    data: Subscriber behavioral data, in-product interaction data. Privacy policy explicitly carves out a separate section for Engage users with distinct data handling.

    Chat features powered by Zendesk and Google Gemini. Privacy policy requires Engage-specific review.

    Recurly RevRecAutomated revenue recognition (ASC-606 / IFRS-15)

    data: Revenue and billing data for compliance reporting. No cardholder data directly handled.

    Closes the books, automates audit-ready revenue compliance reporting.

    Recurly CompassAI-powered subscription analytics

    data: Anonymized merchant and subscriber data used for insights. No training on merchant data. Runs on Google Vertex AI (Gemini LLM + RAG).

    Explicit commitment: merchant data not used for AI model training. Outputs may include inaccurate information per their disclaimer - verify independently.

    // What to watch

    • HIPAA posture is guidelines-based alignment, not a formal HIPAA certification; a Business Associate Agreement (BAA) requires a separate agreement with Recurly - verify before healthcare use
    • No public bug bounty program (HackerOne/Bugcrowd) identified; security.txt returned 404; responsible disclosure path unclear for external researchers
    • ISO 27001 not referenced anywhere on Recurly's own domains despite enterprise scale and payment data handling
    • Recurly Engage has distinct data handling terms - review the product-specific privacy policy section before deploying
    • Data processing occurs in Ukraine per processing-locations page updated June 18, 2026 - assess geopolitical risk for sensitive data workloads
    • Recurly Compass AI disclaimer: outputs 'may include inaccurate information' and require independent verification

    // At a glance

    Pricing model

    SaaS subscription, likely transaction/volume-based tiers. Free sandbox available; demo required for enterprise pricing.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Recurly, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.recurly.com

    > Browse all vendor trust reports