// Trust & Security Report
Recurly, Inc.
Subscription Management and Recurring Billing Platform
Certifications held
7
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on recurly.com“Recurly is PCI-DSS Level 1 compliant, and recognized on the Visa Global Registry of Service Providers. We meet or exceed all industry-standard payment security practices to protect you and your customers.”
Verify on trust.recurly.com“Trust Center lists 'SOC 1 Type II Report' and 'SOC 1 Type II Bridge Letter' under 'Independent third-party attestations and certifications that validate Recurly's security and compliance posture.'”
Verify on recurly.com“We're SOC II Type 2 and PSD 2 compliant and meet CCPA, GDPR, and HIPAA requirements. We engage third party auditors and pentesters to ensure the highest quality standards.”
Verify on trust.recurly.com“Trust Center lists GDPR badge under certifications. Privacy policy includes a full 'General Data Protection Regulation (GDPR)' section. A Data Processing Agreement (DPA) is publicly available.”
Verify on recurly.com“We're SOC II Type 2 and PSD 2 compliant and meet CCPA, GDPR, and HIPAA requirements.”
Verify on recurly.com“We're SOC II Type 2 and PSD 2 compliant and meet CCPA, GDPR, and HIPAA requirements.”
Verify on docs.recurly.com“Recurly states 'Recurly's compliance with HIPAA guidelines allows us to securely manage health information' but describes this as 'guidelines' alignment, not a formal certification. Privacy policy explicitly states 'Recurly's website is not intended to collect or process health information protected under HIPAA unless you have a separate agreement with Recurly for HIPAA-covered services.'”
> Show 1 unconfirmed / not-held certifications
source: trust.recurly.comNo mention of ISO 27001 found on any Recurly-owned domain including trust.recurly.com, recurly.com/legal/security/, or recurly.com/product/security-compliance/.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primary: US (Google Cloud Platform). Processing also occurs in Brazil, Colombia, EU, India, Mexico, Philippines, Ukraine, and the United Kingdom per the Customer Data Processing Locations page (last updated June 18, 2026).
Recurly Compass (AI product) is explicit: 'No, Recurly does not currently use merchant data for AI training.' The AI system uses Google Vertex AI, Gemini LLM, and a RAG model. Merchant data is anonymized per Recurly's Privacy Policy. Merchant and subscriber data is never shared with competitors.
// Security controls
Encryption at rest
Multiple layers of encryption in a segmented network with no public internet access. Keys managed via Google KMS, rotated on a regular basis.
recurly.comInfrastructure
Hosted on Google Cloud Platform. Dedicated hosting environment with 24x7 security and strictly segmented private networks.
recurly.comPenetration testing
Internal and external network penetration tests performed on a regular basis by third parties. A 'Recurly Security PenTest Report' is available via the Trust Center.
trust.recurly.comAccess controls
Two-factor authentication and strong password controls required for administrative access. Supports SAML, SSO, and configurable user role and permission controls. Audit logs reviewed regularly.
recurly.comBug bounty / responsible disclosure
No public bug bounty program on HackerOne or Bugcrowd identified. No security.txt file found at recurly.com/.well-known/security.txt (returned 404). Pen test reports available to customers via Trust Center.
trust.recurly.comCAIQ questionnaire
A CAIQ Security Questionnaire is available for download via the Trust Center.
trust.recurly.comBusiness continuity
Recurly Business Continuity Disaster Recovery Plan (TOC) available via Trust Center.
trust.recurly.com// Products & data scope
data: Cardholder data, subscriber PII, transaction and billing data, plan configurations. PCI-DSS Level 1 scope applies fully. SOC 1 and SOC 2 Type II audited.
Core product. Handles payment processing, plan management, dunning, revenue recovery. Visa Global Registry of Service Providers listed.
data: Shopify merchant subscriber data, billing events. Same underlying security posture as Subscriptions.
Native Shopify app for subscription management. Integrates with Recurly billing.
data: Subscriber behavioral data, in-product interaction data. Privacy policy explicitly carves out a separate section for Engage users with distinct data handling.
Chat features powered by Zendesk and Google Gemini. Privacy policy requires Engage-specific review.
data: Revenue and billing data for compliance reporting. No cardholder data directly handled.
Closes the books, automates audit-ready revenue compliance reporting.
data: Anonymized merchant and subscriber data used for insights. No training on merchant data. Runs on Google Vertex AI (Gemini LLM + RAG).
Explicit commitment: merchant data not used for AI model training. Outputs may include inaccurate information per their disclaimer - verify independently.
// What to watch
- HIPAA posture is guidelines-based alignment, not a formal HIPAA certification; a Business Associate Agreement (BAA) requires a separate agreement with Recurly - verify before healthcare use
- No public bug bounty program (HackerOne/Bugcrowd) identified; security.txt returned 404; responsible disclosure path unclear for external researchers
- ISO 27001 not referenced anywhere on Recurly's own domains despite enterprise scale and payment data handling
- Recurly Engage has distinct data handling terms - review the product-specific privacy policy section before deploying
- Data processing occurs in Ukraine per processing-locations page updated June 18, 2026 - assess geopolitical risk for sensitive data workloads
- Recurly Compass AI disclaimer: outputs 'may include inaccurate information' and require independent verification
// At a glance
Pricing model
SaaS subscription, likely transaction/volume-based tiers. Free sandbox available; demo required for enterprise pricing.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Recurly, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.recurly.com