Data Processing Agreement

Effective Date: March 28, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between the entity identified as the customer in the Agreement (“Controller” or “Customer”) and RecoverKit (“Processor”), collectively referred to as the “Parties.”

This DPA sets out the terms under which the Processor processes Personal Data on behalf of the Controller in connection with the RecoverKit service (“Service”), in compliance with Regulation (EU) 2016/679 (the “GDPR”), the UK General Data Protection Regulation, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and all other applicable data protection laws.

1. Definitions

In this DPA, unless the context requires otherwise:

“Controller” means the Customer (merchant) who determines the purposes and means of processing Personal Data and on whose behalf the Processor processes Personal Data through the Service.
“Processor” means RecoverKit, which processes Personal Data on behalf of and under the instructions of the Controller.
“Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Service.
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) that is processed by the Processor on behalf of the Controller under this DPA.
“Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.
“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
“Applicable Data Protection Laws” means all laws and regulations relating to the processing of Personal Data that apply to the performance of this DPA, including the GDPR, the UK GDPR, the Swiss FADP, the CCPA/CPRA, and any applicable national implementing legislation.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

2. Scope and Purpose of Processing

2.1 Subject Matter

The Processor processes Personal Data in connection with the provision of the Service, which enables the Controller to recover failed recurring payments through AI-generated email and SMS communications, and to send pre-dunning card expiration alerts to the Controller’s end customers.

2.2 Duration

The Processor shall process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by Applicable Data Protection Laws.

2.3 Nature of Processing

The processing operations include:

Collection of payment failure event data via the Stripe API
Storage of end-customer contact information and payment context
AI analysis and generation of personalized recovery communications
Automated delivery of recovery emails via Resend
Automated delivery of recovery SMS messages via Twilio
Monitoring of payment method expiration dates for pre-dunning alerts
Aggregation of recovery analytics and reporting

2.4 Purpose of Processing

The Processor processes Personal Data solely for the following purposes:

Recovering failed payments on behalf of the Controller through personalized AI-generated email and SMS communications
Sending pre-dunning card expiration alerts to prevent future payment failures
Providing recovery analytics and reporting to the Controller

2.5 Types of Personal Data

The following categories of Personal Data are processed:

End-customer names (first and last)
End-customer email addresses
End-customer phone numbers
Payment card last four digits
Payment card brand (e.g., Visa, Mastercard)
Payment card expiration date
Invoice amounts
Subscription plan names
Payment failure reason codes

2.6 Categories of Data Subjects

The Data Subjects are end customers of the Controller who have experienced a failed payment or whose payment method is approaching expiration.

3. Obligations of the Processor

3.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law. In such case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such notice on important grounds of public interest. The Controller’s instructions are documented in this DPA, the Agreement, and the Controller’s use of the Service configuration settings (tone, custom instructions, channel preferences, and sequence timing).

3.2 Confidentiality

The Processor shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Service.

3.3 Security of Processing

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR. The specific security measures are described in Section 6 of this DPA.

3.4 Sub-processors

The Controller provides the Processor with general authorization to engage Sub-processors as described in Section 4 of this DPA, subject to the notification and objection mechanisms set forth therein.

3.5 Assistance with Data Subject Rights

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights as laid down in Chapter III of the GDPR. The Processor’s obligations regarding Data Subject rights are further described in Section 8 of this DPA.

3.6 Assistance with Security and Breach Obligations

The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor. This includes assistance with data protection impact assessments (“DPIAs”) and prior consultation with supervisory authorities where required.

3.7 Deletion or Return of Data

Upon termination of the Agreement, the Processor shall, at the Controller’s election, delete or return all Personal Data to the Controller, and delete existing copies unless applicable law requires storage of the Personal Data. The specific terms for deletion and return are described in Section 10 of this DPA.

3.8 Audit and Information Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor, as further described in Section 9 of this DPA.

3.9 Notification of Conflicting Instructions

The Processor shall immediately inform the Controller if, in the Processor’s opinion, an instruction from the Controller infringes the GDPR or other applicable data protection provisions.

4. Sub-Processors

4.1 Authorized Sub-Processors

The Controller acknowledges and agrees that the Processor may engage the following Sub-processors as of the effective date of this DPA:

Sub-Processor	Purpose	Location	Data Protection Terms
Stripe, Inc.	Payment processing, OAuth account connection, webhook delivery	United States	Stripe DPA
Anthropic, PBC	AI content generation for recovery messages (receives first names, invoice amounts, plan names, failure reasons, and merchant context only — no email addresses, phone numbers, or other direct contact identifiers)	United States	Anthropic Privacy Policy
Resend, Inc.	Transactional email delivery of recovery messages	United States	Resend DPA
Twilio, Inc.	SMS delivery of recovery messages	United States	Twilio DPA
Railway Corp.	Cloud hosting and infrastructure	United States	Railway Privacy Policy

4.2 Obligations with Respect to Sub-Processors

When engaging a Sub-processor, the Processor shall:

Impose on the Sub-processor, by way of a written contract, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures;
Remain fully liable to the Controller for the performance of the Sub-processor’s obligations.

4.3 Notification of New Sub-Processors

The Processor shall notify the Controller in writing (including by email) at least 30 days in advance of any intended addition or replacement of Sub-processors, providing the Controller with an opportunity to object to such changes.

4.4 Right to Object

The Controller may object to a new or replacement Sub-processor by notifying the Processor in writing within 14 days of receiving notice. The objection must state reasonable grounds relating to data protection. If the Controller objects:

The Processor shall use commercially reasonable efforts to make available to the Controller a change in the Service or recommend a commercially reasonable change to the Controller’s configuration or use of the Service to avoid processing of Personal Data by the objected-to Sub-processor.
If the Processor is unable to provide such an alternative within 30 days of receiving the Controller’s objection, either party may terminate the portion of the Agreement relating to the Service that cannot be provided without the objected-to Sub-processor by providing written notice to the other party. The Processor shall refund to the Controller any prepaid fees covering the remainder of the term following the effective date of termination.

5. International Data Transfers

5.1 Transfer Mechanism

The Processor is established in the United States and processes Personal Data in the United States. To the extent that the processing of Personal Data involves the transfer of Personal Data from the European Economic Area (“EEA”), the United Kingdom, or Switzerland to the United States, the Parties agree to the following transfer mechanisms:

5.2 Standard Contractual Clauses (EU)

The Parties agree that the Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 are hereby incorporated by reference and shall apply to transfers of Personal Data from the EEA to countries not recognized as providing an adequate level of data protection:

Module 2 (Controller to Processor): applies where the Controller transfers Personal Data to the Processor for the provision of the Service.
Module 3 (Processor to Sub-Processor): applies where the Processor engages Sub-processors that process Personal Data outside the EEA on behalf of the Controller.

For the purposes of the SCCs:

The optional docking clause in Clause 7 shall apply.
In Clause 9, Option 2 (General written authorization) shall apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 4.3 of this DPA.
In Clause 11, the optional language shall not apply.
In Clause 17, Option 1 shall apply, governed by the law of Ireland.
In Clause 18(b), disputes shall be resolved before the courts of Ireland.
Annex I, Annex II, and Annex III of the SCCs are completed by the information set out in this DPA.

5.3 UK International Data Transfer Addendum

For transfers of Personal Data from the United Kingdom, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (as issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018) shall apply, and is hereby incorporated by reference.

5.4 Swiss Data Transfers

For transfers of Personal Data from Switzerland, the SCCs shall apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner, including that references to the GDPR shall be understood as references to the Swiss Federal Act on Data Protection.

5.5 EU-US Data Privacy Framework

Where applicable, the Processor and its Sub-processors may rely on the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, or the Swiss-US Data Privacy Framework as an additional transfer mechanism for covered data.

5.6 Transfer Impact Assessments

The Processor maintains transfer impact assessments for each Sub-processor and shall make these available to the Controller upon request. The Processor shall promptly notify the Controller of any legal developments that materially affect the protections afforded to transferred Personal Data.

6. Security Measures (Technical and Organizational)

The Processor implements and maintains the following technical and organizational measures pursuant to Article 32 of the GDPR:

6.1 Encryption

Data in transit: All data transmitted between clients, servers, and Sub-processors is encrypted using TLS 1.2 or higher.
Data at rest: Sensitive tokens and credentials are encrypted using AES-256-GCM. Database storage is encrypted at rest using the hosting provider’s encryption mechanisms.

6.2 Authentication and Access Control

JWT-based authentication for all API access
OAuth 2.0 for Stripe account connections with minimum required scopes
Principle of least privilege applied to all system access
Role-based access controls for internal systems

6.3 Application Security

Input validation and sanitization on all user-supplied and API-received data
AI prompt sanitization with PII stripping: email addresses, phone numbers, and other direct identifiers are removed before data is sent to the AI Sub-processor
Rate limiting on API endpoints to prevent abuse
Webhook signature verification (Stripe HMAC) to ensure data integrity and authenticity

6.4 Monitoring and Logging

Application logging with PII masking (email addresses, phone numbers, and payment details are redacted in logs)
Monitoring of service health, error rates, and anomalous activity
Retention of security-relevant logs for a minimum of 12 months

6.5 Organizational Measures

Regular security assessments and code reviews
Confidentiality obligations for all personnel with access to Personal Data
Documented incident response procedures
Periodic review and update of security measures to address evolving threats

7. Personal Data Breach Notification

7.1 Notification to Controller

The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of a Personal Data Breach affecting the Controller’s Personal Data. Notification shall be sent to the email address associated with the Controller’s account, or to such other address as the Controller may designate in writing.

7.2 Content of Notification

The notification shall, to the extent available, include:

A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records affected;
The name and contact details of the Processor’s point of contact for further information;
A description of the likely consequences of the Personal Data Breach;
A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

Where it is not possible to provide all information at the same time, the Processor shall provide the information in phases without further undue delay.

7.3 Cooperation

The Processor shall cooperate with the Controller and take reasonable commercial steps to assist the Controller in investigating, mitigating, and remediating the Personal Data Breach, and in meeting the Controller’s obligations to notify supervisory authorities and affected Data Subjects under Articles 33 and 34 of the GDPR.

7.4 Breach Register

The Processor shall maintain a register of all Personal Data Breaches, including the facts relating to each breach, its effects, and the remedial actions taken. This register shall be made available to the Controller upon request.

8. Data Subject Rights

8.1 Assistance with Requests

The Processor shall promptly notify the Controller if it receives a request from a Data Subject to exercise any right under Applicable Data Protection Laws (including rights of access, rectification, erasure, restriction of processing, data portability, and objection). The Processor shall not respond to such requests directly except on the Controller’s documented instructions or as required by applicable law.

8.2 Response Timeframe

The Processor shall provide reasonable assistance to the Controller in responding to Data Subject requests within 10 business days of receiving the Controller’s instructions regarding the request.

8.3 Technical Measures

The Processor shall maintain technical measures to enable the Controller to fulfill the following Data Subject rights:

Access: Ability to export all Personal Data held about a specific Data Subject.
Rectification: Ability to correct inaccurate Personal Data upon Controller instruction.
Erasure: Ability to delete all Personal Data relating to a specific Data Subject.
Restriction: Ability to restrict processing of a specific Data Subject’s Personal Data while maintaining storage.
Portability: Ability to provide Personal Data in a structured, commonly used, machine-readable format (CSV or JSON).
Objection: Ability to cease processing Personal Data of a specific Data Subject for recovery communications.

9. Audit Rights

9.1 Audit Entitlement

The Controller, or a third-party auditor mandated by the Controller, may conduct an audit of the Processor’s processing activities and compliance with this DPA up to once per calendar year.

9.2 Audit Procedure

The Controller shall provide the Processor with at least 30 days’ written notice of any intended audit.
Audits shall be conducted during regular business hours and shall not unreasonably interfere with the Processor’s business operations.
Any third-party auditor must execute a non-disclosure agreement acceptable to the Processor before being granted access to the Processor’s facilities, systems, or documentation.
The Controller shall bear all costs associated with the audit, unless the audit reveals a material breach of this DPA by the Processor, in which case the Processor shall bear the reasonable costs of the audit.

9.3 Alternative Audit Mechanisms

At the Processor’s discretion, the Processor may satisfy audit requests by providing:

A summary or copy of the results of any relevant third-party audit or certification (such as SOC 2 Type II) conducted within the preceding 12 months, provided that such audit was performed by a qualified independent auditor; or
Written responses to the Controller’s reasonable audit questions.

10. Deletion and Return of Data

10.1 Data Export

Upon termination of the Agreement, the Controller may request an export of all Personal Data processed under this DPA. The Processor shall make such data available for export in a structured, commonly used, and machine-readable format (CSV or JSON) within 30 days of receiving the Controller’s written request.

10.2 Deletion

Following the expiration of the 30-day export period described in Section 10.1 (or immediately upon termination if no export is requested), the Processor shall delete all Personal Data within 30 days, including all copies in the Processor’s systems and the systems of its Sub-processors, except where applicable law requires continued storage.

10.3 Certification of Deletion

Upon the Controller’s written request, the Processor shall provide written certification that all Personal Data has been deleted in accordance with this Section 10.

10.4 Legal Retention Exceptions

The Processor may retain limited Personal Data beyond the deletion period only where required by applicable law, and only for the following enumerated purposes and durations:

Tax and accounting records: Transaction records required under applicable tax law may be retained for up to 7 years from the date of the transaction.
Fraud prevention: Records necessary for fraud prevention and detection may be retained for up to 2 years from the date of termination.

Any Personal Data retained under these exceptions shall continue to be protected in accordance with this DPA and shall be deleted promptly upon expiration of the applicable retention period.

11. CCPA/CPRA Provisions

11.1 Service Provider Designation

For purposes of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), the Processor is a “Service Provider” as defined in Cal. Civ. Code § 1798.140(ag). The Processor processes Personal Information (as defined by the CCPA/CPRA) on behalf of the Controller solely for the business purposes specified in this DPA and the Agreement.

11.2 Restrictions on Use

The Processor shall not:

Sell or share (as those terms are defined under the CCPA/CPRA) any Personal Information received from the Controller;
Retain, use, or disclose Personal Information for any purpose other than the business purposes specified in this DPA and the Agreement, including for any commercial purpose other than providing the Service;
Retain, use, or disclose Personal Information outside of the direct business relationship between the Processor and the Controller;
Combine Personal Information received from the Controller with Personal Information received from or on behalf of another person or collected from the Processor’s own interactions with consumers, except as expressly permitted by the CCPA/CPRA.

11.3 Compliance Certification

The Processor certifies that it understands the restrictions set forth in this Section 11 and in the CCPA/CPRA, and will comply with them. The Processor shall notify the Controller if it determines that it can no longer meet its obligations under the CCPA/CPRA.

11.4 Right to Monitor

The Controller has the right to take reasonable and appropriate steps to ensure that the Processor uses Personal Information in a manner consistent with the Controller’s obligations under the CCPA/CPRA, including the audit rights set forth in Section 9.

12. Term and Termination

12.1 Effective Date

This DPA shall become effective upon the Controller’s acceptance of the Agreement (Terms of Service) and shall remain in effect for the duration of the Agreement.

12.2 Termination

This DPA shall automatically terminate upon the termination or expiration of the Agreement, subject to the survival provisions set forth in Section 12.3.

12.3 Survival

The following provisions shall survive termination of this DPA:

Section 3.2 (Confidentiality) — survives indefinitely
Section 7 (Personal Data Breach Notification) — survives for a period of 2 years following termination
Section 9 (Audit Rights) — survives for a period of 1 year following termination
Section 10 (Deletion and Return of Data) — survives until all Personal Data has been deleted or returned in accordance with its terms
Section 11 (CCPA/CPRA Provisions) — survives for as long as the Processor retains any Personal Information subject to the CCPA/CPRA

13. Governing Law and Jurisdiction

13.1 General

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, consistent with the governing law provisions of the Agreement, without regard to its conflict of laws principles.

13.2 EU/EEA Data Subjects

To the extent that the processing of Personal Data is subject to the GDPR, this DPA shall also be subject to the applicable law of the EU member state in which the Controller is established, or, where the Controller is not established in the EU, the law of the EU member state in which the relevant Data Subjects are located. Where the Standard Contractual Clauses apply, the governing law and jurisdiction provisions of the SCCs shall take precedence over this Section 13 to the extent of any conflict.

13.3 UK Data Subjects

To the extent that the processing of Personal Data is subject to the UK GDPR, the laws of England and Wales shall apply to the relevant provisions of the UK International Data Transfer Addendum.

14. General Provisions

14.1 Precedence

In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

14.2 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable.

14.3 Amendments

This DPA may be amended only in writing, signed by both Parties. The Processor may update the list of Sub-processors in accordance with the procedure set out in Section 4.3.

14.4 Entire Agreement

This DPA, together with the Agreement and the Standard Contractual Clauses (where applicable), constitutes the entire agreement between the Parties with respect to the processing of Personal Data in connection with the Service and supersedes all prior negotiations, representations, or agreements relating to this subject matter.

15. Contact Information

RecoverKit — Data Protection Inquiries

Email: privacy@recoverkit.com

General Support: support@recoverkit.com

To request a copy of the Standard Contractual Clauses, the UK International Data Transfer Addendum, or any Sub-processor data protection agreements, contact privacy@recoverkit.com.