Last updated


Last updated: January 23, 2019

About Us

Rebilly is a US-based technology company that offers subscription billing software to increase our customers' (merchants) lifetime value. We enable subscription services to handle payments, invoices, billing disputes, fraud prevention and provide analysis. We have offices in Austin, Montreal and Barbados and other employees based all over the world.

What is the GDPR? The General Data Protection Regulation ('GDPR') is the new comprehensive European Union (EU) data protection law that took effect on May 25, 2018.

The GDPR involved a major overhaul of the data protection law under the old EU Data Protection Directive and strengthened the protection of 'personal data', whilst also giving individuals more control over their personal data. Rebilly has always been dedicated to maintaining the best security for its merchants and their customers and like many organizations, we have taken steps to ensure that we are GDPR-ready.

Does Rebilly process "personal data"?

Inevitably, in the course of providing our services, we will process personal data on behalf of our customers (merchants) and their end customers (people who buy products or services from our customers). In addition, we may collect business contact information and user account information from our customers for the administration of customer accounts, to communicate with our customers and to provide customer support. Check out our Privacy Notice to find out more.

How does the GDPR affect Rebilly?

The GDPR distinguishes between a controller (who collects and owns the data) and a processor (who handles the data on behalf of the controller). Our customers (the merchants) are usually the controller. Rebilly is principally a processor of the personal data it processes when providing its services to customers. This means we can only ever process personal data in accordance with our customer's instructions and must take steps to help them comply with the GDPR.

Under certain limited circumstances, Rebilly acts also as a controller of the data that it collects or processes for its own purposes (e.g. Rebilly is a data controller of its customer's contact details that it uses for customer relation management or billing). Review our Privacy Notice for further info.

What is Rebilly doing to comply with and help its customers comply with the GDPR?

With support from our specialist EU external counsel, we have taken steps to address GDPR compliance, including taking the following actions so we can help our customer's comply with the GDPR:

(1) Data Processing Addendum - any organization engaging third party services (like Rebilly) to process data on their behalf will need appropriate contracts in place to comply with the stricter requirements introduced by the GDPR. We are pleased to be able to offer our customers a Data Processing Addendum that enables both Rebilly and its customers to comply with the GDPR.

(2) Sub-processors - we have reviewed, and where necessary, updated the arrangements we have with our third party sub-processors to ensure that all such arrangements comply with the GDPR. A full list of our current sub-processors is available here.

(3) Privacy Notice - we have reviewed and updated our Privacy Notice for GDPR compliance, including to incorporate the mandatory disclosures required by the GDPR.

(4) Security - we have always been focused on ensuring world-class security and continue to use appropriate and security measures to safeguard any data collected and processed on our systems (see below for further details).

How does Rebilly comply with EU data export laws?

Rebilly is headquartered in the United States, but offers its services and technologies to customers located in the EU. Therefore, Rebilly will process personal data that originates from the EU on its servers and facilities in the United States.

To ensure compliance with EU data export laws, Rebilly has executed an intra-group data transfer agreement incorporating the Standard Contractual Clauses and signs Standard Contractual Clauses (also sometimes called "Model Clauses") with its EU customers or with its customers who have customers located within the EEA.

The Model Clauses are standard form data export terms that have been pre-approved by the European Commission, and by signing them Rebilly commits to protect personal data it receives from its EU customers or their customers to EU data protection standards.

What security measures does Rebilly apply to personal data?

Rebilly is committed to security and privacy, maintaining world-class physical, technical and administrative standards and measures to protect its customers and their customers' personal data.

Such standards and measures include:

  • PCI-DSS compliance: Your merchant bank account requires your business to be PCI compliant, and Rebilly helps you meet those requirements. Rebilly is PCI DSS Level 1 compliant - the payment card industry's most stringent security standard. This means that we have taken extensive security measures that include: physical, electronic, and procedural safeguards; documented security policies; use of strong encryption for data transmission; security monitoring tools; restricted access to personally identifiable information; and regular audits by independent, third party security experts.
  • Protection of sensitive information: Sensitive information is stored using several layers of encryption in a segmented network with no public internet access. New encryption keys are generated on a regular basis, and existing keys are rotated on a regular basis. Sensitive information is encrypted by an SSL connection when in transit over public networks with SSL connections using TLS v1.2 or above.
  • Physical security: Rebilly is hosted in a dedicated hosting environment with 24x7 security. Physical access to the network is strictly limited and monitored. Private networks are strictly segmented according to function. Restrictive firewalls protect communication entering the network and between private networks. All access to Rebilly's network and services is strictly logged. Audit logs are reviewed on a regular basis. Internal and external network penetration tests are performed on a regular basis by third parties. Two-factor authentication and strong password controls are required for administrative access.
  • Service providers: We require all service providers to take appropriate steps to safeguard the security and privacy of your personal information. The service provider must fit into our overall security framework as part of our PCI DSS Level 1 compliance.

Third Party Integrations

You also have the option to enable additional third party integrations (either built-in or through our APIs or webhooks). We do NOT directly evaluate or attest to the GDPR qualifications of integration partners. Each merchant is responsible for evaluating any third party before creating or enabling an integration. You should ensure you establish a direct contractual privacy agreement with any third party that you ask Rebilly to transmit personal data to. These include, but are not limited to:

  • Your chosen Gateway or Payment Processor.
  • Your Email Service Provider.
  • Your Productivity Tool Providers.
  • Your Accounting Software Providers.

Where can I get more information?

If you have any questions or require assistance please contact