Rebilly Data Processing Addendum

This Data Processing Addendum and its Annexes ("DPA") form part of the Rebilly Subscription Agreement or other written or electronic agreement between Rebilly and Customer for the purchase or use of the Rebilly Services ("Agreement") and reflect the parties' agreement regarding the Processing of Personal Data.

Capitalized terms not defined in this DPA have the meanings given in the Agreement.

Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Controller Affiliates (defined below). For purposes of this DPA only, and except where indicated otherwise, "Customer" includes Customer and Controller Affiliates.

If Customer (or an Affiliate) has executed an Order Form, clicked to accept the Agreement, or otherwise uses the Services, this DPA is incorporated by reference and becomes legally binding without further signature.

1. Definitions

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party, where "control" means ownership of more than fifty percent (50%) of the voting securities (or equivalent) of such entity.

"Controller" means an entity that determines the purposes and means of Processing Personal Data.

"Controller Affiliate" means any of Customer's Affiliates that (a) are permitted to use the Services under the Agreement, and (b) are Controllers of Personal Data Processed by Rebilly under the Agreement.

"Customer Data" means any Personal Data that Rebilly Processes as a Processor on behalf of Customer in the course of providing the Services.

"Data Protection Laws" means all data protection and privacy laws and regulations applicable to the Processing of Customer Data under the Agreement, including where applicable the GDPR, the UK GDPR, and the Swiss FADP, and (as applicable) U.S. state privacy laws.

"GDPR" means EU Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation).

"Personal Data" means any information relating to an identified or identifiable natural person that is protected as "personal data," "personal information," or similar term under applicable Data Protection Laws.

"Processing" has the meaning given in applicable Data Protection Laws, and "process," "processes," and "processed" are construed accordingly.

"Processor" means an entity that Processes Personal Data on behalf of a Controller.

"Security Incident" means any unauthorized or unlawful breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data transmitted, stored, or otherwise Processed by Rebilly or its Sub-processors in connection with the provision of the Services.

"Services" means the Rebilly Services as defined in the Agreement.

"Sub-processor" means any Processor engaged by Rebilly (or its Affiliates) to assist in fulfilling its obligations with respect to providing the Services under the Agreement or this DPA, excluding Rebilly employees and individual contractors.

"UK GDPR" means the UK General Data Protection Regulation as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

"Swiss FADP" means the Swiss Federal Act on Data Protection, as may be amended from time to time.

2. Scope and roles

2.1 Scope

This DPA applies where and only to the extent Rebilly Processes Customer Data as a Processor on behalf of Customer in the course of providing the Services and such Customer Data is subject to Data Protection Laws.

2.2 Roles of the parties

As between Rebilly and Customer, Customer is the Controller of Customer Data and Rebilly is the Processor. Each party will comply with its respective obligations under Data Protection Laws.

Nothing in the Agreement or this DPA prevents Rebilly from using or sharing any data that Rebilly would otherwise collect and process independently of Customer's use of the Services.

2.3 Customer obligations

Customer represents and warrants that:

  • It has provided all required notices and obtained all necessary consents and rights for Rebilly to Process Customer Data to provide the Services;
  • It shall comply with its obligations as a Controller under Data Protection Laws in respect of its Processing of Customer Data and any Processing instructions it issues to Rebilly; and
  • It has the authority to enter into this DPA on behalf of its Controller Affiliates.

Rebilly is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer's industry that are not generally applicable to Rebilly as a service provider.

2.4 Rebilly processing instructions

Rebilly will Process Customer Data only:

  • to provide the Services in accordance with the Agreement;
  • to perform steps necessary for performance of the Agreement;
  • as initiated by authorized Users in their use of the Services; and
  • to comply with other documented, lawful instructions from Customer that are consistent with the Agreement.

The Agreement (including this DPA) constitutes Customer's complete and final instructions to Rebilly regarding Processing of Customer Data. Processing outside the scope of these instructions requires prior written agreement between Customer and Rebilly.

2.5 Processing details

The subject matter, nature, purpose, categories of Personal Data, and categories of data subjects are described in Annex A.

2.6 U.S. state privacy laws

To the extent U.S. state privacy laws apply, Rebilly will Process Customer Data as a service provider/processor, will not "sell" or "share" Customer Data (as those terms are defined under such laws), and will Process Customer Data only to provide the Services and as otherwise permitted by the Agreement.

3. Sub-processing

3.1 Authorized Sub-processors

Customer authorizes Rebilly to engage Sub-processors to Process Customer Data. Rebilly's current Sub-processors are listed at: https://www.rebilly.com/legal/sub-processors.

3.2 Sub-processor obligations

Rebilly will:

  • enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA (as applicable); and
  • remain responsible for its compliance with this DPA and for acts or omissions of Sub-processors that cause Rebilly to breach this DPA.

3.3 Changes and objection

Rebilly will provide at least thirty (30) days' advance notice before authorizing a new Sub-processor to Process Customer Data on behalf of Customer, except where such notice is not practicable (for example, in cases of emergency security updates or where required by law). Rebilly will notify Customer by email to the primary contact email address on file or by posting an update to the Sub-processor page.

If Customer reasonably objects to a new Sub-processor on data protection grounds, Customer must notify Rebilly in writing at legal@rebilly.com within thirty (30) days of receiving notice of the new Sub-processor. Rebilly will work with Customer in good faith to address the objection, which may include:

  • providing additional information about the Sub-processor's data protection practices;
  • implementing additional safeguards; or
  • finding an alternative solution.

If Rebilly cannot address Customer's reasonable concerns and Customer continues to object, Customer may terminate the affected Services by providing written notice to Rebilly as Customer's sole and exclusive remedy under this Section 3.3. Rebilly will provide a pro-rated refund of any prepaid fees for the terminated Services.

The objection and termination rights described above apply only to new Sub-processors added after the effective date of Customer's Subscription Agreement. Existing Sub-processors listed on the Sub-processor page are authorized under Customer's current agreement.

4. Security

4.1 Security measures

Rebilly will implement and maintain appropriate technical and organizational measures to protect Customer Data against Security Incidents and to preserve the security and confidentiality of Customer Data. These measures are described in Annex B.

Rebilly will ensure persons authorized to Process Customer Data are subject to appropriate confidentiality obligations.

4.2 Security Incident response

Upon becoming aware of a Security Incident, Rebilly will notify Customer without undue delay and provide timely information as it becomes known or as reasonably requested by Customer. Rebilly will use commercially reasonable efforts to provide an initial notification within seventy-two (72) hours of becoming aware of a Security Incident, and sooner where practicable, subject to law enforcement delays or measures required to prevent further compromise.

Rebilly will take reasonable steps to contain, investigate, and remediate the Security Incident and provide updates as material information becomes available. Rebilly's obligations in this Section apply only to the extent the Security Incident is not caused by Customer's systems, credentials, or Authorized Users.

4.3 Audits and security reports

Rebilly maintains an information security program and undergoes an annual SOC 2 audit. Upon written request and subject to reasonable confidentiality obligations, Rebilly will provide Customer with a copy of its then-current SOC 2 report (or a summary/extract where needed) and will respond to reasonable security questionnaires.

Customer will treat any audit report or security documentation provided under this Section as Rebilly Confidential Information.

To the extent Rebilly Processes payment card data, Rebilly will maintain compliance with the applicable version of the Payment Card Industry Data Security Standard (PCI DSS).

5. Assistance and cooperation

5.1 Data subject requests

Taking into account the nature of Processing, Rebilly will provide reasonable assistance to enable Customer to respond to requests from data subjects to exercise their rights under Data Protection Laws, to the extent Customer cannot access the relevant Customer Data through the Services.

If Rebilly receives a request directly from a data subject relating to Customer Data, Rebilly will (where permitted) notify Customer and will not respond except as required by law.

5.2 DPIAs and prior consultation

Rebilly will provide reasonable information and assistance (at Customer's expense, if applicable) to support Customer's data protection impact assessments and, where required, prior consultations with supervisory authorities.

If Rebilly receives a legally binding request to disclose Customer Data, Rebilly will, to the extent legally permitted, provide Customer with prompt written notice and reasonably cooperate with Customer's efforts to seek protective treatment or limit disclosure. Rebilly will disclose only the portion of Customer Data that it is legally required to disclose.

6. Return and deletion

Upon termination or expiration of the Agreement, Rebilly will delete or return Customer Data in accordance with the Agreement and Annex A, except to the extent Rebilly is required by law to retain some or all Customer Data, or retains it in backups in a securely isolated manner until deletion in the ordinary course. Rebilly will certify deletion upon Customer's written request, except where prohibited by law.

7. International transfers

7.1 Processing locations

Customer acknowledges that Rebilly may Process Customer Data in the United States and other locations where Rebilly, its Affiliates, or its Sub-processors maintain operations, subject to appropriate safeguards as described in this Section 7.

7.2 EEA transfers: EU SCCs

To the extent Customer Data subject to the GDPR is transferred to a country not recognized by the European Commission as providing an adequate level of protection, the parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two: Controller to Processor) ("EU SCCs") are incorporated by reference and apply to such transfers.

The EU SCCs are completed as follows:

  • Clause 7 (Docking clause): Not applicable.
  • Clause 9 (Use of sub-processors): Option 2 (General authorization) applies. The time period for prior notice of sub-processor changes is thirty (30) days.
  • Clause 11 (Redress): The optional language does not apply.
  • Clause 17 (Governing law): Option 1 applies. The governing law is the law of Ireland.
  • Clause 18 (Choice of forum and jurisdiction): The courts of Ireland.

For purposes of the EU SCCs:

  • Data exporter: Customer (or its Controller Affiliate, as applicable).
  • Data importer: Rebilly Inc.
  • Annex I (A): The data exporter is identified in the Agreement.
  • Annex I (B): The data importer is Rebilly Inc., 3801 N Capital of Texas Hwy, E240 #72, Austin, TX 78746, United States.
  • Annex I (C): The supervisory authority is the data protection authority of the EU member state in which the data exporter is established.
  • Annex II: The technical and organizational measures are described in Annex B of this DPA.
  • Annex III: The list of Sub-processors is available at https://www.rebilly.com/legal/sub-processors.

7.3 UK transfers: UK addendum

To the extent UK GDPR applies, the EU SCCs are supplemented by the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022) ("UK Addendum"), incorporated by reference.

For purposes of the UK Addendum:

  • Table 1: The parties' details are as set forth in the Agreement and Section 7.2 above.
  • Table 2: The selected EU SCCs, modules, and clauses are as set forth in Section 7.2 above.
  • Table 3: The Appendix information is as set forth in Section 7.2 above.
  • Table 4: The UK Addendum applies to transfers to the United States and other countries not recognized by the UK as providing an adequate level of protection.

7.4 Switzerland

To the extent Swiss FADP applies, the EU SCCs apply with modifications required under Swiss law, including recognition of the Federal Data Protection and Information Commissioner (FDPIC) as the competent supervisory authority where applicable.

7.5 Alternative transfer mechanism

If Rebilly adopts an alternative lawful transfer mechanism recognized under Data Protection Laws (such as certification schemes or codes of conduct), that mechanism will apply instead to the extent applicable, and Rebilly will notify Customer of such change.

8. Controller Affiliates

Customer enters into this DPA on behalf of its Controller Affiliates, creating a separate DPA between Rebilly and each Controller Affiliate where required by Data Protection Laws. Customer remains responsible for coordinating communications with Rebilly under this DPA.

9. Limitation of liability

Each party's liability arising out of or related to this DPA (including the EU SCCs and UK Addendum) is subject to the limitations and exclusions of liability in the Agreement, to the extent permitted by applicable law. Nothing in this Section limits either party's liability for breaches of its data protection obligations under this DPA to the extent such limitation is prohibited by applicable Data Protection Laws.

10. Miscellaneous

10.1 Order of precedence

If there is any conflict between this DPA and the Agreement, this DPA will control with respect to the parties' data protection obligations. Except as modified by this DPA, the Agreement remains in full force and effect.

10.2 Updates

Rebilly may update this DPA from time to time to reflect changes in Data Protection Laws or Rebilly's practices. Any update that materially reduces Rebilly's obligations or Customer's rights will not apply during Customer's then-current Subscription Term unless required by applicable law. Updated versions will be published at https://www.rebilly.com/legal/dpa (or a successor URL).

10.3 Survival

The obligations in this DPA will survive termination or expiration of the Agreement to the extent necessary to comply with Data Protection Laws or as otherwise set forth in this DPA.


Last updated: 2026-01-21

Annex A: Description of Processing

Subject matter: Provision of the Services under the Agreement.

Duration: For the Subscription Term and any retention period described in the Agreement and this DPA.

Nature and purpose: Hosting, provision, maintenance, support, and secure operation of the Services; incident response; security monitoring; and other Processing necessary to provide the Services as instructed by Customer.

Categories of data subjects: Customer's Users; Customer's end customers and payers; beneficial owners and KYC subjects; other individuals whose Personal Data Customer submits to the Services.

Categories of Personal Data: Identification and contact data; account and subscription data; transaction and payment-related data; order information; device and usage data (e.g., IP address, logs); and other Personal Data submitted by or on behalf of Customer through the Services.

Special categories of Personal Data: Not intentionally Processed unless Customer chooses to submit such data and it is required for Customer's use case.

Retention/return/deletion: As described in Section 6 and the Agreement.

Annex B: Security Measures

Rebilly maintains a security program designed to protect Customer Data, including measures such as:

  • Access controls and least privilege: Role-based access controls, multi-factor authentication, and principle of least privilege for personnel access to Customer Data.
  • Encryption: Encryption in transit (TLS 1.2 or higher) and encryption at rest for Customer Data where applicable.
  • Logging, monitoring, and alerting: Comprehensive logging and monitoring of systems Processing Customer Data, with alerting for security events.
  • Vulnerability management and patching: Regular security assessments, vulnerability scanning, and timely patching of security vulnerabilities.
  • Secure SDLC practices: Security reviews, code scanning, and secure development practices throughout the software development lifecycle.
  • Incident response procedures: Documented incident response procedures and regular testing of such procedures.
  • Regular independent audit: Annual SOC 2 audit by an independent third party.
  • PCI DSS controls: To the extent payment card data is Processed, compliance with the applicable version of the Payment Card Industry Data Security Standard (PCI DSS).
  • Physical security: Physical security controls for facilities where Customer Data is Processed, including via cloud provider physical controls.
  • Business continuity and disaster recovery: Business continuity and disaster recovery plans designed to maintain availability of the Services.