Recurly Data User Agreement

This Data Use Agreement (the "DUA") is made by and between Recurly, Inc. ("Recurly") and [Customer] ("Customer"). This DUA is incorporated into and forms part of the Recurly Terms of Service or other agreement ("Agreement") between the parties and applies where Recurly processes Personal Information on behalf of Recurly pursuant to the Agreement. This DUA is effective from January 1, 2020 until the Agreement is terminated. This DUA shall control in the event of any inconsistencies between this DUA and the Agreement.

1. Definitions

  1. "Business" means the entity that determines the purposes and means of the processing of Personal Information.

  2. "Data Protection Laws" means applicable laws governing the privacy and security of Personal Information, including without limitation the California Consumer Privacy Act.

  3. "Personal Information" means any information Customer provides to Recurly that relates to or could reasonably be associated with an individual or household and is subject to Data Protection Laws.

  4. "Service" shall have the meaning given that term in the Agreement.

  5. "Service Provider" means an entity that receives Personal Information from a Business and is prohibited from retaining, using, selling, or disclosing such information other than as expressly set forth in this DUA or in the Agreement.

2. Use of Personal Information

  1. Each party’s processing of Personal Information shall comply with Data Protection Laws. The parties agree that Customer is a Business and Recurly is a Service Provider. The parties also agree that Customer provides Personal Information to Recurly as a condition precedent to Recurly’s performance of the Service and that Personal Information is not exchanged for monetary or other valuable consideration.

  2. Recurly will not use, retain, sell, transfer, or otherwise disclose Personal Information other than as expressly set forth in this DUA or in the Agreement.

  3. Recurly certifies that it understands and will comply with the restrictions and obligations contained in this DUA.

3. Rights Requests

  1. Customer is responsible for addressing and responding to any rights requests related to Personal Information that are received by either party under Data Protections Laws ("Rights Requests"). If Recurly receives a Rights Request from an individual (the "Requestor"), Recurly will (i) inform the Requestor that Recurly is a Service Provider and (ii) instruct the Requestor to contact Customer to address the Rights Request. Where required by Data Protection Laws, Recurly shall make reasonable efforts to include Customer’s contact information in any response to the Requestor, where feasible to do so based on the Personal Information processed by Recurly and the contact information provided by Customer.

  2. Except as instructed by Customer, Recurly shall not respond to a Rights Request or otherwise communicate with the Requestor.

  3. Recurly agrees to provide Customer with reasonable assistance and cooperation as required by Customer for Customer to respond to Rights Requests in compliance with Data Protection Laws, including providing Customer with access to Personal Information and deleting Personal Information when and as instructed by Customer.

4. Security

  1. Recurly shall implement and maintain physical, technical, and organizational security measures in accordance with industry best practices to protect Personal Information against accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, and access.

  2. Recurly shall inform Customer within 48 hours of recognizing a data breach or cyber security incident affecting any Personal Information. Such notice shall describe the breach or incident, when it occurred, the Personal Information affected, and the measures Recurly has taken to contain the breach or incident.