Data Processing Agreement

Last updated: April 1, 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between you, the organization using Rebounce ("Controller" or "Customer"), and Rebounce ("Processor" or "we"). This DPA supplements and forms part of the Rebounce Terms of Service.

2. Definitions

  • Customer Data — personal data of your end customers that Rebounce processes on your behalf
  • End Customer — your customers whose failed payment data is processed by Rebounce
  • Processing — any operation performed on Customer Data, including collection, storage, retrieval, and deletion
  • Sub-processor — a third-party service provider that processes Customer Data on our behalf

3. Scope of Processing

Rebounce processes Customer Data solely for the purpose of providing the Service, which includes:

  • Receiving failed payment webhook notifications from Stripe
  • Storing end customer email addresses and names for dunning communications
  • Sending recovery emails to end customers on your behalf
  • Retrying failed invoice payments via the Stripe API
  • Generating payment update links for end customers
  • Displaying recovery analytics in your dashboard

4. Categories of Data

We process the following categories of personal data:

  • End customer email address and name (from Stripe invoice data)
  • Failed payment amount, currency, and failure reason
  • Stripe invoice, subscription, and customer identifiers
  • Recovery status and dunning interaction history

We do not process credit card numbers, bank account details, social security numbers, or any special category data (health, biometric, etc.).

5. Processor Obligations

  • Process Customer Data only on documented instructions from the Controller
  • Ensure persons authorized to process the data have committed to confidentiality
  • Implement appropriate technical and organizational security measures (see Section 7)
  • Engage sub-processors only with prior written consent and under equivalent data protection obligations
  • Assist the Controller in responding to data subject access requests
  • Delete or return all Customer Data upon termination of the Service
  • Make available information necessary to demonstrate compliance with this DPA

6. Sub-processors

We use the following sub-processors to deliver the Service:

Sub-processor | Purpose                                 | Location
Stripe        | Payment processing, invoice retry       | US / Global
Supabase      | Database hosting (PostgreSQL)           | US / AWS
Resend        | Transactional email delivery            | US
Inngest       | Background job orchestration            | US
Vercel        | Application hosting                     | US / Global CDN

We will notify you before adding or replacing any sub-processor. You may object to a new sub-processor within 30 days of notification.

7. Security Measures

  • Stripe OAuth tokens encrypted at rest using AES-256-GCM
  • Encryption keys derived via scrypt from application secret
  • All data transmitted over HTTPS/TLS
  • Database protected by Row Level Security (RLS)
  • Webhook endpoints verify Stripe cryptographic signatures
  • Rate limiting on all public-facing endpoints
  • Payment update links use JWT tokens with 72-hour expiry
  • Admin operations require authenticated service role key

8. Data Retention

We retain Customer Data for the duration of your active account. Failed payment records, retry attempt logs, and dunning message logs are maintained while your account is active. Upon account deletion or termination, we delete all Customer Data within 30 days. Anonymized aggregate statistics may be retained indefinitely.

9. Data Subject Rights

If an end customer exercises their data subject rights (access, rectification, erasure, portability), we will assist you in fulfilling these requests. You can delete individual failed payment records from your dashboard, which removes all associated personal data.

10. Breach Notification

In the event of a personal data breach, we will notify you without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, approximate number of records, likely consequences, and measures taken to mitigate the breach.

11. International Transfers

Customer Data may be transferred to and processed in the United States. Where data is transferred outside the EEA or UK, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, or other appropriate safeguards.

12. Term and Termination

This DPA takes effect when you start using the Service and remains in effect until all Customer Data is deleted or returned. Obligations that by their nature should survive termination will survive.

13. Contact

For DPA-related inquiries, contact us at hello@rebounce.dev.