Skip to content

DPA and SCC terms (self-serve plans)

This page publishes the default privacy terms used for self-serve commercial procurement.

Document controls

  • Owner: RecSys maintainers (contact@recsys.app)
  • Last reviewed: 2026-02-08
  • Next review due: 2026-05-08

Scope

Default terms on this page apply to:

  • Commercial Evaluation
  • Starter
  • Growth

Enterprise plans may override these terms in a signed Order Form.

What is included by default

  • Data Processing Addendum (DPA) terms are incorporated by reference via this page.
  • Standard Contractual Clauses (SCC) handling is documented for cross-border transfer needs.
  • Subprocessor and delivery disclosures are published in: Subprocessors and distribution details

DPA baseline

The default DPA baseline for self-serve plans is:

  • Role model: Customer is controller; Vendor is processor for contracted support and fulfillment activities.
  • Purpose limitation: processing only to deliver licensed artifacts, support, and contract operations.
  • Security baseline: reasonable technical and organizational measures aligned with the public security posture.
  • Deletion/return: contract and legal retention obligations apply; customer runtime data remains customer-controlled.
  • Audit model: documentation-first review via published security and procurement artifacts.

Supporting references:

SCC baseline

If SCCs are required for the transfer scenario, the default approach for self-serve plans is:

  • SCC terms are incorporated by reference to this page and the signed Order Form.
  • Scope is limited to vendor-processed contract/support metadata unless otherwise agreed.
  • Any enterprise-specific SCC rider is negotiated in the Order Form.

When custom terms are needed

Use Enterprise terms if your legal/security policy requires:

  • custom DPA language,
  • custom SCC annexes,
  • additional transfer-risk controls, or
  • controller-to-controller alternatives.

Those customizations are recorded in the signed Order Form.