Skip to main content
Recurr is built on commodity infrastructure with strong default postures. This page lists what’s in the stack and where to look for each component’s security and compliance documentation.

Hosting

  • Vercel for the web application layer (admin dashboard, customer dashboards, branded checkout)
  • Vercel Edge Network for globally-distributed page serving + DNS/SSL termination
  • Vercel’s compliance documentation: vercel.com/legal/dpa (DPA), SOC 2 Type II reports available under NDA

Database + auth

  • Supabase (managed Postgres + auth + RLS)
  • Postgres 17, with row-level security policies enforcing tenant isolation
  • Supabase’s compliance documentation: SOC 2 Type II reports available; HIPAA + GDPR documentation on request
  • Encryption at rest (AES-256) and in transit (TLS 1.2+) by default

Payments

Email delivery

  • Resend for transactional + marketing email send (audit delivery, Migration Review confirmations, migration emails)
  • TLS in transit; sender authentication via DKIM, SPF, and DMARC for the sending domain
  • Resend’s security documentation: resend.com/docs/security

Application code

  • Next.js 15 (App Router) for both the marketing site and product application
  • TypeScript end-to-end
  • Source control on GitHub; deployments via Vercel CI/CD
  • Code review on every change; no direct-to-production paths

What this means for compliance posture

Recurr runs on underlying vendors with SOC 2 Type II programs (Vercel, Supabase, Stripe, Resend). Recurr has not completed its own SOC 2 audit yet. A Recurr-side SOC 2 Type II audit kicks off when customer demand formally requires it. The Migration Review is the right place to surface that requirement so the framework can prioritize accordingly.

Live status

Operational status for the marketing site, customer dashboard, and platform-side integration health is published at recurr.instatus.com — public, real-time, no login required. Data handling →