> ## Documentation Index
> Fetch the complete documentation index at: https://recurr.dev/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Infrastructure

> What runs Recurr — hosting, databases, payments, email — and the security posture of each underlying vendor.

Recurr is built on commodity infrastructure with strong default postures. This page lists what's in the stack and where to look for each component's security and compliance documentation.

## Hosting

* **Vercel** for the web application layer (admin dashboard, customer dashboards, branded checkout)
* **Vercel Edge Network** for globally-distributed page serving + DNS/SSL termination
* Vercel's compliance documentation: [vercel.com/legal/dpa](https://vercel.com/legal/dpa) (DPA), SOC 2 Type II reports available under NDA

## Database + auth

* **Supabase** (managed Postgres + auth + RLS)
* Postgres 17, with row-level security policies enforcing tenant isolation
* Supabase's compliance documentation: SOC 2 Type II reports available; HIPAA + GDPR documentation on request
* Encryption at rest (AES-256) and in transit (TLS 1.2+) by default

## Payments

* **Stripe Connect Standard** for payment processing, with a Stripe account in your company's name
* Stripe is a [Level 1 PCI DSS-compliant service provider](https://stripe.com/docs/security/stripe). Card data never touches Recurr or your infrastructure — Stripe's hosted card entry handles tokenization.
* Stripe's compliance documentation: [stripe.com/docs/security/stripe](https://stripe.com/docs/security/stripe)

## Email delivery

* **Resend** for transactional + marketing email send (audit delivery, Migration Review confirmations, migration emails)
* TLS in transit; sender authentication via DKIM, SPF, and DMARC for the sending domain
* Resend's security documentation: [resend.com/docs/security](https://resend.com/docs/security)

## Application code

* **Next.js 15 (App Router)** for both the marketing site and product application
* TypeScript end-to-end
* Source control on GitHub; deployments via Vercel CI/CD
* Code review on every change; no direct-to-production paths

## What this means for compliance posture

Recurr runs on underlying vendors with SOC 2 Type II programs (Vercel, Supabase, Stripe, Resend). Recurr has not completed its own SOC 2 audit yet.

A Recurr-side SOC 2 Type II audit kicks off when customer demand formally requires it. The Migration Review is the right place to surface that requirement so the framework can prioritize accordingly.

## Live status

Operational status for the marketing site, customer dashboard, and platform-side integration health is published at **[recurr.instatus.com](https://recurr.instatus.com)** — public, real-time, no login required.

[Data handling →](/trust/data-handling)