Sign in Run the audit

Security

Recurr is built on SOC 2 Type II infrastructure, with the security and privacy of customer data as operating constraints.

Security Controls

Application security

HMAC-signed webhooks with replay protection (Stripe, Resend, Airwallex)
Row-level security per tenant on shared Postgres
Bearer-token authentication on cross-app calls

View 3 more ↓

Edge-layer DDoS + rate limiting via Vercel
Zod schema validation at every API boundary
Idempotent webhook + payment-link receipts

Operational security

Append-only audit logs on administrative actions
Vulnerability disclosure to security@recurr.dev
Live operations status at recurr.instatus.com

View 2 more ↓

Code review gate on every merge to production
Automated dependency scanning (GitHub Dependabot)

Access

MFA enforced on production access (admin + vendor consoles)
Service-role privilege gated by explicit admin checks
Production secrets via managed env stores (Vercel + Supabase)

View 3 more ↓

Least-privilege scoped credentials per vendor (no shared keys)
Role-based access controls on /app admin actions
Disk encryption enforced on development devices (FileVault / BitLocker)

Data

AES-256 at rest (Supabase), TLS 1.2+ in transit
Automated backups + point-in-time recovery (Supabase)
Data deletion on request

View 3 more ↓

Soft-delete with reversible operations
US-East default residency; EU region on request
GDPR subject rights honored (access, rectification, erasure, portability)

Compliance

Available today

DPA delivered ahead of pilot kickoff, with customer-jurisdiction adjustments negotiated case-by-case
Standard Contractual Clauses for EU-US data transfers in DPA
Sub-processor list (above) with 30-day change notification
Breach-notification commitment via DPA
Documented incident-response runbook
Sub-processor SOC 2 Type II inheritance across the stack
Cyber liability insurance

On the roadmap

SOC 2 Type I → Type II — trigger-based pursuit (~90 days from trigger to Type I attestation)
Annual penetration test
Compliance monitoring tooling (Vanta / Drata / Secureframe) onboarded at SOC 2 pursuit kickoff

Infrastructure & Subprocessors

Company	Purpose	Location	Cert
Stripe	Payments	United States	SOC 2 Type II · PCI DSS L1
Supabase	Database	United States	SOC 2 Type II
Vercel	Hosting	United States	SOC 2 Type II
Resend	Email	United States	SOC 2 Type II
PostHog	Analytics	United States	SOC 2 Type II
Sentry	Error monitoring	United States	SOC 2 Type II
Airwallex	Invoicing	Australia	SOC 2 Type II · PCI DSS L1
Mintlify	Documentation	United States	SOC 2 Type II
Attio	CRM	United Kingdom	SOC 2 Type II · ISO 27001
Calendly	Scheduling	United States	SOC 2 Type II
PandaDoc	E-signing	United States	SOC 2 Type II
Google Workspace	Productivity	United States	SOC 2 Type II · ISO 27001
Slack	Team communication	United States	SOC 2 Type II · ISO 27001
OpenAI	AI	United States	SOC 2 Type II
Anthropic	AI	United States	SOC 2 Type II

Stripe
Payments
United States · SOC 2 Type II · PCI DSS L1
Supabase
Database
United States · SOC 2 Type II
Vercel
Hosting
United States · SOC 2 Type II
Resend
Email
United States · SOC 2 Type II
PostHog
Analytics
United States · SOC 2 Type II
Sentry
Error monitoring
United States · SOC 2 Type II
Airwallex
Invoicing
Australia · SOC 2 Type II · PCI DSS L1
Mintlify
Documentation
United States · SOC 2 Type II
Attio
CRM
United Kingdom · SOC 2 Type II · ISO 27001
Calendly
Scheduling
United States · SOC 2 Type II
PandaDoc
E-signing
United States · SOC 2 Type II
Google Workspace
Productivity
United States · SOC 2 Type II · ISO 27001
Slack
Team communication
United States · SOC 2 Type II · ISO 27001
OpenAI
AI
United States · SOC 2 Type II
Anthropic
AI
United States · SOC 2 Type II

Reach us at security@recurr.dev