Security
SOC 2 Type II — audit on customer commitment. Controls aligned to the Trust Services Criteria today. Built on SOC 2 Type II infrastructure (Stripe, Supabase, Vercel) with security and privacy of customer data as operating constraints.
Security Controls
Application security
- HMAC-signed webhooks with replay protection (Stripe, Resend, Airwallex)
- Row-level security per tenant on shared Postgres
- Bearer-token authentication on cross-app calls
View 4more ↓Show fewer ↑
- PCI DSS Level 1 boundary at Stripe Connect — no card data on Recurr's perimeter
- Edge-layer DDoS + rate limiting via Vercel
- Zod schema validation at every API boundary
- Idempotent webhook + payment-link receipts
Operational security
- Append-only audit logs on administrative actions
- Vulnerability disclosure to security@recurr.dev
- Live operations status at recurr.instatus.com
View 2more ↓Show fewer ↑
- Code review gate on every merge to production
- Automated dependency scanning (GitHub Dependabot)
Access
- MFA enforced on production access (admin + vendor consoles)
- Service-role privilege gated by explicit admin checks
- Production secrets via managed env stores (Vercel + Supabase)
View 4more ↓Show fewer ↑
- TOTP authenticator-app MFA on /app admin (single-use recovery codes issued at enrollment)
- Least-privilege scoped credentials per vendor (no shared keys)
- Role-based access controls on /app admin actions
- Disk encryption enforced on development devices (FileVault / BitLocker)
Data
- AES-256 at rest (Supabase), TLS 1.3 in transit
- Automated backups + point-in-time recovery (Supabase)
- Data deletion on request
View 4more ↓Show fewer ↑
- Soft-delete with reversible operations
- US-East default residency; EU region on request
- GDPR subject rights honored (access, rectification, erasure, portability)
- 12-month audit-log retention; subscriber data deleted within 14 days of contract termination
Compliance
Available today
- DPA delivered ahead of pilot kickoff, with customer-jurisdiction adjustments negotiated case-by-case
- Standard Contractual Clauses for EU-US data transfers in DPA
- Sub-processor list (above) with 30-day change notification
- Breach-notification commitment via DPA
- Documented incident-response runbook
- Sub-processor SOC 2 Type II inheritance across the stack
- Cyber liability insurance
- 99.9% uptime SLA on subscriber-facing surfaces (checkout, billing portal, help center, migration email delivery), with service credits in the MSA
On the roadmap
- SOC 2 Type I → Type II — trigger-based pursuit (~90 days from trigger to Type I attestation)
- Annual penetration test
- Compliance monitoring tooling (Vanta / Drata / Secureframe) onboarded at SOC 2 pursuit kickoff
Infrastructure & Subprocessors
- Stripe
Payments
United States · SOC 2 Type II · PCI DSS L1
- Supabase
Database
United States · SOC 2 Type II
- Vercel
Hosting
United States · SOC 2 Type II
- Resend
Email
United States · SOC 2 Type II
- PostHog
Analytics
United States · SOC 2 Type II
- Sentry
Error monitoring
United States · SOC 2 Type II
- Airwallex
Invoicing
Australia · SOC 2 Type II · PCI DSS L1
- Attio
CRM
United Kingdom · SOC 2 Type II · ISO 27001
- Calendly
Scheduling
United States · SOC 2 Type II
- PandaDoc
E-signing
United States · SOC 2 Type II
- Google Workspace
Productivity
United States · SOC 2 Type II · ISO 27001
- OpenAI
Insights
United States · SOC 2 Type II
- Anthropic
Insights
United States · SOC 2 Type II