+ Trust portal
What's public, what's pending.
This page is the index for every formal artifact behind our security and compliance claims. We publish what we have, name what we don't, and date both. The trust posture should be auditable from the outside — by you, your CISO, and your regulator — without taking our word for it.
+ Status legend
Available
Public artifact you can read or download today.
Drafted
Internal text exists; published before first enterprise contract.
Planned
Committed work; no draft yet — date below.
External
Operated by a third party; we link out.
+ Policies you can read today
Plain-language commitments that bind us. Each links to its canonical location on this site.
Sub-processor list
Available
Every vendor in the customer data path, with location, purpose, and what they see.
Snapshot — May 2026
View on /security

Sub-processor changelog
Available
Append-only log of additions, replacements, and removals. 30-day notice before any change.
github.com — empty by design
Email to subscribe

Data Processing Agreement (template)
Available
Plain-language standing terms. Counter-signed copy issued with each MSA.
Plain-language preview
View DPA

Privacy policy
Available
What we collect, what we don't, where it lives, and how long we keep it.
Plain-language preview
View privacy policy

Vulnerability disclosure policy
Available
How to report a security issue, scope, response timelines, Hall of Thanks.
ISO 29147-aligned
View disclosure policy

Incident response commitments
Available
Notification windows for personal-data breaches and service incidents, plus public post-mortem cadence.
GDPR Art. 33 + service-level
View commitments

+ Formal compliance artifacts
The signature-grade documents an auditor or regulator asks for. Drafts exist internally; publication tracks the GA timeline.
ISO/IEC 27001:2022 Statement of Applicability
Drafted
All 93 Annex A controls scoped to our environment, with implementation status.
Drafted internally — published at GA
Track at GA

Iceland / CLOUD Act legal opinion
Planned
Independent legal opinion on Icelandic jurisdiction, EEA data flows, and US extraterritorial reach.
Commissioned at GA
Notify when published

SOC 2 Type I report
Planned
Independent attestation of control design across security, availability, and confidentiality.
Audit window opens after first signed customer · ETA Q4 2026
Notify when published

Penetration test report
Planned
External tester findings, remediation timeline, and re-test outcome.
Pre-GA, scoped to public S3 gateway and console
Notify when published

+ Operational evidence
What we generate continuously once production traffic exists — designed for auditor consumption.
Hash-chained audit evidence (per tenant)
Drafted
Daily Merkle root, signed export bundles. Verifiable proof of immutability for every retained object.
Engineering complete — sample bundles published at GA
How it works

Atlas hosting attestation
External
Sovereign cloud platform that operates our compute and object storage — audited by them, surfaced to you.
Operated by Atlas
runatlas.is

+ How to verify
Auditors, regulators, and security-conscious customers can request unredacted source documents under NDA. Email security@recover.is with your role and we'll route the request — typical turnaround is two business days.
+ Source of truth
This page is the canonical index. The artifacts themselves live where they're already authoritative — policy pages on this site, formal documents in our compliance repository, vendor documents on vendor sites. We don't duplicate; we link.