// Trust & Security Report

    Recursion Pharmaceuticals, Inc. (Exscientia subsidiary) logo

    Recursion Pharmaceuticals, Inc. (Exscientia subsidiary)

    AI-driven drug discovery platform using generative AI for molecular design and automated lab synthesis; combines in silico design with robotics-enabled drug candidate creation.

    Certifications held

    1

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR Compliance (Posture)
    HELD

    Privacy Notice states 'The legal bases relied upon by Recursion include those enumerated in Articles 6 and 9 of the GDPR', relies on 'Standard Contractual Clauses to protect your Personal Information' via 'contractual clauses under Article 46 GDPR', and enumerates data subject rights to confirm and access, correct, delete, and request portability of Personal Data.

    Verify on recursion.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2
    NOT CONFIRMED

    No public vendor-domain evidence of SOC 2. The only attestation language comes from a third-party 10-K tracker quoting 'industry standard attestations, including reports prepared by an independent AICPA-accredited auditor'; this filing does not explicitly name SOC 2 (an AICPA attestation is not equivalent to a SOC 2 report), and no SOC 2 report or attestation is published on the vendor's own domain.

    source: board-cybersecurity.com
    SOC 2 Type 2 (specific)
    NOT CONFIRMED

    10-K filing mentions 'industry standard attestations' via AICPA auditor but does not explicitly name SOC 2 Type 2; specific attestation type not publicly disclosed

    source: board-cybersecurity.com
    ISO 27001
    NOT CONFIRMED

    no public evidence; not mentioned in SEC cybersecurity disclosures, privacy notice, or available public documentation

    HIPAA
    NOT CONFIRMED

    no public evidence of HIPAA certification or compliance program; not mentioned in SEC filings, privacy notices, or publicly available documentation

    ISO 27017 (Cloud Data Protection)
    NOT CONFIRMED

    no public evidence

    ISO 27018 (Cloud PII Protection)
    NOT CONFIRMED

    no public evidence

    PCI DSS
    NOT CONFIRMED

    no public evidence; not applicable as company does not publicly indicate payment card processing

    FedRAMP
    NOT CONFIRMED

    no public evidence

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Multi-region; US primary (Salt Lake City HQ), EU transfers via Standard Contractual Clauses, research data handled across multiple jurisdictions per clinical trial sites

    No public documentation found regarding whether Exscientia/Recursion trains AI models on customer drug discovery data. This is material for a biotech AI vendor and should be clarified in terms and data processing agreements.

    // Security controls

    Cybersecurity Framework

    NIST Cybersecurity Framework for risk assessment and InfoSec capability implementation

    board-cybersecurity.com

    Penetration Testing

    Regular penetration tests conducted with independent third-party facilitators

    board-cybersecurity.com

    Incident Response

    Tabletop exercises conducted regularly with third-party facilitators to evaluate incident response capabilities

    board-cybersecurity.com

    InfoSec Roadmap

    Documented roadmap with mitigation measures reviewed quarterly with management and Audit Committee

    board-cybersecurity.com

    Physical, Technical, Administrative Safeguards

    Safeguards in place to protect personal data from loss, misuse, alteration, theft, unauthorized access, and unauthorized disclosure, consistent with legal obligations and industry practices

    recursion.com

    CISO Leadership

    Chief Information Security Officer with 25+ years in biopharmaceutical/life sciences security (prior roles at Genentech, Roche, Jazz Pharmaceuticals); joined 2021

    board-cybersecurity.com

    Audit Committee Oversight

    Cybersecurity governance resides with Audit Committee; CISO provides quarterly briefings on risk and strategy

    board-cybersecurity.com

    Encryption in Transit

    No specific encryption standards documented in public disclosures

    Data Encryption at Rest

    No specific encryption standards documented in public disclosures

    Third-Party Vendor Management

    Service providers must execute agreements including confidentiality requirements; Vendor Expectations Manual exists but specific security requirements not publicly detailed

    recursion.com

    // Products & data scope

    Exscientia Drug Discovery PlatformAI/ML, Biotech, Drug Discovery

    data: Molecular design data, chemical compound libraries, proprietary biological datasets, research data; does NOT include consumer PII unless as research participants

    Core product: AI-driven in silico drug design combined with automated lab synthesis. Processes large proprietary biological datasets (>50 petabytes per parent company). Clinical trial data handled under separate research participant privacy notices.

    Recursion OS (parent company platform)Drug Discovery Platform, Data Processing

    data: Cell imaging data, phenomics, transcriptomics, proteomics, ADME data, de-identified patient data

    Parent company (Recursion) operates the integrated platform; Exscientia now operates as subsidiary contributing to this system post-Nov 2024 merger

    // What to watch

    • NO DEDICATED TRUST CENTER: Company does not maintain a public trust center or security/compliance portal; security information scattered across privacy notice, website, and SEC filings.
    • ATTESTATION TYPE UNSPECIFIED: 10-K mentions 'AICPA-accredited auditor attestations' but does not explicitly state SOC 2 Type 1 vs. Type 2; type, scope, and report availability not disclosed.
    • NO PUBLIC ISO 27001: Despite enterprise maturity and regulated industry, no ISO 27001 certification publicly disclosed.
    • NO PUBLIC HIPAA EVIDENCE: Works with pharma and clinical trial data but no HIPAA certification or BAA documentation publicly available.
    • AI TRAINING POLICY UNDISCLOSED: Critical gap for an AI drug discovery vendor—no public documentation on whether customer proprietary drug designs/data are used to train AI models.
    • PRIVACY NOTICE LIMITATION: Privacy notice explicitly states 'we unfortunately are not able to guarantee security for data collected through our Website.'
    • PAST INCIDENTS DISCLOSED: 10-K confirms company has experienced cyber incidents, though none deemed material; incident details not public.
    • VENDOR EXPECTATIONS MANUAL NOT PUBLIC: Vendor manual exists but full content not publicly available for review of security requirements.
    • IDENTITY MERGE RECENT: Exscientia acquired by Recursion in November 2024; may take time for consolidated security/compliance posture to fully harmonize.

    // At a glance

    Pricing model

    B2B licensing for pharmaceutical partners; no public consumer pricing

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Recursion Pharmaceuticals, Inc. (Exscientia subsidiary)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    recursion.com

    > Browse all vendor trust reports