// Trust & Security Report
Recorded Future, Inc. (a Mastercard company)
Cloud threat intelligence platform (Recorded Future Intelligence Platform) built on an Intelligence Graph, spanning modules for Attack Surface Intelligence, Third-Party Intelligence, Brand Intelligence, Identity Intelligence, Geopolitical Intelligence and SecOps Intelligence, plus Insikt Group human-analyst research and newer AI-driven 'Recorded Future AI' / Autonomous Threat Operations automation features. Acquired by Mastercard in December 2024 (previously majority-owned by Insight Partners).
Certifications held
4
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on assets.recordedfuture.com“Report on Recorded Future, Inc.'s Recorded Future Intelligence Platform Relevant to Security and Availability Throughout the Period of June 1, 2023 to May 31, 2024 -- SOC 3(R) - SOC for Service Organizations: Trust Services Criteria for General Use Report.”
Verify on recordedfuture.com“ISO Certifications can be found here. ISO/IEC 27001:2022”
Verify on recordedfuture.com“ISO/IEC 27701:2019 ... Is Recorded Future GDPR compliant? Yes. Recorded Future complies with laws applicable to data protection and privacy, including the GDPR and CCPA, and is ISO 27701 certified.”
Verify on recordedfuture.com“ISO Certifications can be found here. ... ISO 9001:2015”
> Show 5 unconfirmed / not-held certifications
source: recordedfuture.comNo public evidence. The vendor's own Security FAQ and GRC FAQ pages (which list ISO 27001, ISO 27701, ISO 9001 and reference SOC 2) do not mention HIPAA or a Business Associate Agreement anywhere.
source: recordedfuture.comNo public evidence that Recorded Future itself holds PCI DSS. The only PCI reference found relates to the underlying AWS infrastructure being PCI DSS certified -- that is the cloud host's certification, not Recorded Future's own.
source: recordedfuture.comNo public evidence. Not mentioned on the vendor's Security FAQ, GRC FAQ, or trust center overview; a FedRAMP Marketplace search returned no confirmed listing for Recorded Future.
source: recordedfuture.comNo public evidence on the vendor's own domain. A third-party aggregator site claims 'CSA Star Level 1' but this could not be corroborated on recordedfuture.com or the CSA STAR registry, so it is not counted here.
source: recordedfuture.comNo public evidence. Despite marketing an 'Autonomous Threat Operations' / 'Recorded Future AI' feature set, no AI-governance-specific certification (ISO 42001, CSA STAR AI) is referenced on the vendor's security or legal pages.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Primarily US-hosted on AWS ('Some of our Services are hosted in the United States'), with data centers described as globally distributed; cross-border transfers from the EEA/UK rely on Standard Contractual Clauses. No dedicated EU-only/regional hosting option is documented publicly.
Security FAQ states Recorded Future uses data in two ways: to deliver the service (queries, alerts, search history) and to use 'unattributed Customer Data' for 'development and improvement, including trend analysis and feature enhancement.' This is generic product-improvement language, not an explicit statement about training the newer 'Recorded Future AI' / Autonomous Threat Operations models, and no opt-out mechanism for this use is described publicly.
// Security controls
Encryption at rest
AES 256-bit encryption; customer data encrypted before database insertion on encrypted AWS EBS volumes with managed key infrastructure.
recordedfuture.comSecure software development
References alignment with NIST SSDF (SP 800-218) secure development practices alongside ISO 27001/9001-certified SDLC processes.
recordedfuture.comAccess control / authentication
Multi-factor authentication, single sign-on support, automated account lockouts, restricted access to authorized personnel only.
recordedfuture.comVulnerability management
Public bug bounty / Vulnerability Reporting Program via HackerOne, automated security scans, and regular penetration testing.
hackerone.comInfrastructure
Hosted on AWS data centers, described as housed separately from Recorded Future's own offices and distributed globally, with two-factor VPN access controls.
recordedfuture.com// Products & data scope
data: Ingests and correlates open web, dark web, technical, and human-source data into an Intelligence Graph; this is the system in scope for the published SOC 3 report.
Core enterprise product; used by 1,900+ customers across 80+ countries per vendor homepage claims.
data: Analyst-authored reports and the annual 'State of Security' report; does not itself process customer data.
Editorial/research arm, distinct data-handling profile from the live platform.
data: AI-assisted correlation, alert triage, and automated response layered on top of the core platform's Intelligence Graph.
Newer product line; no separate published certification or explicit customer-data-training disclosure found for this specific AI layer.
data: Domain, vendor-risk, brand-abuse, and credential-exposure monitoring built on the same core platform and data boundary.
Marketed as modules of the single Intelligence Platform rather than separately certified products.
// What to watch
- Publicly posted SOC 3 report covers only the Security and Availability trust services categories (not Confidentiality, Processing Integrity, or Privacy) for the period June 1, 2023 to May 31, 2024; no more recent public SOC report was found, though a current attestation is likely available via the gated Conveyor trust center (unverified here).
- Host-vs-vendor cert ambiguity: PCI DSS applies to the underlying AWS infrastructure, not to Recorded Future itself -- do not list PCI DSS as a Recorded Future certification.
- Third-party aggregator sites (not the vendor) assert HIPAA, PCI, and CSA STAR Level 1 compliance for Recorded Future; none of this could be corroborated on recordedfuture.com or the relevant registries, so these are graded held=false here. Treat third-party compliance-scanner claims with caution.
- No vendor-published Data Processing Agreement (DPA) or subprocessor list was found on public pages; likely available under contract for enterprise customers but unconfirmed publicly.
- No explicit disclosure of whether the newer 'Recorded Future AI' / Autonomous Threat Operations features train on customer data, despite heavy AI marketing on the homepage; no AI-governance certification (ISO/IEC 42001, CSA STAR AI) held.
- Company was acquired by Mastercard (deal closed December 2024); prior majority owner was Insight Partners. Relevant context for procurement/data-flow questions, not itself a security gap.
// At a glance
Pricing model
Enterprise subscription, quote/demo-based (no public self-serve pricing).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Recorded Future, Inc. (a Mastercard company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
app.conveyor.com