// Trust & Security Report

    Recorded Future, Inc. (a Mastercard company) logo

    Recorded Future, Inc. (a Mastercard company)

    Cloud threat intelligence platform (Recorded Future Intelligence Platform) built on an Intelligence Graph, spanning modules for Attack Surface Intelligence, Third-Party Intelligence, Brand Intelligence, Identity Intelligence, Geopolitical Intelligence and SecOps Intelligence, plus Insikt Group human-analyst research and newer AI-driven 'Recorded Future AI' / Autonomous Threat Operations automation features. Acquired by Mastercard in December 2024 (previously majority-owned by Insight Partners).

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Report on Recorded Future, Inc.'s Recorded Future Intelligence Platform Relevant to Security and Availability Throughout the Period of June 1, 2023 to May 31, 2024 -- SOC 3(R) - SOC for Service Organizations: Trust Services Criteria for General Use Report.

    Verify on assets.recordedfuture.com
    ISO/IEC 27001:2022
    HELD

    ISO Certifications can be found here. ISO/IEC 27001:2022

    Verify on recordedfuture.com
    ISO/IEC 27701:2019 (Privacy Information Management)
    HELD

    ISO/IEC 27701:2019 ... Is Recorded Future GDPR compliant? Yes. Recorded Future complies with laws applicable to data protection and privacy, including the GDPR and CCPA, and is ISO 27701 certified.

    Verify on recordedfuture.com
    ISO 9001:2015 (Quality Management)
    HELD

    ISO Certifications can be found here. ... ISO 9001:2015

    Verify on recordedfuture.com
    > Show 5 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence. The vendor's own Security FAQ and GRC FAQ pages (which list ISO 27001, ISO 27701, ISO 9001 and reference SOC 2) do not mention HIPAA or a Business Associate Agreement anywhere.

    source: recordedfuture.com
    PCI DSS
    NOT CONFIRMED

    No public evidence that Recorded Future itself holds PCI DSS. The only PCI reference found relates to the underlying AWS infrastructure being PCI DSS certified -- that is the cloud host's certification, not Recorded Future's own.

    source: recordedfuture.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. Not mentioned on the vendor's Security FAQ, GRC FAQ, or trust center overview; a FedRAMP Marketplace search returned no confirmed listing for Recorded Future.

    source: recordedfuture.com
    CSA STAR
    NOT CONFIRMED

    No public evidence on the vendor's own domain. A third-party aggregator site claims 'CSA Star Level 1' but this could not be corroborated on recordedfuture.com or the CSA STAR registry, so it is not counted here.

    source: recordedfuture.com
    ISO/IEC 42001:2023 (AI Management System)
    NOT CONFIRMED

    No public evidence. Despite marketing an 'Autonomous Threat Operations' / 'Recorded Future AI' feature set, no AI-governance-specific certification (ISO 42001, CSA STAR AI) is referenced on the vendor's security or legal pages.

    source: recordedfuture.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Primarily US-hosted on AWS ('Some of our Services are hosted in the United States'), with data centers described as globally distributed; cross-border transfers from the EEA/UK rely on Standard Contractual Clauses. No dedicated EU-only/regional hosting option is documented publicly.

    Security FAQ states Recorded Future uses data in two ways: to deliver the service (queries, alerts, search history) and to use 'unattributed Customer Data' for 'development and improvement, including trend analysis and feature enhancement.' This is generic product-improvement language, not an explicit statement about training the newer 'Recorded Future AI' / Autonomous Threat Operations models, and no opt-out mechanism for this use is described publicly.

    // Security controls

    Encryption at rest

    AES 256-bit encryption; customer data encrypted before database insertion on encrypted AWS EBS volumes with managed key infrastructure.

    recordedfuture.com

    Encryption in transit

    TLS 1.2

    recordedfuture.com

    Secure software development

    References alignment with NIST SSDF (SP 800-218) secure development practices alongside ISO 27001/9001-certified SDLC processes.

    recordedfuture.com

    Access control / authentication

    Multi-factor authentication, single sign-on support, automated account lockouts, restricted access to authorized personnel only.

    recordedfuture.com

    Vulnerability management

    Public bug bounty / Vulnerability Reporting Program via HackerOne, automated security scans, and regular penetration testing.

    hackerone.com

    Infrastructure

    Hosted on AWS data centers, described as housed separately from Recorded Future's own offices and distributed globally, with two-factor VPN access controls.

    recordedfuture.com

    // Products & data scope

    Recorded Future Intelligence PlatformThreat Intelligence Platform

    data: Ingests and correlates open web, dark web, technical, and human-source data into an Intelligence Graph; this is the system in scope for the published SOC 3 report.

    Core enterprise product; used by 1,900+ customers across 80+ countries per vendor homepage claims.

    Insikt Group ResearchThreat Research / Intelligence Reporting

    data: Analyst-authored reports and the annual 'State of Security' report; does not itself process customer data.

    Editorial/research arm, distinct data-handling profile from the live platform.

    Recorded Future AI / Autonomous Threat OperationsAI-powered security automation

    data: AI-assisted correlation, alert triage, and automated response layered on top of the core platform's Intelligence Graph.

    Newer product line; no separate published certification or explicit customer-data-training disclosure found for this specific AI layer.

    Attack Surface / Third-Party / Brand / Identity Intelligence modulesSecurity intelligence sub-modules

    data: Domain, vendor-risk, brand-abuse, and credential-exposure monitoring built on the same core platform and data boundary.

    Marketed as modules of the single Intelligence Platform rather than separately certified products.

    // What to watch

    • Publicly posted SOC 3 report covers only the Security and Availability trust services categories (not Confidentiality, Processing Integrity, or Privacy) for the period June 1, 2023 to May 31, 2024; no more recent public SOC report was found, though a current attestation is likely available via the gated Conveyor trust center (unverified here).
    • Host-vs-vendor cert ambiguity: PCI DSS applies to the underlying AWS infrastructure, not to Recorded Future itself -- do not list PCI DSS as a Recorded Future certification.
    • Third-party aggregator sites (not the vendor) assert HIPAA, PCI, and CSA STAR Level 1 compliance for Recorded Future; none of this could be corroborated on recordedfuture.com or the relevant registries, so these are graded held=false here. Treat third-party compliance-scanner claims with caution.
    • No vendor-published Data Processing Agreement (DPA) or subprocessor list was found on public pages; likely available under contract for enterprise customers but unconfirmed publicly.
    • No explicit disclosure of whether the newer 'Recorded Future AI' / Autonomous Threat Operations features train on customer data, despite heavy AI marketing on the homepage; no AI-governance certification (ISO/IEC 42001, CSA STAR AI) held.
    • Company was acquired by Mastercard (deal closed December 2024); prior majority owner was Insight Partners. Relevant context for procurement/data-flow questions, not itself a security gap.

    // At a glance

    Pricing model

    Enterprise subscription, quote/demo-based (no public self-serve pricing).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Recorded Future, Inc. (a Mastercard company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    app.conveyor.com

    > Browse all vendor trust reports