// Trust & Security Report
Recursion Pharmaceuticals, Inc.
Recursion OS, a proprietary AI-driven drug discovery and development platform (phenomics, transcriptomics, proteomics, ADME, and de-identified patient data run through machine learning models on the NVIDIA-built BioHive-2 supercomputer). This is not a self-serve SaaS product with paying end users; Recursion is a NASDAQ-listed clinical-stage TechBio company that uses the platform internally and via pharma/technology partnerships to advance its own drug pipeline (e.g. REC-4881, REC-3565, REC-3964).
Certifications held
1
Maturity
Unknown
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on recursion.com“"If the GDPR applies to our processing of your Personal Data... you have the right to lodge a complaint with a supervisory authority... Recursion has put in place lawful transfer mechanisms and adequate safeguards, in accordance with applicable legal requirements" (Standard Contractual Clauses referenced for non-EEA transfers)”
> Show 8 unconfirmed / not-held certifications
source: recursion.comno public evidence: no trust center, security page, or SOC 2 mention found on recursion.com; not referenced in privacy notice, terms of use, or investor-relations filings
source: recursion.comno public evidence: no ISO 27001 certification, badge, or reference found on any recursion.com page or in SEC filings reviewed
source: recursion.comno public evidence: privacy notices distinguish general website visitors, research participants, and study-site personnel and reference health/medical data handling in a clinical-trial context, but no HIPAA compliance attestation, Business Associate Agreement program, or HIPAA badge is published on recursion.com
source: recursion.comno public evidence: Recursion does not process consumer payment cards as part of its drug-discovery platform; no PCI DSS reference found on vendor domain
source: recursion.comno public evidence found on recursion.com
source: recursion.comno public evidence: no AI-governance certification referenced anywhere on recursion.com
source: recursion.comno public evidence; Recursion is not a government cloud service provider and no FedRAMP reference exists on its site
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Not specified on the vendor site; Recursion is headquartered in Salt Lake City, UT (US) and its privacy notice discloses that Personal Data 'may be transferred and maintained outside your state, province, country, or other jurisdiction,' with Standard Contractual Clauses used for transfers out of the EEA/UK where adequacy does not apply.
Recursion's AI models are trained on its own proprietary, internally generated biological/chemical dataset (>50 petabytes of phenomics, transcriptomics, proteomics, ADME, and de-identified patient data) captured by its automated wet lab, not on data uploaded by external SaaS customers. There is no self-serve product where third-party users submit data for model training, so 'trains on customer data' does not map cleanly to this vendor; treat as not applicable rather than a confirmed no. No public opt-out mechanism is described because there is no customer-data-training pipeline to opt out of.
// Security controls
Encryption in transit / at rest
Not publicly specified. Privacy notice states only generic 'physical, technical, and administrative safeguards' with an explicit disclaimer that Recursion 'is not able to guarantee security for data collected through our Website.'
recursion.comSecurity governance
Cybersecurity processes are overseen by the Audit Committee of the Board of Directors, which receives quarterly briefings from senior leadership including the Chief Information Security Officer on information security risk, strategy, and effectiveness. Disclosed as required SEC Item 1C cybersecurity governance disclosure.
sec.govIncident history
10-K discloses the company has experienced cybersecurity incidents in the past but none determined to be material to date.
sec.govVendor/third-party risk management
Third-party service providers acting on Recursion's behalf must execute agreements including confidentiality requirements and may only process Personal Data as necessary to perform their function; a separate 'Vendor Expectations Manual & Resources' is published for Recursion's own suppliers.
recursion.com// Products & data scope
data: Proprietary phenomics/transcriptomics/proteomics/ADME data and de-identified patient data generated by Recursion's automated wet lab; not customer-uploaded data
Core platform combining wet-lab automation, imaging, and machine learning; not sold as a standalone SaaS product to the public.
data: Shared datasets, compute access (e.g. NVIDIA BioHive-2), and co-developed models with named enterprise partners under bespoke contracts
Security/compliance terms for these partnerships are governed by individually negotiated agreements, not published publicly; no evidence available to grade.
data: Research participant health data and study-site personnel data, each covered by a distinct published privacy notice
GDPR-relevant where trials run in the EU; special-category health data processing is acknowledged with additional legal bases described.
// What to watch
- No public trust center, security page, or third-party certification (SOC 2, ISO 27001, HIPAA, ISO 42001, CSA STAR, FedRAMP) found anywhere on recursion.com despite the company being a large, NASDAQ-listed, decade-old organization handling sensitive health/clinical-trial data - notable given its scale and the sensitivity of the data it processes.
- Company is not a conventional B2B SaaS AI tool; it is a publicly traded drug-discovery company that uses AI internally. Listing it alongside typical developer/enterprise AI tools in AIFOXX may need a distinct category or caveat since most compliance fields (pricing, self-hosting, customer DPA) do not map cleanly onto its business model.
- 'Trains on customer data' is not a meaningful question for this vendor in the way it is for SaaS AI tools - there is no customer-data-upload product - so this field is recorded as null/not-applicable rather than a confirmed answer.
- Cybersecurity governance and incident-history disclosures come from SEC 10-K filings (sec.gov), which are the vendor's own regulatory filings but not hosted on the recursion.com domain; treated as supporting context only, not used to grade any certification held=true.
// At a glance
Pricing model
Not applicable in the traditional SaaS sense; Recursion is a publicly traded (NASDAQ: RXRX) clinical-stage biotech that monetizes through its own drug pipeline and negotiated pharma/technology partnerships, not per-seat or usage-based software pricing.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Recursion Pharmaceuticals, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
recursion.com