// Trust & Security Report

    Recursion Pharmaceuticals, Inc. logo

    Recursion Pharmaceuticals, Inc.

    Recursion OS, a proprietary AI-driven drug discovery and development platform (phenomics, transcriptomics, proteomics, ADME, and de-identified patient data run through machine learning models on the NVIDIA-built BioHive-2 supercomputer). This is not a self-serve SaaS product with paying end users; Recursion is a NASDAQ-listed clinical-stage TechBio company that uses the platform internally and via pharma/technology partnerships to advance its own drug pipeline (e.g. REC-4881, REC-3565, REC-3964).

    Certifications held

    1

    Maturity

    Unknown

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (posture)
    HELD

    "If the GDPR applies to our processing of your Personal Data... you have the right to lodge a complaint with a supervisory authority... Recursion has put in place lawful transfer mechanisms and adequate safeguards, in accordance with applicable legal requirements" (Standard Contractual Clauses referenced for non-EEA transfers)

    Verify on recursion.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    no public evidence: no trust center, security page, or SOC 2 mention found on recursion.com; not referenced in privacy notice, terms of use, or investor-relations filings

    source: recursion.com
    ISO 27001
    NOT CONFIRMED

    no public evidence: no ISO 27001 certification, badge, or reference found on any recursion.com page or in SEC filings reviewed

    source: recursion.com
    HIPAA
    NOT CONFIRMED

    no public evidence: privacy notices distinguish general website visitors, research participants, and study-site personnel and reference health/medical data handling in a clinical-trial context, but no HIPAA compliance attestation, Business Associate Agreement program, or HIPAA badge is published on recursion.com

    source: recursion.com
    PCI DSS
    NOT CONFIRMED

    no public evidence: Recursion does not process consumer payment cards as part of its drug-discovery platform; no PCI DSS reference found on vendor domain

    source: recursion.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    no public evidence found on recursion.com

    source: recursion.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    no public evidence: no AI-governance certification referenced anywhere on recursion.com

    source: recursion.com
    CSA STAR / CSA STAR AI
    NOT CONFIRMED

    no public evidence found on recursion.com

    source: recursion.com
    FedRAMP
    NOT CONFIRMED

    no public evidence; Recursion is not a government cloud service provider and no FedRAMP reference exists on its site

    source: recursion.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Not specified on the vendor site; Recursion is headquartered in Salt Lake City, UT (US) and its privacy notice discloses that Personal Data 'may be transferred and maintained outside your state, province, country, or other jurisdiction,' with Standard Contractual Clauses used for transfers out of the EEA/UK where adequacy does not apply.

    Recursion's AI models are trained on its own proprietary, internally generated biological/chemical dataset (>50 petabytes of phenomics, transcriptomics, proteomics, ADME, and de-identified patient data) captured by its automated wet lab, not on data uploaded by external SaaS customers. There is no self-serve product where third-party users submit data for model training, so 'trains on customer data' does not map cleanly to this vendor; treat as not applicable rather than a confirmed no. No public opt-out mechanism is described because there is no customer-data-training pipeline to opt out of.

    // Security controls

    Encryption in transit / at rest

    Not publicly specified. Privacy notice states only generic 'physical, technical, and administrative safeguards' with an explicit disclaimer that Recursion 'is not able to guarantee security for data collected through our Website.'

    recursion.com

    Security governance

    Cybersecurity processes are overseen by the Audit Committee of the Board of Directors, which receives quarterly briefings from senior leadership including the Chief Information Security Officer on information security risk, strategy, and effectiveness. Disclosed as required SEC Item 1C cybersecurity governance disclosure.

    sec.gov

    Incident history

    10-K discloses the company has experienced cybersecurity incidents in the past but none determined to be material to date.

    sec.gov

    Vendor/third-party risk management

    Third-party service providers acting on Recursion's behalf must execute agreements including confidentiality requirements and may only process Personal Data as necessary to perform their function; a separate 'Vendor Expectations Manual & Resources' is published for Recursion's own suppliers.

    recursion.com

    // Products & data scope

    Recursion OSInternal AI drug-discovery and development platform

    data: Proprietary phenomics/transcriptomics/proteomics/ADME data and de-identified patient data generated by Recursion's automated wet lab; not customer-uploaded data

    Core platform combining wet-lab automation, imaging, and machine learning; not sold as a standalone SaaS product to the public.

    Pharma & technology partnershipsB2B collaboration / data & compute partnerships

    data: Shared datasets, compute access (e.g. NVIDIA BioHive-2), and co-developed models with named enterprise partners under bespoke contracts

    Security/compliance terms for these partnerships are governed by individually negotiated agreements, not published publicly; no evidence available to grade.

    Clinical trial programsDrug pipeline / clinical research

    data: Research participant health data and study-site personnel data, each covered by a distinct published privacy notice

    GDPR-relevant where trials run in the EU; special-category health data processing is acknowledged with additional legal bases described.

    // What to watch

    • No public trust center, security page, or third-party certification (SOC 2, ISO 27001, HIPAA, ISO 42001, CSA STAR, FedRAMP) found anywhere on recursion.com despite the company being a large, NASDAQ-listed, decade-old organization handling sensitive health/clinical-trial data - notable given its scale and the sensitivity of the data it processes.
    • Company is not a conventional B2B SaaS AI tool; it is a publicly traded drug-discovery company that uses AI internally. Listing it alongside typical developer/enterprise AI tools in AIFOXX may need a distinct category or caveat since most compliance fields (pricing, self-hosting, customer DPA) do not map cleanly onto its business model.
    • 'Trains on customer data' is not a meaningful question for this vendor in the way it is for SaaS AI tools - there is no customer-data-upload product - so this field is recorded as null/not-applicable rather than a confirmed answer.
    • Cybersecurity governance and incident-history disclosures come from SEC 10-K filings (sec.gov), which are the vendor's own regulatory filings but not hosted on the recursion.com domain; treated as supporting context only, not used to grade any certification held=true.

    // At a glance

    Pricing model

    Not applicable in the traditional SaaS sense; Recursion is a publicly traded (NASDAQ: RXRX) clinical-stage biotech that monetizes through its own drug pipeline and negotiated pharma/technology partnerships, not per-seat or usage-based software pricing.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Recursion Pharmaceuticals, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    recursion.com

    > Browse all vendor trust reports