Recs Studio

Recs Studio

Sign In

Security

Security is built into the architecture of Recs Studio, not bolted on. Every customer runs in a dedicated Google Cloud project with full infrastructure isolation, least-privilege access controls, encrypted data flows, and customer-managed network access.

Infrastructure Isolation

Recs Studio deploys each customer into a separate Google Cloud project. There is no shared compute, shared storage, or shared database between customers. Each project contains:

  • Dedicated Cloud Run service for the Django application
  • Dedicated Cloud SQL PostgreSQL instance for application metadata
  • Dedicated BigQuery dataset for analytics and training data
  • Dedicated Cloud Storage buckets for training artifacts and pipeline staging
  • Dedicated Vertex AI Pipelines, Model Registry, and training jobs
  • Dedicated Cloud Scheduler jobs and Secret Manager secrets

This model gives customers complete control over their project IAM, audit logs, and data residency while allowing Recs Studio to manage the platform software layer.

Network Security

  • Cloud NAT with static IP: Each customer project is configured with a Cloud NAT gateway and a reserved static external IP. All outbound connections from Recs Studio to customer data sources originate from this predictable IP, which customers can whitelist in their database firewalls.
  • No inbound access to customer databases: Recs Studio does not require any inbound firewall rules or deployed agents inside the customer environment.
  • HTTPS everywhere: All public endpoints and inter-service communication use TLS. The website and platform enforce HTTPS through Cloud Run.

Identity and Access Management

  • Least-privilege IAM: Each service (Django app, ETL runner, TFDV parser, training scheduler) runs under its own dedicated service account with only the roles required for its function.
  • Customer-controlled access: Customers own their GCP project and can audit every permission granted to Recs Studio service accounts.
  • Django authentication: Platform access is protected by Django session authentication with CSRF protection for all state-changing requests.

Credential and Secret Management

Database passwords, API keys, and cloud storage credentials are stored in Google Secret Manager, never in the Django database or configuration files. The platform retrieves secrets at runtime using IAM-restricted service accounts.

Encryption

  • In transit: All data is encrypted with TLS 1.2+ when moving between users, services, databases, and cloud APIs.
  • At rest: Google Cloud automatically encrypts data in Cloud SQL, BigQuery, Cloud Storage, and Secret Manager using Google-managed encryption keys. Customers can enable customer-managed encryption keys (CMEK) in their own project if required.

Data Residency and Processing

Customer projects are provisioned in the Google Cloud region that matches the customer's legal, regulatory, and latency requirements. Recs Studio does not copy customer data outside the customer's own GCP project.

Logging and Monitoring

  • Cloud Logging captures application, audit, and infrastructure logs per customer project.
  • Cloud Monitoring tracks endpoint latency, error rates, container instances, and training job health.
  • Every ETL run and training run is tracked with status, metrics, and error classification in the platform UI.

Compliance and Data Protection

Recs Studio leverages Google Cloud's compliance posture (SOC, ISO 27001, GDPR) through the underlying GCP services. For customers subject to GDPR or similar regulations, a Data Processing Addendum (DPA) incorporating the EU Standard Contractual Clauses (SCCs) is available on request.

To request a DPA or security questionnaire, email support@recs.studio.

Security Inquiries

For security questions, vulnerability reports, or compliance documentation, contact us at support@recs.studio.

© 2026 recs.studio
Home About Pricing Customers Support Security Terms of Service Privacy Policy
Request a Demo
Tell us how to reach you and we'll schedule a walkthrough