Root’s Trust Center provides the information procurement, legal, and security teams need to evaluate Root as a vendor.

Sub-Processors

Root uses the following third-party sub-processors in delivering its services:
| Sub-Processor | Purpose | Location |
| --- | --- | --- |
| Amazon Web Services (AWS) | Cloud infrastructure, compute, storage (S3, RDS, ECR), and networking | United States |
| SendGrid (Twilio) | Transactional email (invitation emails, notifications) | United States |
For the most current and complete sub-processor list, contact security@root.io.

Data Residency

Default: Root processes and stores all customer data in AWS US East (us-east-1).

Enterprise options: Contact your Root account representative to discuss data residency requirements for European or other regional compliance needs.

What data Root stores:
  • Registry access logs (which images and packages your organization pulled, and when)
  • Vulnerability and patch metadata for your subscribed artifacts
  • User account and organization configuration
  • SBOM, VEX, and provenance artifacts for your subscribed images and packages
Root does not store the contents of your container images or application source code.

Data Retention

| Data Type | Retention Period |
| --- | --- |
| Registry access logs | 90 days |
| Vulnerability and patch metadata | Duration of subscription |
| SBOM, VEX, and provenance artifacts | Duration of subscription |
| User account data | Until account deletion |
Upon account termination, Root will delete your organization’s data within 30 days of a written request.

Security FAQ

Is data encrypted at rest?
Yes. All data stored by Root uses AES-256 encryption at rest via AWS-managed keys. S3 buckets, RDS databases, and Redis caches are all encrypted.

Is data encrypted in transit?
Yes. All communication between Root and customers uses TLS 1.2 or higher. Registry credentials are never transmitted in plaintext.

How does Root control access to customer data?
Root engineers do not have standing access to production customer data. Access is granted on a break-glass basis with logging and requires approval.

Does Root have a SOC 2 report?
Root’s SOC 2 program is in progress. Contact security@root.io for information about Root’s current security controls documentation.

Does Root conduct penetration testing?
Yes. Contact security@root.io for information about Root’s penetration testing program.

Does Root provide FIPS or STIG documentation?
Root has published FIPS and STIG attestation materials at github.com/rootio-avr/fips-attestations. Contact security@root.io for current status and availability.

Legal and Compliance Documentation

For legal and compliance documentation, contact legal@root.io.

| Document | How to Access |
| --- | --- |
| Data Processing Agreement (DPA) | Email legal@root.io to request |
| Security questionnaire | Email security@root.io |
| FIPS attestations | github.com/rootio-avr/fips-attestations |