Sub-Processors
Root uses the following third-party sub-processors in delivering its services:
For the most current and complete sub-processor list, contact security@root.io.
Data Residency
Default: Root processes and stores all customer data in AWS US East (us-east-1). Enterprise options: Contact your Root account representative to discuss data residency requirements for European or other regional compliance needs. What data Root stores:- Registry access logs (which images and packages your organization pulled, and when)
- Vulnerability and patch metadata for your subscribed artifacts
- User account and organization configuration
- SBOM, VEX, and provenance artifacts for your subscribed images and packages
Data Retention
Upon account termination, Root will delete your organization’s data within 30 days upon written request.