# Trust Center

> Sub-processors, data residency, and security FAQ for procurement and legal reviews.

Root's Trust Center provides the information procurement, legal, and security teams need to evaluate Root as a vendor.

## Sub-Processors

Root uses the following third-party sub-processors in delivering its services:

| Sub-Processor                 | Purpose                                                               | Location      |
| ----------------------------- | --------------------------------------------------------------------- | ------------- |
| **Amazon Web Services (AWS)** | Cloud infrastructure, compute, storage (S3, RDS, ECR), and networking | United States |
| **SendGrid (Twilio)**         | Transactional email (invitation emails, notifications)                | United States |

For the most current and complete sub-processor list, contact [security@root.io](mailto:security@root.io).

## Data Residency

**Default:** Root processes and stores all customer data in AWS US East (us-east-1).

**Enterprise options:** Contact your Root account representative to discuss data residency requirements for European or other regional compliance needs.

**What data Root stores:**

* Registry access logs (which images and packages your organization pulled, and when)
* Vulnerability and patch metadata for your subscribed artifacts
* User account and organization configuration
* SBOM, VEX, and provenance artifacts for your subscribed images and packages

Root does not store the contents of your container images or application source code.

## Data Retention

| Data Type                           | Retention Period         |
| ----------------------------------- | ------------------------ |
| Registry access logs                | 90 days                  |
| Vulnerability and patch metadata    | Duration of subscription |
| SBOM, VEX, and provenance artifacts | Duration of subscription |
| User account data                   | Until account deletion   |

Upon account termination and on written request, Root will delete your organization's data within 30 days.

## Security FAQ

**Is data encrypted at rest?**
Yes. All data stored by Root uses AES-256 encryption at rest via AWS-managed keys. S3 buckets, RDS databases, and Redis caches are all encrypted.

**Is data encrypted in transit?**
Yes. All communication between Root and customers uses TLS 1.2 or higher. Registry credentials are never transmitted in plaintext.

**How does Root control access to customer data?**
Root engineers do not have standing access to production customer data. Access is granted on a break-glass basis with logging and requires approval.

**Does Root have a SOC 2 report?**
Root's SOC 2 program is in progress. Contact [security@root.io](mailto:security@root.io) for information about Root's current security controls documentation.

**Does Root conduct penetration testing?**
Yes. Contact [security@root.io](mailto:security@root.io) for information about Root's penetration testing program.

**Does Root provide FIPS or STIG documentation?**
Root has published FIPS and STIG attestation materials at [github.com/rootio-avr/fips-attestations](https://github.com/rootio-avr/fips-attestations). Contact [security@root.io](mailto:security@root.io) for current status and availability.

## Legal Documents

For legal and compliance documentation, contact [legal@root.io](mailto:legal@root.io).

| Document                            | How to Access                                                                              |
| ----------------------------------- | ------------------------------------------------------------------------------------------ |
| **Data Processing Agreement (DPA)** | Email [legal@root.io](mailto:legal@root.io) to request                                     |
| **Security questionnaire**          | Email [security@root.io](mailto:security@root.io)                                          |
| **FIPS attestations**               | [github.com/rootio-avr/fips-attestations](https://github.com/rootio-avr/fips-attestations) |
