Rockset Is Now SOC 2 Type II Compliant

The Rockset team is proud to announce that we have been accredited as SOC 2 Type II compliant. Our customers entrust Rockset with their data, and now they have rigorous, independent assurance that we protect it by following security best practices.

What is SOC 2 Type II?

SOC is one of several System and Organization Controls audits developed by the American Institute of CPAs (AICPA), the world’s largest member association of accountants. Each SOC test evaluates the validity of a business or service provider’s security controls and the operational effectiveness of their systems.

SOC tests differ significantly, however. According to Forbes magazine, SOC 2 “is the most thorough and widely valued of the three SOC reports,” and the Type II accreditation requires “a far more in-depth review” of our data security protocols than the Type I. And MPA (Mortgage Professional America) magazine calls SOC 2 Type II "among the most coveted and hard to obtain information-security certifications."

By achieving SOC 2 Type II compliance, Rockset was able to demonstrate that our information security and data policies, procedures, and practices will protect our customer’s data. It shows that we’ve taken the proper steps to ensure that data is secure.

Scope

What was included in the audit? At a high level, Rockset was assessed on the themes of Security, Confidentiality and Availability for the technical infrastructure and company processes required to produce and support our SaaS service.

• Change management: Updates to the infrastructure, application, UI and API are linked to documented requirements, and merging of new code requires peer review.
• Secrets management: Encryption keys, passwords and other secrets are stored securely in access-controlled vaults with permission granted only on a need basis.
• Metrics-based alerting: Operational performance data feeds into real-time dashboards and alerting systems.
• Security monitoring: Alerts are sent to the security team on a range of events, including unusual outbound connections, anomalous authentication events, and suspicious server processes.
• Hiring, onboarding and off-boarding processes: The People Team ensures the skills and talents of new hires fit the requirements of each open position, conducts screenings during the hiring process, requests appropriate accesses based on role, and confirm these accesses are removed when personnel leave the company.
• Access controls: Access is granted to company resources based on role, and are reviewed on an ongoing basis.
• Vulnerability management: Rockset conducts regular 3rd-party penetration tests and receives vulnerability reports from independent security researchers on an ongoing basis. Security bugs are remediated by priority and tracked to resolution.

What Does This Mean for You?

For enterprises looking to bring on third-party service providers, Rockset’s SOC 2 Type II compliance indicates a level of process maturity that minimizes risk and focuses on the security of customer data.

Rockset’s SOC 2 Type II compliance means that our risk mitigation includes the development of planned policies, procedures, communications and alternative processing solutions to respond to and recover from any business disruption. With this commitment, Rockset is able to ensure the impact of any possible risk to our customers is minimized.

If you want to learn more about what SOC 2 Type II accreditation means for you, check out this comprehensive list from InfoSecurity Magazine.

Our Commitment to Your Data’s Security and Privacy

Before we even founded Rockset, we knew that security and compliance would be front and center when it came to building our data observability platform architecture. In fact, security runs in our DNA. Several of us hail from cybersecurity providers like Palo Alto Networks and/or have cybersecurity certifications.

What is Next?

With SOC 2 Type II, there is no “resting on your laurels.” It is an ongoing commitment. We are constantly striving to exceed the standards, and continually improve our security posture.

If you have questions about Rockset’s SOC 2 Type II compliance, reach out to our team at security@rockset.com. To learn more about Rockset’s Security Design, please visit: https://rockset.com/whitepapers/rockset-security-design

About Martin Englund

Martin Englund is the Information Security Officer at Rockset and member of the Site Reliability Engineering team. He holds a CISSP certification and lives by the motto "The question isn't if you're paranoid, it is if you are paranoid enough".

Martin has over twenty five years of experience in security and automation, and has contributed to numerous open source DevOps tools. Prior to his current role, he has worked as Site Reliability Engineer at Palo Alto Networks and Production Engineer at Facebook.

Before switching fields to Site Reliability Engineering, he was a Principal Security Engineer at Sun Microsystems, where he spent over fifteen years in various security roles throughout the company, co-authored the Solaris Security Essentials book, and authored a security patent.