Rubrik Compliance Program

overview

Completed Certifications & Attestations

At Rubrik, we understand the importance of building solutions with security, privacy and confidentiality in mind. Our products and services are regularly independently verified for compliance, security, and privacy. We have achieved certifications and attestations of compliance against global standards. Our continued investments in compliance and security are illustrated by the certifications and attestations of compliance below.

Company

Data Compliance

Data privacy and protection lies at the heart of what we do. We are committed to complying with these data privacy frameworks and regulations to keep your data safe.

GDPR Compliant

The General Data Protection Regulation is a European regulation to ensure that companies who do business both within and outside the European Union protect the personal data and privacy of EU citizens by giving individuals greater control over their personal data.

Compliance with the GDPR is a top priority here at Rubrik. We are dedicated to ensuring that your data is secure.

CCPA Compliance

Data Privacy Framework

Rubrik has achieved a certification under the Data Privacy Framework (DPF) which covers EU-US, Swiss-US and UK-US data transfers. The DPF certification highlights Rubrik dedication to upholding the highest standards in data privacy and protection. The DPF certification demonstrates that Rubrik's data handling practices fully comply with the rigorous requirements of the DPF, ensuring your information is managed securely and responsibly. By partnering with Rubrik, you can trust that we adhere to globally recognized privacy standards, providing you with peace of mind and a competitive advantage in safeguarding your data across borders.

APEC PRP

APEC PRP

Rubrik has achieved the APEC Privacy Recognition for Processors (PRP) certification, which underscores our commitment to handling your data with the highest privacy standards. This internationally recognized certification ensures that Rubrik's data processing practices meet stringent APEC requirements, providing you with confidence in the security and integrity of your information. By partnering with Rubrik, you benefit from our ability to facilitate secure cross-border data flows within the APEC region, offering a competitive edge through our recognized commitment to data protection.

Rubrik Security Cloud (RSC) and Support Services

Data Management Applications

By investing in and achieving the compliance certifications and standards below for Rubrik Security Cloud (RSC) SaaS platform and services, we are laying out the foundation for a stronger platform, products, and services.

Rubrik Security Cloud (RSC) Products and Support Services

ISO 27001

ISO 27001 is an internationally recognized information security standard that provides the requirements for an information security management system (ISMS), outlines best practices, and details security controls to help manage information risks.

Rubrik Security Cloud SaaS platform is certified as ISO 27001, ISO 27017 and ISO 27018 compliant. The 27001 standard does not require specific information security controls, but it provides a framework upon which Rubrik is constantly building to ensure a comprehensive model of information security controls.

ISO 27017

ISO 27018

ISO 27018 is a reference for selecting personally identifiable information (PII) protection controls when implementing a cloud computing information security management system based on ISO 27001, or as guidance for implementing commonly accepted PII protection controls for organizations acting as public cloud PII processors based on the ISO 27002 standard.

SOC 2 Type II

SOC 2 reports on the controls at a service organization relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. At Rubrik, we are SOC 2 Type II certified against the security, confidentiality and availability criteria.

Rubrik Security Cloud SaaS platform and Cluster Software Support Services undergo SOC 2 compliance annually with regards to the security, confidentiality, and availability criteria. Rubrik regularly undergoes a third-party audit to ensure continued compliance with these criteria.

SOC 3

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

Rubrik Security Cloud SaaS platform and Cluster Software Support Services undergo an independent third-party audit review against HIPAA on an at least annual basis.

BSI C5

US Government Solutions

Manage & Protect Your Data

At Rubrik, we continue to invest in US government solutions, and support key standards and frameworks to build a strong foundation that simplifies how you manage and protect government data. For government compliance inquiries reach out to fedramp@rubrik.com.

US Government Solutions

FedRAMP (Moderate)

GovRAMP (Moderate)

GovRAMP promotes cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve. GovRAMP’s governance committees adopt policies and procedures that standardize security requirements for providers. GovRAMP’s Program Management Office then verifies that those cloud offerings utilized by government satisfy adopted security requirements through independent audits and continuous monitoring. Products that are working towards or have achieved GovRAMP Authorizations are included on the GovRAMP Authorized Products List. Rubrik Security Cloud - Government (RSC-G) has achieved a Moderate level authorization. The list of participating governments is growing.

TX-RAMP (Level 2)

TX-RAMP (Level 2) (Rubrik Security Cloud - Government)

The Texas Risk and Authorization Management Program (TX-RAMP) is a program that provides review of security measures taken by cloud products and services that transmit data to Texas state agencies. Cloud service providers like Rubrik must demonstrate compliance with the security criteria to receive and maintain a TX-RAMP certification for a cloud computing service. Rubrik Security Cloud - Government (RSC-G) has achieved a Level 2 authorization.

CJIS Attestation

CJIS Attestation (Rubrik Security Cloud - Government)

The U.S Federal Government’s Criminal Justice Information Services (CJIS) Security Policy provides participating Criminal Justice Agencies (CJA) and Noncriminal Justice Agencies (NJCA) with a minimum set of security requirements for access to FBI CJIS systems, and information requirements for the protection and safeguarding of CJI. Rubrik’s third-party Attestation confirms that Rubrik Security Cloud - Government (RSC-G) is maintaining a cyber security program consistent with the applicable federal and state laws, regulations, and standards. States wishing to ensure their full compliance with CJIS policy must also execute an Information Agreement and CJIS Security Addendum between their state’s CJIS Authority and Rubrik.

HIPAA

Rubrik is a Business Associate to Covered Entity Customers under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is focused on ensuring the privacy and security of protected health information of individuals. Rubrik Security Cloud - Government (RSC-G) has a third party Attestation of Compliance with HIPAA Requirements covering HIPAA’s Privacy, Security, and Breach Notification Rules.

FERPA Attestation

The U.S Federal Government’s Family Education Rights and Privacy Act (FERPA) refers to requirements that U.S. academic institutions must adhere to when handling sensitive student data, including educational information and PII. These requirements cover cybersecurity, administrative privacy measures, and disclosures of rights to parents and students.

To the extent Rubrik handles student education records within Rubrik Security Cloud - Government (RSC-G), our cloud service aligns to the limitations and requirements imposed by 34 CFR 99.33(a).

Cybersecurity Maturity Model Certification (CMMC)

The Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) establishes software conformance to the NIST 800-171 standard (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations). Rubrik Security Cloud - Government has a third party Attestation for CMMC L2. Rubrik Security Cloud - Private / CDM has a Controls Analysis Summary against the CMMC L2 controls set.

DoDIN APL

Common Criteria

FIPS 140

Executive Order 14028

EO14028

Executive Order 14028 on Improving the Nation’s Cybersecurity is intended to enhance federal cybersecurity. In accordance with this EO, Rubrik adheres to certain baseline security standards for development of software sold to the government and supply chain security associated with the software. We maintain Attestations for Rubrik products meeting EO14028 requirements within the government’s Repository for Software Attestations and Artifacts web site.

Learn more

Rubrik Compliance Program

Completed Certifications & Attestations