Security
Customer Trust Portal
overview
Trust Rubrik
At Rubrik, we care about you - Our Customer
To succeed and earn your trust, Rubrik needs to meet your expectations every single day, with every interaction. Rubrik also knows that trust starts with security and transparency. This page will help you find information on Rubrik's security, privacy and compliance practices.
Compliance & Privacy
Compliance Program
Rubrik Security Cloud products and services are regularly and independently verified against industry-leading compliance, privacy, and security standards to help support your organization’s compliance needs. Learn more about Rubrik’s Compliance program by navigating to https://www.rubrik.com/compliance-program.
Privacy Policy
Rubrik maintains a privacy program that monitors regulatory requirements with oversight from dedicated privacy personnel. Learn more about Rubrik’s privacy policy by navigating to https://www.rubrik.com/en/privacy-policy.
Reports
Rubrik’s compliance certifications and attestations are available under NDA. Please reach out to your Rubrik representative to get access to these reports. Kindly reach out to customertrust@rubrik.com for more information about Rubrik’s compliance certifications and programs.
Security Culture
Security Team
Under the leadership of the CISO, Rubrik maintains a dedicated, globally distributed security team that focuses on product and enterprise security capabilities such as secure product development and testing, cloud security, endpoint, user and communications security, vulnerability management, incident management, security culture and training, secure logging and monitoring, security governance, security risk management, supplier risk management, and identity and access management.
Background checks
Background checks are performed upon hire for all Rubrik employees based in the U.S and some other countries based on allowed local laws. Rubrik employees are required to sign confidentiality agreements upon hire.
Security Awareness
Policies
Rubrik has developed a set of security policies covering a broad range of topics relevant to Rubrik’s operating environment based on ISO 27001. In addition to requiring users to acknowledge understanding of these policies upon hire, and through mandated annual training, they are made available on the intranet to all employees and contractors with access to Rubrik information assets.
Training
All employees and contractors with access to Rubrik information assets are required to complete security and privacy awareness training, upon hire and annually thereafter. Rubrik conducts regular phishing campaigns across the company, providing customized role-based training and in-the-moment nano training to relevant users across the company based on identified risk factors.
Product Security & Testing
Secure Product Development
Rubrik secure SDLC spans four stages in the product development lifecycle which includes secure design, secure coding, secure testing and secure release. The Software Development Lifecycle Policy dictates delivery, review and merge processes to minimize rollbacks, downtime, design flaws and security incidents.
Rubrik engineers follow secure code practices that span OWASP Top 10 security risks, common attack vectors and Rubrik security controls. Rubrik leverages secure open-source frameworks with security controls in place to limit exposure to OWASP Top 10 security risks. These inherent controls reduce Rubrik’s exposure to injections, broken authentication and session management, cross-site scripting (XSS), insecure direct object references, missing function level access control, cross-site request forgery (CSRF), unvalidated redirects and forwards among other risks
Quality Assurance
Rubrik has a team responsible for conducting quality assurance (QA) and maintaining systems needed for testing. Application security engineers on staff identify, test and triage security vulnerabilities in code. Testing and staging environments are logically separated from the production environment. Customer data is not used in Rubrik’s development or test environments (e.g., cloud deployments).
Vulnerability Management
Rubrik employs security tooling to continuously and dynamically scan their products and related infrastructure against common security vulnerabilities. Rubrik maintains a dedicated in-house product security team to continuously test and drive remediation of any discovered issues based on internally defined service level agreements (SLAs). The source code repositories for Rubrik platforms are also scanned for security issues.
Vulnerability Reporting
Rubrik recommends that security researchers share the details of any suspected vulnerabilities across any asset owned, controlled, or operated by Rubrik, Inc. (or that would reasonably impact the security of Rubrik, Inc. and our users) using the web form below. The Rubrik, Inc. Security team will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution. You can find Rubrik's Vulnerability Disclosure Policy here: https://www.rubrik.com/legal/responsible-disclosure-policy.
Independent Security / Penetration Testing
In addition to the internal vulnerability management and security testing program, independent third-party penetration testers perform application penetration tests prior to general availability (GA) of major product releases which covers OWASP Top 10 and threat modeling of new product features.
Encryption
Encryption in Transit
All communications with Rubrik UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2+) over public networks. This ensures that all traffic between customer environments and Rubrik is secure during transit.
Encryption at Rest
Rubrik product offerings support AES-256 key encryption.
Operations Security
Data Center Security
Rubrik hosts internal engineering and product development servers at a co-location service provider with state-of-the-art physical security measures. The co-location provider maintains high SLAs for availability, redundancy, and disaster recovery to support Rubrik’s business continuity plans. Rubrik relies on third party suppliers, such as Microsoft Azure and Google Cloud Platform, for physical security and management of the facilities used in providing services. For information about some of Rubrik's cloud providers Platform's physical security measures, please see these pages for more information:
Rubrik uses third-party SaaS services and co-location data services providers to manage Rubrik’s IT operations. Rubrik’s HR systems, email and calendaring, internal communications, requirements and ticketing management systems use best-of-breed SaaS services. These services offer more than requisite SLAs for availability, reliability and security.
On-Site Security
On-site security at Rubrik’s core working sites (including HQ) includes a number of features such as security guards, badging, cameras, fencing, security feeds, intrusion detection technology, and other security measures.
Supplier Security
Rubrik evaluates suppliers & subcontractors through an established supplier security risk management program. Suppliers are reviewed through Rubrik's Procurement and Supplier Security process, which assesses suppliers based on the criticality of the services they provide. Suppliers are reviewed on an annual basis, and are evaluated for adherence to standards and terms, as described in the contract, which may also include signing Data Processing Addendums.
Rubrik works with multiple third parties to provide the Support and SaaS Services. Information about our sub-processors can be found at https://www.rubrik.com/en/legal/rubrik-subprocessors.
Network Security
Protection
Rubrik’s architecture consists of multiple layers of data security including a DMZ, bastion hosts, and IPtables. The network is protected through the use of firewalls and advanced malware protection. Rubrik also leverages security tooling for SaaS and endpoint based malware prevention. Rubrik’s site reliability, support and engineering teams are globally distributed for 24/7/365 coverage.
Intrusion Detection and Prevention
Rubrik’s intrusion detection tool provides vulnerability protection, network anti-malware and anti-spyware that scans network traffic for threats. The threat prevention service looks for threats at all points within the cyber attack lifecycle, not just when it first enters the network, thus providing a layered defense, zero trust model with prevention at all points.
Security Monitoring and Alerting
Rubrik has security capabilities in place to detect data exfiltration through Rubrik provided laptops, workstations and cloud environments. Rubrik also monitors the on-prem and multi-cloud environment 24x7, detects security threats, investigates and responds to security events and incidents. In addition to capabilities such as log storage, search and indexing, Rubrik’s SIEM solution supports threat detection, monitoring and response, threat hunting, machine learning and digital forensics.
Logical Access
Access to Rubrik’s production environment is restricted on an explicit need-to-know basis, utilizes least privilege, and is logged and monitored. Employees accessing the Rubrik production network are required to use multi-factor authentication. All access to critical applications sit behind SSO with MFA enabled.
Security Incident Response
Rubrik’s Security Incident Response Team (SIRT) is responsible for responding to security incidents. SIRT manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to our products and networks.
In case of a system alert, events are escalated to Rubrik’s 24/7 teams that provide operations, network engineering, and security coverage. Employees are trained on security incident reporting and response processes, including communication channels and escalation paths. In case of a Rubrik related security incident, customers should contact security@rubrik.com.
Availability & Continuity
Uptime/ System Status
Rubrik recognizes the importance of visibility that Rubrik’s customers expect in the system availability, scheduled maintenance, and overall reliability of Rubrik SaaS products. Navigate to status.rubrik.com to get a view into the current system status as well as the historic system up time of the Rubrik SaaS production.
Business Continuity and Disaster Recovery
Rubrik’s business continuity and disaster recovery program is designed to address the risks when Rubrik services are unavailable. Business continuity and disaster recovery plans are reviewed annually and are periodically tested through tabletop tests, functional tests, or actual incidents. Rubrik also leverages leading providers that provide systems and services with high availability and redundancy.
For Rubrik products, which are hosted and managed by customers, Rubrik does not manage or control the use of the products and as such, does not provide a RPO or RTO of the services. For Rubrik products and services that are fully hosted and managed by Rubrik, Rubrik does not provide specific RTO or RPO timelines, but provide service SLAs instead.
AI Principles & FAQs
For years Rubrik has leveraged machine learning to help our customers protect their data. With the advent of modern Generative AI technology, Rubrik continues to innovate and improve our platform to help customers harness the advantages of this powerful technology. For example, Rubrik offers AI-powered features that customers can use to manage and respond to cyberattacks and operational failures in their environments.
Rubrik is committed to safe, secure, transparent, and ethical use of all technology, including Generative AI technology, in line with our core company values of Relentlessness, Integrity, Velocity, Excellence and Transparency (RIVET).
Due to the cutting edge nature of Generative AI, customers often have questions about how Rubrik utilizes this technology in its offerings. In addition, we recognize that different customers may have different preferences around the use of Generative AI. Accordingly, we are committed to providing customer choice, meaning customers will always have the choice whether or not to use Generative AI features in our products. With the below we answer commonly asked questions.
FAQs
Rubrik continues to explore ways to leverage Generative AI to innovate and deliver results for our customers. Rubrik’s generally available Generative AI features are Annapurna and Ruby.
Annapurna is designed to enable AI-driven applications, including those that handle sensitive data, like customer support or finance, that will meet the needs of business and security leaders. With Annapurna, Rubrik customers can create natively built chatbots and API endpoints all within the Rubrik Security Cloud (RSC) UI to securely query their backup data directly through RSC or with downstream applications. Annapurna users currently have the option to leverage Large Language Models (LLMs) from Microsoft Azure OpenAI Service or Amazon Bedrock.
Annapurna is not enabled by default and is available for purchase as a separate offering. To learn more about Annapurna, visit https://www.rubrik.com/products/annapurna.
Ruby is a Generative AI chat companion provided within RSC. Ruby simplifies and enhances user interactions with RSC and makes it easier for our customers to understand, use, and manage RSC features. Ruby currently leverages Microsoft Azure OpenAI Service and Rubrik-provided content (such as our technical documentation) and matches user intent to a defined workflow based on a pre-trained model.
Ruby has multiple skills, and Rubrik intends to continue launching new skills for Ruby over time. Some skills are available for all customers, while some of the more advanced Ruby capabilities require an Enterprise Edition or Proactive Edition license. Currently, Ruby’s skills include: answering questions about RSC configuration and troubleshooting, providing general information about security and RSC, and providing recommendations to remediate cyber incidents using Sensitive Data Monitoring, Threat Containment, and Cyber Recovery. When Ruby recommends actions, its recommendations are based on the Role-Based Access Control (RBAC) permissions of the user account. Actions that do not correlate to user account permissions are not available. Moreover, user confirmation is required before Ruby proceeds with any recovery or quarantine action.
Ruby is not enabled by default and requires opting in. To learn more about Ruby, visit https://www.rubrik.com/products/ai-powered-cyber-recovery.
Predibase by Rubrik is a platform that simplifies the fine-tuning and serving of open-source AI models, including LLMs, enabling organizations to deploy specialized AI solutions quickly, efficiently, and cost-effectively. To learn more about Predibase, visit https://predibase.com/.
Yes.
Rubrik is committed to providing customers with choice around the use of Generative AI features.
Annapurna is not enabled by default and is available for purchase as a separate product that must be enabled in the RSC UI. To learn more about Annapurna, visit https://www.rubrik.com/products/annapurna.
Ruby is disabled by default and will only be available when enabled by a privileged user in the customer’s account. To learn more about Ruby, please visit https://www.rubrik.com/products/ai-powered-cyber-recovery.
Predibase by Rubrik is not available through the RSC UI and is available for purchase as a separate, standalone product. To learn more about Predibase, visit https://predibase.com/.
Annapurna users currently have the option to leverage LLMs from Microsoft Azure OpenAI Service or Amazon Bedrock. Annapurna’s secure embeddings are stored in Pinecone, a third party vector database. To learn more about Annapurna, visit https://www.rubrik.com/products/annapurna.
Ruby currently uses Microsoft Azure OpenAI Service so that all inputs stay within Rubrik’s secure Microsoft Azure instance. To learn more about Ruby, please visit https://www.rubrik.com/products/ai-powered-cyber-recovery.
Predibase by Rubrik leverages a proprietary model hosting system based on LoRA eXchange, an open source framework developers use to serve thousands of fine-tuned AI models on a single GPU. Customers can use Predibase to access and deploy third party models from Hugging Face. Customers can optionally connect to their own Hugging Face account to fine-tune and serve their custom models, or their own OpenAI account to synthetically augment their fine-tuning datasets.
Annapurna and Ruby both currently leverage pre-trained Large Language Models (LLM) provided by Microsoft Azure OpenAI Service. No customer data is used to train or fine-tune the model.
Predibase by Rubrik gives customers access to multiple open source pre-trained LLMs through Hugging Face. Predibase provides an enterprise-grade platform for customers to select, fine-tune, and deploy specialized models of their choice. Customers choose what data they use to fine-tune their own models, which are not shared with other customers and are not used by Rubrik or Predibase.
Annapurna and Ruby both currently leverage pre-trained third party LLMs. Customer queries and prompts are not used to train or fine-tune the model.
Some of our Generative AI features may ask for optional feedback from users and may give users the option of including the chat transcript as part of the feedback. Such feedback is optional; if provided, it may be used by Rubrik for troubleshooting, analytics, and feature improvement but will not be used to train or fine-tune any Generative AI model.
Predibase by Rubrik gives customers access to multiple open source pre-trained LLMs through Hugging Face. Predibase provides an enterprise-grade platform for customers to select, fine-tune, and deploy specialized models of their choice. Customers choose what data they use to fine-tune their own models, which are not shared with other customers and are not used by Rubrik or Predibase.
Chat transcripts generated by use of Ruby and Annapurna by customers are stored in the customer’s tenant-specific database in RSC to provide customers with their chat history. Chat transcripts are stored until deleted by the customer.
Predibase by Rubrik does not store inputs or outputs made to or by customer models by default. Customers may opt-in to logging the requests and responses of their models deployed on Predibase for the purpose of allowing the customer to more easily create new fine-tuning datasets. Logged requests and responses are not used by Rubrik or Predibase.
Rubrik is committed to ensuring that its Generative AI features are safe, secure, and transparent, and is continually working to improve the accuracy and relevance of AI-powered content. Rubrik has evaluated and tested its currently available Generative AI features to assess their accuracy and reliability and continues to explore ways to enhance the accuracy and performance of these features.
Annapurna uses RSC’s built in Role Based Access Controls (RBAC) to provide permissions to view, manage and use chatbots. Roles can be created and managed at the chatbot level to enable these capabilities for the appropriate users. When an end-user or app requests access to data from Annapurna, it reaches out to the corresponding source application to validate the user's permissions to the source data. This way, permission validation is always up-to-date, and revoked permissions on production are reflected in Annapurna.
Before enabling Ruby, a customer’s privileged users are notified that the tool is an AI-powered chatbot and that its use is optional. When users interact with Ruby, recommended actions are based on the RBAC permissions of the user account and will always require user confirmation before proceeding with any recovery or quarantine action. RSC audit logs also indicate the user account that confirmed the specific actions performed using Ruby for monitoring and transparency purposes.
Predibase hosted models are secured by API access tokens that restrict who within a customer’s organization has access to each model. Predibase also offers the capability to securely deploy models within the customer’s Virtual Private Cloud (VPC) and to restrict all requests to the model to VPC peering, enabling customers to ensure that their private models cannot be accessed by unauthorized users or malicious actors outside of their VPC.
Rubrik is continually working on innovative ways to improve cyber resilience and secure our customers’ data.
Rubrik recently launched Annapurna, a solution that is designed to combine secure data access with high-performing AI models to help organizations deploy production-ready Generative AI applications with secure access to data across on-premises, cloud, and SaaS environments. Currently customers can leverage models powered by Microsoft Azure OpenAI Service and Amazon Bedrock, with more leading foundation models to follow.
Stay tuned here for more information as we continue to roll out exciting new developments.
SAFE HARBOR STATEMENT
Any unreleased services or features referenced here are not generally available and may not be made generally available on time or at all, as may be determined in our sole discretion. Any such referenced services or features do not represent promises to deliver, commitments, or obligations of Rubrik, Inc. and may not be incorporated into any contract. Customers should make their purchase decisions based upon services and features that are currently generally available.
If you have questions, comments, or feedback about Rubrik’s Generative AI features and practices, please reach out to ai-legal@rubrik.com. If you have a privacy concern, complaint, or question, please reach out to privacy@rubrik.com
Learn more