Security

Customer Trust Portal

Download security sheet

overview

Trust Rubrik

At Rubrik, we care about you - Our Customer

To succeed and earn your trust, we need to meet your expectations every single day, with every interaction. We also know that trust starts with security and transparency. This page will help you find information on Rubrik's security, privacy and compliance practices.

Compliance & Privacy

Compliance Program

Rubrik Multi-Cloud Data Control™ products and services are regularly and independently verified against industry-leading compliance, privacy, and security standards to help support your organization’s compliance needs.

Learn more

SOC 2 Type II

The System and Organization Controls (SOC) 2 report demonstrates how Rubrik meets specific controls and objectives in accordance with the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria.

SOC 3

The System and Organization Controls (SOC) 3 report demonstrates how Rubrik meets specific controls and objectives in accordance with the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria. It is a general use report for users needing assurance about Rubrik’s controls and practices and for those who do not have use for a SOC 2 report.

ISO 27001

The International Organization for Standardization (ISO) 27001 standard is an internationally recognized standard. Rubrik is ISO 27001:2013 certified.

FIPS 140-2

FIPS 140-2 is a U.S. government security standard that defines security requirements for cryptographic modules. Rubrik provides customers with the option to use FIPS 140-2 Level 2 validated self-encrypting drives.

DoDIN APL

The Department of Defense Information Network (DoDIN) Approved Product List (APL) provides a consolidated list of products that are approved for purchase by the U.S. Department of Defense (DOD). Rubrik’s Cloud Data Management is classified under Cybersecurity Tools (CST) in the DoDIN APL.

Common Criteria EAL2+

Common Criteria is an internationally recognized set of guidelines that define a framework for evaluating security features and capabilities of IT security products. Rubrik’s flagship product, Cloud Data Management is certified under the Common Criteria EAL2+ requirements.

TRUSTe® Privacy Certification Programs

Rubrik has verified that our privacy programs, policies, and practices meet the requirements of EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield with TRUSTe. To learn more about the TRUSTe verification program click on the TRUSTe verification badge.

EU-U.S. and Swiss-U.S. Privacy Shield Certification

Rubrik is certified with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and is listed on the Department of Commerce’s list of self-certified Privacy Shield participants. Learn more about Privacy Shield here.

Privacy Policy

Learn more about Rubrik’s privacy practices here.

Rubrik’s compliance certifications and attestations are available under NDA. Please reach out to compliance@rubrik.com for more information about Rubrik products and services, including questions regarding Rubrik’s compliance certifications and program.

Human Resources

Security Team

We have a dedicated, globally distributed security team that focuses on product and enterprise security capabilities such as secure product development and testing, cloud security, endpoint, user and communications security, vulnerability management, incident management, security culture and training, secure logging and monitoring, security governance, security risk management, vendor risk management, and identity and access management.

Security Culture and Awareness

Policies

Rubrik has developed a set of security policies covering a broad range of topics relevant to Rubrik’s operating environment. In addition to requiring users to acknowledge understanding of these policies through mandated annual training, they are made available on our intranet to all employees and contractors with access to Rubrik information assets.

Training

All employees and contractors (with access to Rubrik information assets) are required to complete security awareness training, upon hire and annually thereafter. Our product security team conducted bimonthly seminars to train engineers on updates to products and related security topics. We conduct regular phishing campaigns across the company, provide customized role-based training and in-the-moment nano training to relevant users across the company based on identified risk factors. We also have an executive sponsored security campaign called #notonmywatch to actively improve security culture and instill positive security behaviors across Rubrik.

Employee Vetting

Background Checks

Rubrik performs background checks on all new employees in accordance with local laws. Rubrik’s vendors are required to perform background checks on all their employees. The background check includes criminal, education and employment verification.

Confidentiality Agreements

All new hires are required to sign Non-Disclosure and Confidentiality agreements.

Product Security & Testing

Secure Product Development

Rubrik engineers follow secure code practices that span OWASP Top 10 security risks, common attack vectors and Rubrik security controls. Rubrik leverages secure open-source frameworks with security controls in place to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among other risks.

Quality Assurance

We have a team responsible for conducting quality assurance (QA) and maintaining systems needed for testing. Application security engineers on staff identify, test and triage security vulnerabilities in code.

Testing and staging environments are logically separated from the production environment. Customer data is not used in our development or test environments and such data resides in customer owned on-premise or virtual data centers (e.g., cloud deployments).

Vulnerability Management

We employ security tooling to continuously and dynamically scan our products and related infrastructure against common security vulnerabilities. We maintain a dedicated in-house product security team to continuously test and drive remediation of any discovered issues based on internally defined service level agreements (SLAs). The source code repositories for our platform are also scanned for security issues.

Independent Security / Penetration Testing

In addition to our internal vulnerability management and security testing program, Rubrik employs independent, third-party security experts to perform penetration tests prior to general availability (GA) of major product releases.

Encryption

Encryption in Transit

All communications with Rubrik UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2+) over public networks. This ensures that all traffic between customer environments and Rubrik is secure during transit.

Encryption at Rest

Our product offerings support AES-256 key encryption.

Operations Security

Data Center Security

Rubrik hosts internal engineering and product development servers at a co-location service provider with state-of-the-art physical security measures. The co-location provider maintains high SLAs for availability, redundancy, and disaster recovery to support our business continuity plans.

Rubrik uses third-party SaaS services and co-location data services providers to manage our IT operations. Our HR systems, email and calendaring, internal communications, requirements and ticketing management systems use best-of-breed SaaS services. These services offer more than requisite SLAs for availability, reliability and security.

On-Site Security

On-site security at our core working sites (including HQ) includes a number of features such as security guards, badging, cameras, fencing, security feeds, intrusion detection technology, and other security measures.

Data Hosting Location

Rubrik does not host customer data. Customer data resides in customer owned on-premise or virtual data centers (e.g., cloud deployments). In addition, our SaaS product Polaris is designed to only operate on customer metadata such as cluster capacity, number of nodes, object IP address, object capacity, etc.

Network Security

Protection

Our network is protected through the use of next-generation firewalls and advanced malware protection. In addition, we use best of- breed-tools for SaaS and endpoint based malware prevention.

Intrusion Detection and Prevention

Our intrusion detection tool provides vulnerability protection, network anti-malware and anti-spyware that scans all traffic for threats. The threat prevention service looks for threats at all points within the cyber attack lifecycle, not just when it first enters the network, thus providing a layered defense, zero trust model with prevention at all points.

Security Monitoring and Alerting

Rubrik has security capabilities in place to detect data exfiltration through Rubrik provided laptops, workstations and cloud environments. We also monitor our on-prem and multi-cloud environment 24x7, detect security threats, investigate and respond to security events and incidents. In addition to capabilities such as log storage, search and indexing, our SIEM solution supports threat detection, monitoring and response, threat hunting, machine learning and digital forensics.

Logical Access

Access to Rubrik’s production environment is restricted on an explicit need-to-know basis, utilizes least privilege, and is frequently audited and monitored. Employees accessing the Rubrik production network are required to use multiple factors of authentication.

Security Incident Response

In case of a system alert, events are escalated to our 24/7 teams that provide operations, network engineering, and security coverage. Employees are trained on security incident reporting and response processes, including communication channels and escalation paths. In case of a Rubrik related security incident, customers should contact security@rubrik.com.

Availability & Continuity

Uptime

Rubrik is currently working on a publicly available system-status webpage, which includes system availability details, scheduled maintenance, service incident history and relevant security events.

Business Continuity and Disaster Recovery

Rubrik’s business continuity and disaster recovery program is designed to address the risks when Rubrik services are unavailable. Business continuity and disaster recovery plans are reviewed annually and are periodically tested through tabletop tests, functional tests, or actual incidents. Rubrik also leverages leading providers that provide systems and services with high availability and redundancy.

Resources

Cloud Data Management (CDM) data sheet

Get a brief overview of the security capabilities of the CDM product, and the various security measures that we undertake to secure the underlying infrastructure.

View data sheet

Polaris data sheet

Get a brief overview of the security capabilities of the Polaris SaaS product, and the various security measures that we undetake to secure the underlying infrastructure.

View data sheet

Learn more

Don't backup. Go Forward.

InfoSec program summary Contact Us