Trust Rubrik
At Rubrik, we care about you - Our Customer
To succeed and earn your trust, we need to meet your expectations every single day, with every interaction. We also know that trust starts with security and transparency. This page will help you find information on Rubrik's security, privacy and compliance practices.
Compliance & Privacy
Compliance Program
Rubrik Multi-Cloud Data Control™ products and services are regularly and independently verified against industry-leading compliance, privacy, and security standards to help support your organization’s compliance needs.
SOC 2 Type II
The System and Organization Controls (SOC) 2 report demonstrates how Rubrik meets specific controls and objectives in accordance with the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria.
SOC 3
The System and Organization Controls (SOC) 3 report demonstrates how Rubrik meets specific controls and objectives in accordance with the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria. It is a general use report for users needing assurance about Rubrik’s controls and practices and for those who do not have use for a SOC 2 report.
Swiss-U.S. Privacy Shield Certification
Rubrik is certified with the Swiss-U.S. Privacy Shield framework and is listed on the Department of Commerce’s list of self-certified Privacy Shield participants. Learn more about Privacy Shield here.
Privacy Policy
Learn more about Rubrik’s privacy practices here.
Rubrik’s compliance certifications and attestations are available under NDA. Please reach out to compliance@rubrik.com for more information about Rubrik products and services, including questions regarding Rubrik’s compliance certifications and program.
Security Culture
Security Team
We have a dedicated, globally distributed security team that focuses on product and enterprise security capabilities such as secure product development and testing, cloud security, endpoint, user and communications security, vulnerability management, incident management, security culture and training, secure logging and monitoring, security governance, security risk management, vendor risk management, and identity and access management.
Security Awareness
Policies
Rubrik has developed a set of security policies covering a broad range of topics relevant to Rubrik’s operating environment. In addition to requiring users to acknowledge understanding of these policies through mandated annual training, they are made available on our intranet to all employees and contractors with access to Rubrik information assets.
Training
All employees and contractors (with access to Rubrik information assets) are required to complete security awareness training upon hire and annually thereafter. Our product security team conducts bimonthly seminars to train engineers on product updates and related security topics. We run regular phishing campaigns across the company and provide customized role-based training and in-the-moment nano training to relevant users based on identified risk factors. We also have an executive-sponsored security campaign called #notonmywatch to actively improve security culture and instill positive security behaviors across Rubrik.
Product Security & Testing
Secure Product Development
Rubrik engineers follow secure code practices that span OWASP Top 10 security risks, common attack vectors and Rubrik security controls. Rubrik leverages secure open-source frameworks with security controls in place to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among other risks.
Quality Assurance
We have a team responsible for conducting quality assurance (QA) and maintaining systems needed for testing. Application security engineers on staff identify, test and triage security vulnerabilities in code.
Testing and staging environments are logically separated from the production environment. Customer data is not used in our development or test environments; such data resides in customer-owned on-premises or virtual data centers (e.g., cloud deployments).
Vulnerability Management
We employ security tooling to continuously and dynamically scan our products and related infrastructure against common security vulnerabilities. We maintain a dedicated in-house product security team to continuously test and drive remediation of any discovered issues based on internally defined service level agreements (SLAs). The source code repositories for our platform are also scanned for security issues.
Independent Security / Penetration Testing
In addition to our internal vulnerability management and security testing program, Rubrik employs independent, third-party security experts to perform penetration tests prior to general availability (GA) of major product releases.
Encryption
Encryption in Transit
All communications with Rubrik UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2+) over public networks. This ensures that all traffic between customer environments and Rubrik is secure during transit.
Encryption at Rest
Our product offerings support AES-256 key encryption.
Operations Security
Data Center Security
Rubrik hosts internal engineering and product development servers at a co-location service provider with state-of-the-art physical security measures. The co-location provider maintains high SLAs for availability, redundancy, and disaster recovery to support our business continuity plans.
Rubrik uses third-party SaaS services and co-location data services providers to manage our IT operations. Our HR systems, email and calendaring, internal communications, requirements and ticketing management systems use best-of-breed SaaS services. These services offer more than requisite SLAs for availability, reliability and security.
On-Site Security
On-site security at our core working sites (including HQ) includes a number of features such as security guards, badging, cameras, fencing, security feeds, intrusion detection technology, and other security measures.
Network Security
Protection
Our network is protected through the use of next-generation firewalls and advanced malware protection. In addition, we use best-of-breed tools for SaaS- and endpoint-based malware prevention.
Intrusion Detection and Prevention
Our intrusion detection tool provides vulnerability protection, network anti-malware, and anti-spyware that scans all traffic for threats. The threat prevention service looks for threats at all points within the cyber attack lifecycle, not just when a threat first enters the network, thus providing a layered, zero-trust defense with prevention at every stage.
Security Monitoring and Alerting
Rubrik has security capabilities in place to detect data exfiltration through Rubrik-provided laptops, workstations, and cloud environments. We also monitor our on-prem and multi-cloud environments 24x7 to detect security threats and to investigate and respond to security events and incidents. In addition to capabilities such as log storage, search, and indexing, our SIEM solution supports threat detection, monitoring and response, threat hunting, machine learning, and digital forensics.
Logical Access
Access to Rubrik’s production environment is restricted on an explicit need-to-know basis, utilizes least privilege, and is frequently audited and monitored. Employees accessing the Rubrik production network are required to use multiple factors of authentication.
Security Incident Response
In case of a system alert, events are escalated to our 24/7 teams that provide operations, network engineering, and security coverage. Employees are trained on security incident reporting and response processes, including communication channels and escalation paths. In case of a Rubrik related security incident, customers should contact security@rubrik.com.
Availability & Continuity
Uptime
Rubrik is currently working on a publicly available system-status webpage, which includes system availability details, scheduled maintenance, service incident history and relevant security events.
Business Continuity and Disaster Recovery
Rubrik’s business continuity and disaster recovery program is designed to address the risks when Rubrik services are unavailable. Business continuity and disaster recovery plans are reviewed annually and are periodically tested through tabletop tests, functional tests, or actual incidents. Rubrik also leverages leading providers that provide systems and services with high availability and redundancy.
Resources
Cloud Data Management (CDM) data sheet
Get a brief overview of the security capabilities of the CDM product, and the various security measures that we undertake to secure the underlying infrastructure.
Rubrik Polaris data sheet
Get a brief overview of the security capabilities of the Rubrik Polaris SaaS product, and the various security measures that we undertake to secure the underlying infrastructure.
M365 Whitepaper
Get a brief overview of Rubrik’s Microsoft 365 data management offering, which provides information on protecting Microsoft 365 and its functionality.