At Rubrik, we care about you - Our Customer
To succeed and earn your trust, we need to meet your expectations every single day, with every interaction. We also know that trust starts with security and transparency. This page will help you find information on Rubrik's security, privacy and compliance practices.
Compliance & Privacy
Rubrik Multi-Cloud Data Control™ products and services are regularly and independently verified against industry-leading compliance, privacy, and security standards to help support your organization’s compliance needs. Learn more about Rubrik’s Compliance program by navigating to https://www.rubrik.com/compliance-program.
Rubrik’s compliance certifications and attestations are available under NDA. Please reach out to your Rubrik representative to get access to these reports. Kindly reach out to firstname.lastname@example.org for more information about Rubrik’s compliance certifications and programs.
Under the leadership of the CISO, Rubrik maintains a dedicated, globally distributed security team that focuses on product and enterprise security capabilities such as secure product development and testing, cloud security, endpoint, user and communications security, vulnerability management, incident management, security culture and training, secure logging and monitoring, security governance, security risk management, supplier risk management, and identity and access management.
Background checks are performed upon hire for all Rubrik employees based in the U.S and some other countries based on allowed local laws. Rubrik employees are required to sign confidentiality agreements upon hire.
Rubrik has developed a set of security policies covering a broad range of topics relevant to Rubrik’s operating environment based on ISO 27001. In addition to requiring users to acknowledge understanding of these policies upon hire, and through mandated annual training, they are made available on the intranet to all employees and contractors with access to Rubrik information assets.
All employees and contractors with access to Rubrik information assets are required to complete security and privacy awareness training, upon hire and annually thereafter. Rubrik conducts regular phishing campaigns across the company, providing customized role-based training and in-the-moment nano training to relevant users across the company based on identified risk factors.
Product Security & Testing
Secure Product Development
Rubrik secure SDLC spans four stages in the product development lifecycle which includes secure design, secure coding, secure testing and secure release. The Software Development Lifecycle Policy dictates delivery, review and merge processes to minimize rollbacks, downtime, design flaws and security incidents.
Rubrik engineers follow secure code practices that span OWASP Top 10 security risks, common attack vectors and Rubrik security controls. Rubrik leverages secure open-source frameworks with security controls in place to limit exposure to OWASP Top 10 security risks. These inherent controls reduce Rubrik’s exposure to injections, broken authentication and session management, cross-site scripting (XSS), insecure direct object references, missing function level access control, cross-site request forgery (CSRF), unvalidated redirects and forwards among other risks
Rubrik has a team responsible for conducting quality assurance (QA) and maintaining systems needed for testing. Application security engineers on staff identify, test and triage security vulnerabilities in code. Testing and staging environments are logically separated from the production environment. Customer data is not used in Rubrik’s development or test environments (e.g., cloud deployments).
Rubrik employs security tooling to continuously and dynamically scan their products and related infrastructure against common security vulnerabilities. Rubrik maintains a dedicated in-house product security team to continuously test and drive remediation of any discovered issues based on internally defined service level agreements (SLAs). The source code repositories for Rubrik platforms are also scanned for security issues.
Rubrik recommends that security researchers share the details of any suspected vulnerabilities across any asset owned, controlled, or operated by Rubrik, Inc. (or that would reasonably impact the security of Rubrik, Inc. and our users) using the web form below. The Rubrik, Inc. Security team will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution. You can find Rubrik's Vulnerability Disclosure Policy here: https://www.rubrik.com/contact-us/responsible-disclosure-policy
Independent Security / Penetration Testing
In addition to the internal vulnerability management and security testing program, independent third-party penetration testers perform application penetration tests prior to general availability (GA) of major product releases which covers OWASP Top 10 and threat modeling of new product features.
Encryption in Transit
All communications with Rubrik UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2+) over public networks. This ensures that all traffic between customer environments and Rubrik is secure during transit.
Encryption at Rest
Rubrik product offerings support AES-256 key encryption.
Data Center Security
Rubrik hosts internal engineering and product development servers at a co-location service provider with state-of-the-art physical security measures. The co-location provider maintains high SLAs for availability, redundancy, and disaster recovery to support Rubrik’s business continuity plans. Rubrik relies on third party suppliers, such as Microsoft Azure and Google Cloud Platform, for physical security and management of the facilities used in providing services. For information about some of Rubrik's cloud providers Platform's physical security measures, please see these pages for more information:
Rubrik uses third-party SaaS services and co-location data services providers to manage Rubrik’s IT operations. Rubrik’s HR systems, email and calendaring, internal communications, requirements and ticketing management systems use best-of-breed SaaS services. These services offer more than requisite SLAs for availability, reliability and security.
On-site security at Rubrik’s core working sites (including HQ) includes a number of features such as security guards, badging, cameras, fencing, security feeds, intrusion detection technology, and other security measures.
Rubrik evaluates suppliers & subcontractors through an established supplier security risk management program. Suppliers are reviewed through Rubrik's Procurement and Supplier Security process, which assesses suppliers based on the criticality of the services they provide. Suppliers are reviewed on an annual basis, and are evaluated for adherence to standards and terms, as described in the contract, which may also include signing Data Processing Addendums.
Rubrik works with multiple third parties to provide the Support and SaaS Services. Information about our sub-processors can be found at https://www.rubrik.com/en/legal/rubrik-subprocessors.
Rubrik’s architecture consists of multiple layers of data security including a DMZ, bastion hosts, and IPtables. The network is protected through the use of firewalls and advanced malware protection. Rubrik also leverages security tooling for SaaS and endpoint based malware prevention. Rubrik’s site reliability, support and engineering teams are globally distributed for 24/7/365 coverage.
Intrusion Detection and Prevention
Rubrik’s intrusion detection tool provides vulnerability protection, network anti-malware and anti-spyware that scans network traffic for threats. The threat prevention service looks for threats at all points within the cyber attack lifecycle, not just when it first enters the network, thus providing a layered defense, zero trust model with prevention at all points.
Security Monitoring and Alerting
Rubrik has security capabilities in place to detect data exfiltration through Rubrik provided laptops, workstations and cloud environments. Rubrik also monitors the on-prem and multi-cloud environment 24x7, detects security threats, investigates and responds to security events and incidents. In addition to capabilities such as log storage, search and indexing, Rubrik’s SIEM solution supports threat detection, monitoring and response, threat hunting, machine learning and digital forensics.
Access to Rubrik’s production environment is restricted on an explicit need-to-know basis, utilizes least privilege, and is logged and monitored. Employees accessing the Rubrik production network are required to use multi-factor authentication. All access to critical applications sit behind SSO with MFA enabled.
Security Incident Response
Rubrik’s Security Incident Response Team (SIRT) is responsible for responding to security incidents. SIRT manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to our products and networks.
In case of a system alert, events are escalated to Rubrik’s 24/7 teams that provide operations, network engineering, and security coverage. Employees are trained on security incident reporting and response processes, including communication channels and escalation paths. In case of a Rubrik related security incident, customers should contact email@example.com.
Availability & Continuity
Uptime/ System Status
Rubrik recognizes the importance of visibility that Rubrik’s customers expect in the system availability, scheduled maintenance, and overall reliability of Rubrik SaaS products. Navigate to status.rubrik.com to get a view into the current system status as well as the historic system up time of the Rubrik SaaS production.
Business Continuity and Disaster Recovery
Rubrik’s business continuity and disaster recovery program is designed to address the risks when Rubrik services are unavailable. Business continuity and disaster recovery plans are reviewed annually and are periodically tested through tabletop tests, functional tests, or actual incidents. Rubrik also leverages leading providers that provide systems and services with high availability and redundancy.
For Rubrik products, which are hosted and managed by customers, Rubrik does not manage or control the use of the products and as such, does not provide a RPO or RTO of the services. For Rubrik products and services that are fully hosted and managed by Rubrik, Rubrik does not provide specific RTO or RPO timelines, but provide service SLAs instead.