Security Compliance Program
    Article summary

    A security compliance program is a structured approach implemented by organizations to ensure adherence to relevant laws, regulations, standards, and best practices related to information security and privacy. Rocket.Chat is committed to maintaining the highest standards of information security and regulatory compliance and understands that such programs are essential for safeguarding sensitive data, protecting systems and networks from cyber threats, and maintaining the trust of customers, partners, and stakeholders.

    Roles and responsibilities

    The security compliance program is primarily the responsibility of our Governance, Risk, and Compliance (GRC) team. They oversee the development, implementation, and monitoring of policies and procedures to ensure compliance with relevant regulations and standards. They also work closely with executive leadership to align security initiatives with business goals and priorities.

    Additionally, successful adherence to the security compliance program requires collaboration and assistance from various departments:

    • The security team contributes expertise in implementing technical controls and addressing specific security threats.

    • The engineering and SRE teams ensure that security measures are integrated into the development and maintenance of our systems and infrastructure.

    • The executive team provides strategic direction, resources, and support for security initiatives, ensuring that security is integrated into the organization's overall business strategy and objectives.

    • Legal provides guidance on regulatory requirements, privacy laws, and contractual obligations.

    • The people team plays a vital role in promoting a culture of security awareness and accountability among employees through training, communication, and policy enforcement.

    • All employees are responsible for adhering to security policies and procedures, reporting potential risks or incidents, and actively participating in training and awareness programs.

    Security compliance program

    The key components taken into consideration by Rocket.Chat are the following:

    Compliance framework

    The company has adopted the ISO 27001 framework, which is an internationally recognized standard for information security management systems (ISMS). This framework provides a systematic approach for managing and protecting sensitive information assets.

    Policies and sub-policies

    A comprehensive security policy is in place, complemented by sub-policies that address specific security topics such as access control, vulnerability management, data protection, incident response, business continuity, and more. These sub-policies provide detailed guidance on implementing best practices in various areas of information security.

    Operational procedures

    In addition to our security policies, Rocket.Chat maintains operational procedures documentation for its main processes. This includes procedures, runbooks, and playbooks to provide clear guidance and instructions for our teams, ensuring consistency and effectiveness in our operations.

    Internal controls

    The company has adopted an internal controls policy to establish and maintain effective information security controls that safeguard the confidentiality, integrity, and availability of Rocket.Chat's assets and operations. The policy also describes the mechanisms for implementing and monitoring controls so that the effectiveness of the information security management system can be verified. It covers areas such as access controls, data protection, incident response, and business continuity planning.

    Risk assessment and management

    The company conducts regular risk assessments to identify potential threats and vulnerabilities to its information assets. Based on the results of these assessments, appropriate risk mitigation measures are implemented to minimize the likelihood and impact of security incidents.

    Annual internal audit

    Rocket.Chat conducts annual internal audits to assess the effectiveness of its security controls, policies, and procedures in accordance with the ISO 27001 standard. These audits are performed to evaluate the company's compliance with established security requirements, identify areas for improvement, and recommend corrective actions as needed.

    Vendor management

    Thorough assessments of our vendors and service providers are conducted to ensure they meet our security standards and adhere to applicable regulations, mitigating risks associated with third-party relationships.

    Continuous improvement

    The company is committed to continuous improvement of its information security practices and processes. Findings from internal audits are used to identify opportunities for enhancement, and corrective actions are implemented to address any deficiencies or non-conformities identified during the audit process.

    Employee training and awareness

    Rocket.Chat provides regular training and awareness programs to educate employees about security policies, procedures, and best practices. Employees are encouraged to promptly report any security incidents or concerns, fostering a culture of security awareness throughout the organization.

    Documentation and record-keeping

    The company maintains thorough documentation of its security policies, internal controls, audit findings, and corrective actions taken. This documentation serves as evidence of compliance with ISO 27001 requirements and facilitates transparency and accountability in security governance.

    Certification pursuit strategy

    Rocket.Chat actively strategizes and pursues certifications that align with our business objectives and provide tangible benefits and the utmost credibility and assurance regarding the security and quality of our products and services. We remain vigilant in assessing the evolving landscape of certifications and their relevance to our industry and customer needs. Rocket.Chat certifications are available on the Compliance Resources page.

    Contact us

    To communicate with our compliance team, please email [email protected].
