June 2021

Rocket Software, Inc. and its subsidiaries (“Rocket Software”) are committed to protecting the information of its customers and preventing unauthorized disclosure, use, modification, or access to such information stored within Rocket Software services. We recognize the importance of appropriate information security policies and procedures to protect the security of customer data. This document describes Rocket Software’s Security Program (policies, procedures, and technologies) and summarizes the controls embodied in the program, including some specific information concerning encryption, access control, and authentication.

Rocket Software maintains different types of documentation in support of its security program such as:

  • Policies, including the Rocket Software Security Program, which are statements regarding Rocket Software’s commitment to certain goals and statements of high-level security requirements
  • Procedures, which are documented methods showing how Rocket Software meets the requirements set in policies and provides for auditability
  • Standards, which detail the specifications for the technology or facilities that Rocket Software uses to prevent, discover, mitigate, and predict security incidents
  • Guidelines and other training materials, which provide information to educate workers and users about following the program to meet our customers’ and partners’ expectations
  • An ISO27001 certification attesting to the soundness and resiliency of the Information Security Management System
  • A Type II SOC 1 for our SaaS products
  • A Type I SOC 2 for various other products

By “customer information,” we are referring to information and data we receive, process, create, store, or transmit on behalf of a customer or partner when delivering a Rocket Software online service to a customer, or information and data customers otherwise provide to Rocket Software for the purposes of support and professional services engagements. Rocket limits the use of personally identifiable data when possible and complies with privacy regulations.

Rocket Software protects customer information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction by employing industry standard safeguards to implement the control objectives described in the Rocket Software Security Program. More specifically, Rocket Software intends to maintain reasonable and appropriate administrative, physical, and technical safeguards to:

  • Provide assurances of the integrity and confidentiality of customer information
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of customer information, and unauthorized uses or disclosures of customer information
  • Maintain compliance with the legal framework of requirements for the privacy and security of customer information

Administrative safeguards

Rocket Software maintains and periodically will update the Rocket Software Security Program and associated documentation described above to govern the security of its services.

Rocket Software trains its employees, contractors and - as applicable, vendors with access to customer information - to understand and comply with the security program and associated documentation.

Rocket Software regularly assesses threats to confidentiality, integrity, and availability of customer information; managing such risks by implementing safeguards that are reasonable and appropriate.

Rocket Software has designated a Chief Information Security Officer to be the single individual to be the primary coordinator of, and accountable for, information security within the company. Rocket Software has established security-relevant roles and responsibilities and holds its personnel accountable for performing them. Such accountability includes imposing consequences for violations of security policies and procedures up to and including termination.

Rocket Software uses appropriate agreements with members of its workforce and service providers acting as subcontractors in order to require them to protect the confidentiality of customer information. Under such agreements, Rocket Software requires any workers or service providers receiving customer information to maintain security controls over such customer information consistent with this security statement.

Rocket Software maintains policies concerning the acceptable uses of computing devices and media used to collect, use, store, archive, and dispose of customer information. With this, removable media such as USB attached storage are prohibited on the Rocket network.

Members of the Rocket Software workforce with access to customer information have trusted roles within the company. Rocket Software implements screening procedures to provide assurances that workers hired to carry out trusted roles are trustworthy and competent for the roles they perform.

Rocket Software limits access to customer information. Workers with trusted roles are given access to customer information only to perform their job responsibilities. Members of Rocket Software’s workforce with limited access to customer information include personnel that provide customer support or professional services. On, at least, an annual basis, a review and attestation of access levels is performed.

Rocket Software maintains a program of security awareness and training for its workforce. Such training is required for all employees and contractors at least annually. In addition to this training, Rocket utilizes an automated phishing service for verifying the effectiveness of the training and awareness program.

Rocket Software maintains termination procedures so that upon termination of a worker or service provider, Rocket Software will promptly remove all rights to access customer information, and obtain the return of assets that contain customer information.

Through appropriate agreements and management oversight, Rocket Software oversees the security of activities undertaken by service providers on behalf of Rocket Software. Rocket Software currently uses a variety of industry-leading third-party hosting and colocation facilities as providers of storage and platform services. Our hosting and colocation providers have been certified as meeting the requirements under ISO 27001, as well as SSAE 16 SOC 1 / ISAE 3402 (SAS 70/Type II) and SOC 2.

Rocket Software will maintain and implement procedures to facilitate timely, effective, and orderly reporting and response to suspected or known information security incidents or breaches.

Rocket Software will maintain and periodically test disaster recovery and business continuity plans and procedures for responding to man-made threats and natural disasters that could damage systems that contain customer information or make unavailable services and customer support.

Rocket Software will audit or otherwise assess the security of Rocket Software’s information systems containing customer information on a regular basis and check for compliance with the Security Policy, procedures implemented pursuant to the Security Policy, and technical standards.

Physical and environmental controls

As mentioned above, Rocket Software uses a variety of industry-leading third-party data hosting and colocation companies to provide services. These data centers maintain infrastructure in secured zones in accordance with the service providers’ physical security control standards. Our services leverage scalable, high-performance, and high resilience data centers with infrastructure protected from physical intrusion, loss, theft, damage, and reasonably anticipated natural disasters, such as floods and storms.

Rocket Software’s offices, in which personnel may access customer information using their workstations and computing devices are protected by physical security barriers as well as alarms backed by third-party security services, in accordance with Rocket Software’s Security Program. Rocket Software trains its workers to prevent the theft or loss of computers, mobile devices, and media holding customer information, as well as unauthorized access to such devices and media.

Rocket Software maintains and enforces procedures and technical standards for the secure deletion of customer information from servers, computers, mobile devices, and media before it disposes of them or otherwise repurposes them – regardless of location (Rocket Software office, third-party hosting, or colocation data center).

Compliance controls

Rocket Software maintains various certifications of compliance to attest to the overall health and resiliency of our security program. Rocket’s policies and program are backed up by our ISO 27001 certification as the result of audits performed by an accredited, independent, third-party audit firm. In addition to this, our secure coding program follows the ISO 20243 standard. Our SaaS products maintain a Type II SOC 1 to attest to the rigid security processes we have in place to protect our customer’s data. Various Rocket products throughout the organization also go through an annual Type I SOC 2. Our security program is rooted in the best practices from various NIST frameworks.

Technical security controls

Rocket Software maintains technical standards and procedures for hardware and software procurement and operations to minimize the risk of malicious software. Rocket Software will also use software and maintain procedures to prevent, detect, and recover from security incidents involving malicious software. Rocket Software’s security awareness and training also covers these procedures.

Rocket Software maintains controls used to update system and application software.

Rocket Software uses appropriate hardware and software, in accordance with its technical standards, to protect its networks against intrusion and data loss.

Rocket Software maintains the capability for its systems collecting, using, storing, and archiving customer information to produce and maintain audit logs of user activities, exceptions, and information security-relevant events.

Rocket Software maintains reasonable and appropriate access control and authentication safeguards to control access to customer information. These safeguards provide assurances that only those Rocket Software personnel given access to customer information by management can access such data. Information processing facilities will authenticate users seeking to obtain access to customer information in accordance with the procedures and technical mechanisms consistent with Rocket Software’s authentication procedures and technical standards.

Rocket Software’s services permit customers to control access to customer information by its users. Data in Rocket Software services are protected by permissions that can be set on a user-by-user basis. Rocket Software services have built-in integration with SAML-based SaaS Single Sign On (SSO) services replacing the traditional password-based authentication when logging into the Rocket Software services for administration and management.

Rocket Software maintains technical specifications for technology and will maintain procedures to provide assurances of the integrity of customer information over time to maintain the data’s reliability and authenticity. Such technology and procedures will be used to protect customer information from undetected alteration, corruption, loss, or destruction.

All data sent / received via Rocket Software services is through an encrypted transport layer security by default for both internal and external destinations. Where encrypted transport is not default and requires additional configuration for the customer, encrypted transport is optional. Encryption algorithms and key lengths will be consistent with Rocket Software’s policies on encryption:

  • We use TLS/SSL sessions to secure its data transmissions by default
  • The default certificates for these sessions have RSA-2048 keys, use SHA-256 digests, and facilitate AES-256 symmetric key encryption

In addition to encryption of data in transit, Rocket Software services also require encryption of all data at rest.

Although we provide our services on a centralized basis to allow our customers to share our infrastructure, the Rocket Software services keep each customer’s information separate from the customer information of every other customer by our implemented access control policies. Our security controls provide assurances against unauthorized access to customers’ accounts, whether by those who do not use the Rocket Software services or other Rocket Software customers.

Rocket Software manages the security lifecycle of the application supporting the Rocket Software Services and all other developed software in order to prevent, detect, and correct security weaknesses.

Contact information and resolving disputes

If you would like to discuss this security statement or provide us with feedback, questions, or concerns about our security statement, please contact us by email at [email protected].  You may also write us at:

Rocket Software, Inc.
77 Fourth Avenue, Suite 100
Waltham, Massachusetts 02451
Attn: Information Security

If you have a complaint about our customer information security practices, you may submit a complaint to us at the above contact information. Our security and compliance team will investigate your complaint and provide a response. You will need to provide sufficient information for us to evaluate your complaint and we may ask you to provide additional information as a condition of evaluation.

Rocket Software Vulnerability Disclosure Policy.

Changes to this security statement

We reserve the right to make changes to this security statement from time to time. If we make a change to the security statement, we will post a new copy of it on our website. Your continued use of the Rocket Software services after such notification indicates your continued agreement to the terms of this security statement as amended. Please review this security statement to review the latest information about our security practices for handling customer information.