| description |
|---|
This page outlines the key elements of Rocket.Chat's compliance program. |
A security compliance program is a structured approach implemented by organizations to ensure adherence to relevant laws, regulations, standards, and best practices related to information security and privacy. Rocket.Chat is committed to maintaining the highest standards of information security and regulatory compliance amd understand that such programs are essential for safeguarding sensitive data, protecting systems and networks from cyber threats, and maintaining the trust of customers, partners, and stakeholders.
The security compliance program primarily falls under the responsibility of our Governance, Risk, and Compliance (GRC) team, who oversee the development, implementation, and monitoring of policies and procedures to ensure compliance with relevant regulations and standards. They work closely with executive leadership to align security initiatives with business goals and priorities.
Additionally, successful adherence to the security compliance program requires collaboration and assistance from various departments:
- The security team contributes expertise in implementing technical controls and addressing specific security threats.
- The engineering and SRE teams ensure that security measures are integrated into the development and maintenance of our systems and infrastructure.
- The executive team provides strategic direction, resources and support for security initiatives, ensuring that security is integrated into the organization's overall business strategy and objectives.
- Legal provides guidance on regulatory requirements, privacy laws, and contractual obligations.
- The people team plays a vital role in promoting a culture of security awareness and accountability among employees through training, communication, and policy enforcement.
- Ultimately, all employees are responsible for adhering to security policies and procedures, reporting potential risks or incidents, and actively participating in training and awareness programs.
The key components taken into consideration by Rocket.Chat are the following:
The company has adopted the ISO 27001 framework, which is an internationally recognized standard for information security management systems (ISMS). This framework provides a systematic approach for managing and protecting sensitive information assets.
A comprehensive security policy is in place, complemented by sub-policies that address specific security topics such as access control, vulnerability management, data protection, incident reponse, business continuity and more. These sub-policies provide detailed guidance on implementing best practices in various areas of information security.
In addition to our security policies, Rocket.Chat maintains operational procedures documentation for its main processes. This includes procedures, runbooks, and playbooks to provide clear guidance and instructions for our teams, ensuring consistency and effectiveness in our operations.
The company has established an internal controls policy to establish and maintain effective information security controls that safeguard the confidentiality, integrity, and availability of Rocket.Chat’s assets and operations. Describing also the mechanisms for implementing and monitoring controls to ensure the effectiveness of the information security management system. This policy covers areas such as access controls, data protection, incident response, and business continuity planning.
The company conducts regular risk assessments to identify potential threats and vulnerabilities to its information assets. Based on the results of these assessments, appropriate risk mitigation measures are implemented to minimize the likelihood and impact of security incidents.
Rocket.Chat conducts annual internal audits to assess the effectiveness of its security controls, policies, and procedures in accordance with the ISO 27001 standard. These audits are performed to evaluate the company's compliance with established security requirements, identify areas for improvement, and recommend corrective actions as needed.
Thorough assessments of our vendors and service providers are conducted to ensure they meet our security standards and adhere to applicable regulations, mitigating risks associated with third-party relationships.
The company is committed to continuous improvement of its information security practices and processes. Findings from internal audits are used to identify opportunities for enhancement, and corrective actions are implemented to address any deficiencies or non-conformities identified during the audit process.
Rocket.Chat provides regular training and awareness programs to educate employees about security policies, procedures, and best practices. Employees are encouraged to report any security incidents or concerns promptly, fostering a culture of security awareness throughout the organization.
The company maintains thorough documentation of its security policies, internal controls, audit findings, and corrective actions taken. This documentation serves as evidence of compliance with ISO 27001 requirements and facilitates transparency and accountability in security governance.
Rocket.Chat actively strategize and pursue certifications that align with our business objectives and provide tangible benefits and the utmost credibility and assurance regarding the security and quality of our products and services. We remain vigilant in assessing the evolving landscape of certifications and their relevance to our industry and customer needs. Rocket.Chat certifications are available at Compliance Resources page.
To communicate with our compliance team, please email [email protected] .