Rocket Software, Inc., and its affiliates (“Rocket Software”) are committed to protecting the information of its customers and preventing unauthorized disclosure, use, modification, or access to such information stored within Rocket Software services. We recognize the importance of appropriate information security policies and procedures to protect the security of customer data. We maintain an enterprise-level holistic Cybersecurity program for Rocket Software’s IT and infrastructure. This page describes Rocket Software’s Security Program (policies, procedures, and technologies) and summarizes the controls embodied in the program, including some specific information concerning encryption, access control, and authentication. This program is based on several leading industry security standards and frameworks, such as those of the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST).

Our Certifications

Rocket Software’s security program is reviewed annually and consistently through a combination of internal and external audit activities. We maintain several certifications of compliance to attest to the overall health and resiliency of our security program. Documentation of certification can be delivered upon request.

Rocket Software’s policies and program are backed up by our ISO 27001 certification as the result of audits performed by an accredited, independent, third-party audit firm. In addition to this, our secure coding program follows the ISO 20243 standard.

Our SaaS products maintain a Type II SOC 1 to attest to the rigid security processes we have in place to protect our customers’ data. Various Rocket Software products throughout the organization also go through an annual Type I SOC 2.

Rocket Software, Inc. has obtained Trusted Information Security Assessment Exchange (TISAX) certification, which confirms that our company’s information security management systems comply with industry-defined security levels. TISAX is an assessment and exchange mechanism for information security in the automotive industry.

Controls follow the NIST Cybersecurity Framework to NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations.

Product Security in Rocket

Product Security controls are of utmost importance at Rocket Software, Inc. Our software development lifecycle embeds security through every iteration. We incorporate the use of static and dynamic testing and open-source analysis tools.

Our product security controls follow the Supply-chain Levels for Software Artifacts, or SLSA ("salsa"), framework. This framework includes standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure.

Technical Vulnerability Management

An established vulnerability management process is documented and regularly reviewed based on business and information security requirements.

Detection, prevention, and recovery controls to protect against malware are implemented, combined with appropriate user awareness.

External penetration testing is performed annually or when significant changes are made.

A Vulnerability Disclosure Policy is in place. More information can be found in the Vulnerability Disclosure Program.

Data Protection

By “customer information,” we are referring to information and data we receive, process, store, or transmit as part of our services to customers on-premises and through our SaaS-based products or a partner when delivering a Rocket Software online service to a customer, or information and data customers otherwise provide to Rocket Software for the purposes of support and professional services engagements. We limit the use of personal information when possible and comply with privacy regulations.

Rocket Software protects customer information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction by applying industry standard safeguards to implement the control objectives described in the Rocket Software Security Program.

Encryption

All data sent or received via Rocket Software services is transmitted over an encrypted Transport Layer Security (TLS) connection by default for both internal and external destinations. Encryption algorithms and key lengths will be consistent with Rocket Software’s policies on encryption.

Data Transfer Controls

Data transfer controls ensure that any customer information cannot be read, copied, altered, or removed without authorization during transport (electronically or physically). Information transferred is appropriately protected and encrypted.

Enterprise-wide Security Controls at Rocket

Rocket Software has implemented enterprise-wide security policies, procedures, and practices to manage and mitigate security risks across all its operations and functions. These controls are designed to ensure compliance with regulations, protect assets, maintain data integrity, and achieve operational efficiency throughout the organization.

Incident Management

Rocket Software maintains and implements procedures to facilitate timely, effective, and orderly reporting and response to suspected or known information security incidents or breaches. In accordance with industry practice, we aim to provide prompt notification, within 48 hours at the latest. An established incident management policy and a corresponding incident management process are documented, regularly reviewed, and assessed based on business and information security requirements. A dedicated Cybersecurity Incident Response Plan is also in place.

Business Continuity and Disaster Recovery

Rocket Software maintains and periodically tests disaster recovery and business continuity plans and procedures for responding to man-made threats and natural disasters that could damage or disrupt systems that contain customer information or make services and customer support unavailable.

Physical and Environmental Security

Rocket Software uses a variety of industry-leading third-party data hosting and colocation companies to provide services. These data centers maintain infrastructure in secured zones in accordance with the service providers’ physical security control standards. Our services leverage scalable, high-performance, and high-resilience data centers with infrastructure protected from physical intrusion, loss, theft, damage, and anticipated natural disasters, such as floods and storms.

Access Control and Authentication

Rocket Software limits access to customer information. Workers with trusted roles are given access to customer information only to perform their job responsibilities. Members of Rocket Software’s workforce with limited access to customer information include personnel that provide customer support or professional services.

Network Security

Rocket Software uses appropriate hardware and software, in accordance with its technical standards, to protect its networks against intrusion and data loss.

Cloud Security

Rocket Software currently uses a variety of industry-leading third-party hosting and colocation facilities as providers of storage and platform services. Our hosting and colocation providers have been certified as meeting the requirements under ISO 27001, SSAE 16 SOC 1 / ISAE 3402 (SAS 70/Type II) and SOC 2.

Artificial Intelligence (AI) Governance Board

The AI Governance Board oversees the ethical and responsible development and use of AI systems across the organization. The board ensures alignment with Rocket Software's AI Principles, applicable laws and regulations, and AI best practices.

Contact Information

If you would like to discuss this security statement or provide us with feedback, questions, or concerns about our security statement, please contact us by email at [email protected]. You may also write us at:

Rocket Software, Inc.  
77 Fourth Avenue, Suite 100  
Waltham, Massachusetts 02451  
Attn: Information Security

If you have a complaint about our customer information security practices, you may submit a complaint to us at the above contact information. Our security and compliance team will investigate your complaint and provide a response. You will need to provide sufficient information for us to evaluate your complaint and we may ask you to provide additional information as a condition of evaluation.