Data Governance
What data does Rockhopper store?
Understanding exactly what data Rockhopper holds is important for any security evaluation. Here's a clear breakdown:
Data Rockhopper stores
User profile
Name and email address (sourced from Microsoft or Google account)
Identify users, display names, enable @mentions
Team membership
Which users belong to which teams, and their roles
Access control and collaboration
File metadata
File names, drive/file IDs, enrollment timestamps
Track which files are managed by Rockhopper
Version snapshots
Point-in-time copies of enrolled spreadsheets
Enable version comparison and revert
Change records
Which cells changed, old/new values, who made the change, when
Change tracking and audit trail
Comments
Comment text, author, timestamps, version associations
Team collaboration
Review records
Review requests, reviewer assignments, approval status
Formal review workflow
Activity logs
Who did what and when (audit trail)
SOC 2 compliance and traceability
Data Rockhopper does NOT store
User passwords or credentials — Authentication is fully delegated to Microsoft or Google
Email, calendar, or contacts — Rockhopper only accesses files, not other Microsoft 365 or Google Workspace data
Spreadsheet contents beyond change tracking — Rockhopper does not index, search, or analyze the contents of your files
Data classification
Rockhopper classifies all data into three tiers to ensure appropriate handling, storage, and access controls:
Sensitive
The most restricted data, with access strictly limited
Passwords, encryption keys, authentication tokens
Confidential
Business information intended for use solely by Rockhopper and/or its customers
Personally identifiable information (PII), customer financial data, audit reports
Public
Information that does not fit into the above classifications
Marketing content, published documentation
Each tier has specific requirements for storage, transmission, access control, and disposal. The classification policy is reviewed annually by management.
Non-production environments
Customer data is prohibited from use in development and test environments by policy. Production and non-production environments are segregated at the network level, and all production data is sanitized before any use in non-production contexts.
Data retention
Data is maintained for the duration of the contractual agreement with your organization:
Version snapshots are retained indefinitely (including discarded and reverted versions) to preserve the audit trail
Comments and reviews are retained for the life of the file
User accounts persist until the organization requests removal
At the end of a contract, all data associated with your organization is purged.
Data export
You can request a full export of your organization's data at any time. Contact [email protected] and we'll provide the export within one week.
Data deletion
Rockhopper can perform a complete purge of specified accounts or data upon request. Contact [email protected] to initiate. After an export is provided, all associated data is purged within 24 hours.
Secure disposal
When data reaches the end of its retention period or is no longer required, Rockhopper securely disposes of it using industry-accepted methods for secure deletion. All disposal actions are tracked through a ticketing system to maintain a documented chain of custody.
Personal data protection
Rockhopper collects only the personal information necessary for operation — names and email addresses from your identity provider. The platform does not collect or store personal data outside this scope.
Last updated