# Trust & Verification

This page summarizes the independent assessments, formal policies, and security programs that govern how Rockhopper protects your data. It is intended for IT and security professionals conducting vendor due diligence.

## SOC 2 Type II attestation

Rockhopper has completed a SOC 2 Type II examination covering the **Security** and **Confidentiality** trust service categories.

| Detail                       | Value                                                              |
| ---------------------------- | ------------------------------------------------------------------ |
| **Auditor**                  | Laika Compliance LLC (Arlington, Virginia)                         |
| **Audit period**             | January 1 -- June 30, 2025                                         |
| **Trust service categories** | Security, Confidentiality                                          |
| **Opinion**                  | Unqualified (clean) -- no exceptions noted                         |
| **Subservice organization**  | AWS (carved out; Rockhopper reviews the AWS SOC 2 report annually) |

The audit evaluated the design and operating effectiveness of controls across the AICPA Trust Services Criteria, including control environment, risk assessment, monitoring, logical access, system operations, change management, and confidentiality.

**Requesting the report.** The full SOC 2 Type II report is available to current and prospective customers under NDA. Contact <privacy@rockhopper.co> to request a copy.

## Penetration testing

Rockhopper engages an independent, qualified third party to perform penetration testing at least annually.

* Testing follows a **gray-box methodology** based on the OWASP Web Security Testing Guide (WSTG)
* Both the web application and API are in scope
* The testing firm validates that the staging environment mirrors production before testing
* All identified findings are remediated and **retested by the penetration tester** to confirm resolution
* The most recent test was completed in **2025** with all findings remediated and verified

An executive summary of the most recent penetration test is available to prospective customers under NDA. Contact <privacy@rockhopper.co> to request it.

## Vulnerability management

Rockhopper operates a continuous vulnerability management program to identify, prioritize, and remediate security risks.

**Continuous scanning.** Internal and external vulnerability scans run continuously across production infrastructure. Results are reviewed by the engineering and security teams.

**Severity-based remediation SLAs.** Vulnerabilities are classified using the OWASP Risk Rating Methodology and remediated within defined timelines:

| Severity     | Remediation timeline  |
| ------------ | --------------------- |
| Critical     | Immediately to 7 days |
| High         | Within 14 days        |
| Medium / Low | Within 30 days        |

**Patch management.** Infrastructure patches are deployed at least monthly. Critical and zero-day patches are escalated and applied as soon as possible, following an impact assessment.

**Anti-malware.** Endpoint and server anti-malware solutions are deployed, automatically updated, and configured for periodic scanning.

## Security governance

Rockhopper maintains a formal **Information Security Policy** that is reviewed and approved by management at least annually. The policy covers ten security domains:

1. Security Organization and Management
2. Risk Management
3. People Security
4. Access Control
5. Network and System Security
6. Vulnerability Management
7. Monitoring
8. Change Management
9. Incident Management
10. Vendor Management

### Risk oversight

A **Risk Committee** with at least one independent member provides governance and oversight of the security program. The committee meets quarterly, maintains formal meeting minutes, and is responsible for approving the Information Security Policy and overseeing the annual risk assessment.

### Annual risk assessment

A formal risk assessment is conducted at least annually, or when significant changes occur. The assessment identifies threats and vulnerabilities, rates their likelihood and impact, and informs the selection of controls and mitigation strategies. Fraud risk is explicitly considered as part of the process.

## Incident response

Rockhopper maintains a documented **Incident Response Plan** that defines procedures for detecting, containing, remediating, and communicating security incidents.

* An Incident Response Team (IRT) with defined roles and responsibilities leads the response process
* The incident response plan is **tested annually** through tabletop exercises
* Post-incident reviews are conducted after any significant operational issue to identify root causes and preventive actions
* Customers and authorities are notified when required

## Business continuity and disaster recovery

Rockhopper maintains a documented **Business Continuity and Disaster Recovery (BC/DR) Plan** that is tested annually through simulated service disruptions.

| Measure                    | Detail                                                                           |
| -------------------------- | -------------------------------------------------------------------------------- |
| **Database backups**       | Automated daily backups with point-in-time recovery                              |
| **Backup retention**       | 60 days                                                                          |
| **High availability**      | Multi-AZ database configuration with automatic failover                          |
| **Version snapshots**      | Stored in S3 with 99.999999999% durability, replicated across availability zones |
| **Infrastructure as code** | Services can be redeployed from version-controlled definitions                   |

BC/DR test results are documented, and findings are used to improve recovery procedures and assess performance against defined KPIs.

## Employee security

Rockhopper enforces security requirements throughout the employee lifecycle:

* **Background checks** are performed on all individuals prior to their start date
* **Confidentiality agreements** must be signed before access to any company systems is granted
* **Security awareness training** is completed within 30 days of hire and at least annually thereafter, covering threat identification, phishing, incident reporting, and data protection
* **Performance reviews** are conducted at least annually by managers
* **Access deprovisioning** is completed within 24 hours of termination

## Change management

All changes to production systems follow a controlled change management process:

* Changes are developed in environments segregated from production
* All code changes undergo peer review by a second engineer
* Automated testing validates changes before deployment
* A staging environment that mirrors production is used for final validation
* Major changes require CTO approval
* Failed deployments are automatically rolled back
* All changes are tracked in version control with full audit history

## Vendor management

Rockhopper assesses and manages risks from third-party vendors through a formal vendor management program:

* Vendors are assigned a **criticality rating** (Critical, High, Medium, Low) based on operational dependency, business impact, and relevance to the software product
* **Formal agreements** are in place with all critical vendors, including commitments to information security standards
* **Annual reviews** of SOC 2 or equivalent attestation reports are conducted for all vendors rated critical or high risk, with exceptions evaluated for impact on the service
* AWS, the primary infrastructure provider, is reviewed annually and its SOC 2 report is assessed for any exceptions relevant to Rockhopper's service

## Requesting reports and completing questionnaires

Rockhopper is happy to support your vendor evaluation process. The following are available upon request:

| Document                           | Availability |
| ---------------------------------- | ------------ |
| SOC 2 Type II report               | Under NDA    |
| Penetration test executive summary | Under NDA    |
| Security questionnaire completion  | On request   |

Contact <privacy@rockhopper.co> for any of the above or for additional security questions.

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.rockhopper.co/security-and-compliance/trust-and-verification.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
