Trust & Verification
This page summarizes the independent assessments, formal policies, and security programs that govern how Rockhopper protects your data. It is intended for IT and security professionals conducting vendor due diligence.
SOC 2 Type II attestation
Rockhopper has completed a SOC 2 Type II examination covering the Security and Confidentiality trust service categories.
Auditor: Laika Compliance LLC (Arlington, Virginia)
Audit period: January 1 -- June 30, 2025
Trust service categories: Security, Confidentiality
Opinion: Unqualified (clean) -- no exceptions noted
Subservice organization: AWS (carved out; Rockhopper reviews the AWS SOC 2 report annually)
The audit evaluated the design and operating effectiveness of controls across the AICPA Trust Services Criteria, including control environment, risk assessment, monitoring, logical access, system operations, change management, and confidentiality.
Requesting the report. The full SOC 2 Type II report is available to current and prospective customers under NDA. Contact [email protected] to request a copy.
Penetration testing
Rockhopper engages an independent, qualified third party to perform penetration testing at least annually.
Testing follows a gray-box methodology based on the OWASP Web Security Testing Guide (WSTG)
Both the web application and API are in scope
The testing firm validates that the staging environment mirrors production before testing
All identified findings are remediated and retested by the penetration tester to confirm resolution
The most recent test was completed in 2025 with all findings remediated and verified
An executive summary of the most recent penetration test is available to prospective customers under NDA. Contact [email protected] to request it.
Vulnerability management
Rockhopper operates a continuous vulnerability management program to identify, prioritize, and remediate security risks.
Continuous scanning. Internal and external vulnerability scans run continuously across production infrastructure. Results are reviewed by the engineering and security teams.
Severity-based remediation SLAs. Vulnerabilities are classified using the OWASP Risk Rating Methodology and remediated within defined timelines:
Critical: immediately, and within 7 days at most
High: within 14 days
Medium / Low: within 30 days
Patch management. Infrastructure patches are deployed at least monthly. Critical and zero-day patches are escalated and applied as soon as possible, following an impact assessment.
Anti-malware. Endpoint and server anti-malware solutions are deployed, automatically updated, and configured for periodic scanning.
Security governance
Rockhopper maintains a formal Information Security Policy that is reviewed and approved by management at least annually. The policy covers ten security domains:
Security Organization and Management
Risk Management
People Security
Access Control
Network and System Security
Vulnerability Management
Monitoring
Change Management
Incident Management
Vendor Management
Risk oversight
A Risk Committee with at least one independent member provides governance and oversight of the security program. The committee meets quarterly, maintains formal meeting minutes, and is responsible for approving the Information Security Policy and overseeing the annual risk assessment.
Annual risk assessment
A formal risk assessment is conducted at least annually, or when significant changes occur. The assessment identifies threats and vulnerabilities, rates their likelihood and impact, and informs the selection of controls and mitigation strategies. Fraud risk is explicitly considered as part of the process.
Incident response
Rockhopper maintains a documented Incident Response Plan that defines procedures for detecting, containing, remediating, and communicating security incidents.
An Incident Response Team (IRT) with defined roles and responsibilities leads the response process
The incident response plan is tested annually through tabletop exercises
Post-incident reviews are conducted after any significant operational issue to identify root causes and preventive actions
Customers and authorities are notified when required
Business continuity and disaster recovery
Rockhopper maintains a documented Business Continuity and Disaster Recovery (BC/DR) Plan that is tested annually through simulated service disruptions.
Database backups: automated daily backups with point-in-time recovery
Backup retention: 60 days
High availability: multi-AZ database configuration with automatic failover
Version snapshots: stored in S3 with 99.999999999% durability, replicated across availability zones
Infrastructure as code: services can be redeployed from version-controlled definitions
BC/DR test results are documented, and findings are used to improve recovery procedures and assess performance against defined KPIs.
Employee security
Rockhopper enforces security requirements throughout the employee lifecycle:
Background checks are performed on all individuals prior to their start date
Confidentiality agreements must be signed before access to any company systems is granted
Security awareness training is completed within 30 days of hire and at least annually thereafter, covering threat identification, phishing, incident reporting, and data protection
Performance reviews are conducted at least annually by managers
Access deprovisioning is completed within 24 hours of termination
Change management
All changes to production systems follow a controlled change management process:
Changes are developed in environments segregated from production
All code changes undergo peer review by a second engineer
Automated testing validates changes before deployment
A staging environment that mirrors production is used for final validation
Major changes require CTO approval
Failed deployments are automatically rolled back
All changes are tracked in version control with full audit history
Vendor management
Rockhopper assesses and manages risks from third-party vendors through a formal vendor management program:
Vendors are assigned a criticality rating (Critical, High, Medium, Low) based on operational dependency, business impact, and relevance to the software product
Formal agreements are in place with all critical vendors, including commitments to information security standards
Annual reviews of SOC 2 or equivalent attestation reports are conducted for all vendors rated critical or high risk, with exceptions evaluated for impact on the service
AWS, the primary infrastructure provider, is reviewed annually and its SOC 2 report is assessed for any exceptions relevant to Rockhopper's service
Requesting reports and completing questionnaires
Rockhopper is happy to support your vendor evaluation process. The following are available upon request:
SOC 2 Type II report: under NDA
Penetration test executive summary: under NDA
Security questionnaire completion: on request
Contact [email protected] for any of the above or for additional security questions.
Last updated