Security Policy
Introduction and general guidelines
We have created a general information security policy and specific policies for related topics and are continuously working to put them in place. These policies are necessary to set up secure processes and demonstrate our compliance with industry standards towards our customers. You can also find the annual acknowledgment forms here.
In case of any questions, contact the security team. More information on this page
Do you want a short summary? You can find a security one-pager here!
Mandatory Acknowledgment & Secure Configuration
Because we all must follow our security policies, we have set up a Zoho Sign term that must be filled out and signed by all Rocketeers.
Policy Acknowledgment, an acknowledgment of our current policies. Mandatory to all employees and contractors.
Note: If you have already signed it during the onboarding training, no need to sign again.
And to set yourself up securely, please follow the guidelines and fill out the form provided in the link below::
Security configuration a checklist to set up a basic secure configuration of your tools. Mandatory to all employees and contractors.
Overall Security Policy
Overall Management intention on security and baseline for our security management system.
Purpose
Rocket.Chat places a great emphasis on protecting its information. Such information includes e.g. information we manage on behalf of our customers, personnel files, and our intellectual property.
At Rocket.Chat, we aim to ensure at all times that the information we manage is appropriately secured to protect against the consequences of breaches of confidentiality, failures of integrity or interruptions to the availability of that information.
Objectives
Our objectives are:
We will meet all applicable requirements in properly protecting our information, including laws, regulations, industry standards, and contractual commitments
The protections we apply to information assets will be in proportion to the value and sensitivity of the information, and will balance the sensitivity of the information against the cost of controls, the impact of the controls on the effectiveness of business operations, and the risks against confidentiality, integrity and availability of the information
We will ensure that these controls are accepted by all employees, vendors, service providers, representatives, and associates of our company who may have access to our information. This includes ensuring that all personnel at all levels are aware of, and are held accountable for safeguarding information assets.
We will identify and mitigate any breaches to this policy.
We aim to improve our security practices over time continually.
Applicability and Ratification
This information security policy provides management direction and support for information security across the organization. Specific, subsidiary information security policies, procedures and guidelines are considered an integral part of this information security policy, because only when followed in its entirety, we can ensure the objectives of this policy are met. This policy has been ratified by Rocket.Chat´s management team and forms part of its policies and procedures. It is applicable to and will be communicated to our staff, contractors, students and other relevant parties.
Responsibilities
Everyone handling Rocket.Chat information has the responsibility to keep the information safe, no matter where the information is located. This includes our staff members, contractors, students, etc., but also our suppliers (e.g. those that provide us with our tools to work) and other recipients of that information.
To determine the appropriate levels of security measures applied to information systems, a process of risk assessment is carried out to identify the probability and impact of security failures.
To manage information security within the organization, an information security oversight is led by Rocket.Chat´s Security Lead in conjunction with senior members of our relevant teams. Regular meetings are held between Security Lead and CTO to ensure that there is clear direction and visible management support for security initiatives. This oversight group shall promote security through appropriate commitment and adequate resourcing. The responsibility for ensuring the protection of information systems and ensuring that specific security processes are carried out shall lie with the head of the department managing that information system.
Specialist advice on information security is available throughout the organization. Any member of the organization can contact his manager or Rocket.Chat´s Security Lead directly.
Rocket.Chat will establish and maintain appropriate contacts with other organizations, law enforcement authorities, regulatory bodies, and network and telecommunications operators.
Violations of our policies will be handled in accordance with the severity of the violation and applicable rules and regulations, including up to termination of the contract for severe violations.
Organization
We maintain a RASCI-chart that contains the responsibilities around information security. Conflicts of interest in these responsibilities must be avoided and tasks that create these conflicts be assigned to different persons. Where this is not possible, compensating controls (e.g. four-eyes principle) should be considered.
Current conflicting roles identified:
The company maintains relevant contacts with authorities and agencies, those relevant for Rocket.Chat being mostly:
Data protection agencies - outlined at
NIST
ISO
Open Source Community
In project management, the project leads are responsible to ensure security is properly addressed in a project.
Review
This policy is reviewed and updated regularly to ensure that it remains appropriate in the light of any relevant changes to the law, our other policies or contractual obligations. We will inform relevant parties about the updates.
The implementation of the information security policy shall be reviewed independently of those charged with its implementation.
Security Special Policies
The following are sub-policies related to specific areas and supplement the general policy.
Personnel Security
All personnel are screened before entering a position and subject to Terms of employment, including a duty of confidentiality. The screening process is in relation to the applicable laws and regulations as well as the requirements of the position. All personnel are subject to contractual terms that describe their duties. The Information Security Team ensures that all personnel are aware of Rocket.Chat´s Security policies.
The details of these processes are implemented and the records kept by the People Team.
Internal Controls Policy
This internal controls policy is to establish and maintain effective information security controls that safeguard the confidentiality, integrity, and availability of Rocket.Chat’s assets and operations.
It is everyone’s responsibility to familiarize yourselves with the company’s internal controls and comply with its requirements. See Internal Controls policy for details.
Asset Management and Acceptable Use
An asset is something of value for Rocket.Chat such as, but not limited to, information itself, a device, intellectual property.
Asset Management policy cover important security aspects and guidelines that help rocketeers to protect and avoid any misuse of company owned assets.
The lists of assets can be found here.
Authentication and Password Policy
Authentication is the process of verifying the identity of a user or system entity. It is a security mechanism that helps to ensure that only authorized individuals or systems are granted access to a particular resource, such as a system, network, or application.
Here you can find our detailed Authentication and Password policy
Access Control Policy
Access to sensitive or internal systems is critical for the security and confidentiality of Rocket.Chat.
Refer to this link to access policy and procedure.
Network Security Policy
This document applies to all individuals and entities who have authorized access to the organization's resources for work-related purposes.
Please refer to this link .
Homeoffice / Remote Work Policy
Rocket.Chat primarily is a remote and global company and this policy outlines the security guidelines, clear screen and security requirements for remote workers to follow.
Please refer to Remote work policy.
Porto Alegre’ office building is available for those in that location. It does not contain or house critical assets or operations. To have access to it, please contact Patricia Ferreira for guidance. Make sure the rules pinned in the office are followed.
Cryptography and Key management
Cryptography is the practice of securing information by transforming it into an unreadable format, which can only be understood by those who have the key to unlock it. Cryptography is used in various applications, such as secure communication, digital signatures, and data protection.
Key management is the practice of protecting and managing the cryptographic keys used in encryption and decryption. It involves generating, storing, exchanging, and revoking keys to ensure that the encryption and decryption process remains secure. Proper key management is essential for maintaining the confidentiality, integrity, and availability of information that is encrypted using cryptographic algorithms. Key management also includes ensuring the authenticity of the keys, so that the right person or entity can access the encrypted information.
For detailed information and guidelines refer to Cryptography and Key management page.
Data Classification & Lifecycle Policy
To ensure data is classified and handled appropriately and securely throughout its lifecycle, check the policies below:
Data Classification and Management
Data Retention and Disposal
Secure Data Transfer
Accessing Customer Data
For access to customer data, you must adhere to the following: You may only access customer data if
The customer specifically requests it (e.g. support request) or
When it is necessary for us to fulfill our contractual obligations (e.g. to act proactively to prevent an instance from failing)
Access is strictly limited to the data needed to fulfill the request. You may not access data of other customers. No customer data may be extracted unless this is strictly requested by the customer. All data extracted must be stored safely and deleted when it is no longer necessary.
You must terminate the session immediately after the reason for your access has been resolved.
You must as soon as possible inform the customer of the outcome of your access.
Important: The use of sensitive or customer data in non-production environments is strictly prohibited.
Non-production environments, including development, testing, and staging, must not be used for any purpose involving sensitive or customer data.
Secure Development & Change Management
Secure engineering basic principles:
Features or changes involving components that could affect overall system security (e.g. authentication, encryption, access control) should consider the following steps:
have a thoroughly documented PR explaining the change
the PR must pass all checks, alerts must be remediated before merging
be subject to the regular tests (including security tests) before a release and not be introduced after these tests
should check if documentation needs to be updated and if so, update it
Changes to assets should only occur when a change is necessary. All changes must be controlled. All changes related to source code must occur through the authorized version control system (e.g. GitHub). In case a change is urgent, the change control process may be shortened by decision of management, in order to mitigate potential damages to the organization.
Please consult our Secure Development policy and Change Management session.
Vulnerability and Patch Management
This policy applies to all software applications and infrastructure components utilized by our company, including those hosted on SaaS platforms, AWS (Amazon Web Services), and OVH bare metals.
Software administrators, SRE and security teams must be aware of this policy and their roles in having it implemented.
Details available in this link .
Incident Management
An incident is any event that has the potential to affect the confidentiality, integrity or availability of Rocket.Chat information, in any format, or IT systems in which this information is held. Violations of laws, policies, contractual obligations or also external requests should also be considered as incidents in this sense.
Examples of incidents include:
Lost devices
A suspicious and successful log in
Malware incident
Ransomware attack
Email with confidential data sent to wrong recipient
Law enforcement requests to disclose data of customers
The Rocket.Chat's incident response plan is an internal document and access to it is restricted to authorized personnel.
The plan is tested annually to ensure effectiveness and promptness in the event of an incident. In the event of actual incidents within the year, we consider our annual testing requirement fulfilled, ensuring that our Incident Response Plan remains regularly assessed and validated. If there are no actual incidents, we shall conduct simulated testing to ensure ongoing readiness and effectiveness.
In addition to that we also have in place an Incident Communication protocol available in this link.
Business Continuity and Disaster Recovery
The purpose of this policy is to outline the components and steps necessary to ensure the continuity of Rocket.Chat operations in the event of a disaster or disruptive event.
Please check the Business Continuity and Disaster Recovery page.
Supplier Relationship and Procurement
This policy applies to the security and compliance of supplier relationships. It includes guidelines you shall be aware of when making a procurement decision on behalf of Rocket.Chat. For details please refer to the Supplier Relationship and Procurement page.
In addition to that, it is recommended that you check if the system or solution you are interested in meets the recommendations outlined in our Information Security Requirements guide.
Security Awareness and Training
All new employees are required to complete basic security training as part of their onboarding process. Please refer to Awareness and Training session
Auditing
The design and implementation of these policies will be audited on a regular basis, with a focus on risks identified in the risk management process. Where a potential conflict of interest takes place, the audit will be delegated to another individual with such conflict or other compensating controls be taken.
Compliance and Enforcement
Rocket.Chat will conduct periodic reviews and audits to ensure compliance with this policy. These reviews may include code inspections, security assessments, and process evaluations. Monitoring may also involve the use of automated tools or manual checks.
Any suspected or observed non-compliance with this policy should be promptly reported to the policy owner, GRC team or through the designated reporting channels.
Non-compliance with this policy may result in disciplinary actions, including but not limited to verbal or written warnings, suspension, termination of employment or engagement, and legal actions as deemed needed.