Rokt Minimum Security Measures
Capitalised terms not otherwise defined in this document have the meanings assigned to them in the Agreement or DPA.
| ID | Control title | Description |
| Security & Privacy Governance (GOV) | ||
| GOV-01 | Information security policy | Rokt’s information security policy covers all Rokt employees, contractors, service providers and external parties who access a controller’s personal data in Rokt’s possession, custody, or control. It covers personal data in transit, accessed or stored in any form (physical or electronic media), and covers all devices, workstations and servers (both virtual and physical) owned by Rokt and/or potentially connected to any part of Rokt’s environment. The security policy is regularly reviewed and updated in line with applicable laws and best industry practices. |
| GOV-02 | Defined roles & responsibilities | Rokt has established an Information Security Management System (ISMS) with clear allocation of roles, each with defined responsibilities and authorities. Each of these roles are allocated to specific individuals or groups. Overall responsibility for security is owned at an executive level by our Managing Director – APAC and Chief Technology Office, supported by our VP, Cybersecurity and others comprising our Information Security Steering Group. |
| GOV-03 | General compliance audit | Management of records in relation to information security standards implemented by Rokt and regular review of these information security standards and Rokt's compliance against such standards. |
| GOV-04 | Information security standards | Rokt maintains appropriate certifications and accreditations in compliance with industry standards, including ISO/IEC 27001 and AICPA SOC 2, and has aligned its ISMS with CIS benchmarks and OSWASP guidelines. |
| Identification & Authentication (IAC) | ||
| IAC-01 | Physical access controls | There is no physical access by Rokt Staff since all personal data is hosted in secured locations at Amazon Web Services (AWS)[1]. The primary data center is based in Oregon (USA), with additional data centers located in the international markets in which Rokt operates, where personal data may be cached to improve performance. |
| IAC-02 | Unique identifiers and least privilege | The Rokt email address is the unique identifier that all systems authenticate. Individual (per-user) logins are required for all systems. All Rokt core applications utilise Google’s single sign-on and enforced two-factor authentication. Rokt employs the principle of least privilege account management. Access to personal data is only provided to those users who require it and only to the extent needed to perform specific duties. Access is revoked if no longer required. Regular user access audits and an automated employee exit process are in place to ensure ongoing compliance. |
| IAC-03 | Password policy | All staff must use an approved password manager to randomly generate strong passwords and to avoid credential re-use and unsafe handling. All passwords must be at least 16 characters long and include at least one uppercase, one lowercase and one special character. |
| Cryptographic Protections (CRY) | ||
| CRY-01 | Secure data storage | Rokt hosts all its infrastructure in AWS data centers. All personal data is encrypted in the application layer using AES-256 prior to being written to storage. Envelope encryption is used with different encryption keys per consumer and per client. Consumer encryption keys are in turn encrypted with a master key using AES-256. |
| CRY-02 | Secure data transfer | All transfers of personal data occur over secure protocols. Web traffic is over HTTPS/TLS 1.2, SFTP or IPSec VPN. Any unencrypted connection request is either upgraded to use a secure connection or dropped subsequently. |
| CRY-03 | Key management | Cryptographic keys are stored in AWS KMS (HMAC) or AWS Secrets with IAM policies for least privilege access. Former keys are stored in a secure password vault with limited access by selected engineers. All keys are rotated on a regular schedule. Passwords are never stored or transmitted in plain text. |
| Physical & Environmental Security (PES) | ||
| PES-01 | Working in secure areas | All Rokt offices are located in secure CBD buildings with security guards, CCTV surveillance, visitor sign-in, receptionists during and swipe card access outside of business hours. |
| PES-02 | Clear desk & clear screen policy | Rokt’s onboarding includes training on a “clear desk and clear screen” policy, so that sensitive information, both in digital and physical format (e.g. notebooks, mobile phones, tablets) are not left unprotected. |
| PES-03 | Confidential data disposal | Confidential information in printed form must be protected and securely destroyed using the designated paper shredders. Any devices are reset to factory settings and securely wiped prior to disposal. |
| Security Operations (OPS) | ||
| OPS-01 | Endpoint security | All workstations have antivirus/anti-malware software installed, have disk encryption enabled, are regularly patched, have a strong password and automatic screen-lock with password prompt after a short period of inactivity. Regular device audits are conducted to ensure full compliance. |
| OPS-02 | Logging and monitoring | Real-time monitoring of local networks, as well as monitoring of hardware and software configurations. Recording and monitoring of all user management and system access logs in a centralised platform for managing and analysing such data and retained indefinitely. |
| OPS-03 | Vulnerability management | Vulnerability assessments such as penetration tests are performed quarterly on web applications and annually on critical infrastructure by an independent external security firm. In addition, security scans are automatically performed weekly with multiple vulnerability management software packages. |
| OPS-04 | Patch management | Regular system updates and security patches are carried out to remedy any bugs and vulnerabilities against internals SLAs based on severity. |
| Network Security (NET) | ||
| NET-01 | Virtual Private Cloud (VPC) | Each AWS operating environment has a single VPC network with a non-overlapping IP address range and each such VPC has two logical segments to provide security from external Internet sources. |
| NET-02 | Internal segmentation | This segment does not allow traffic originating from the Internet but does allow traffic originating from our servers to the Internet via AWS network address translation gateways. Application servers are deployed to the internal segment and have multiple subnets, one for each availability zone in use. |
| NET-03 | Demilitarized zone (DMZ) segmentation | This segment allows both network traffic originating from the Internet to our servers and vice versa via an AWS Internet Gateway (IGW). Any of our applications that require access from the public Internet will create an elastic load balancing (ELB) in the DMZ segment, in multiple subnets, one for each availability zone in use. This allows Internet traffic to reach the ELB in the DMZ segment, which forwards the traffic to the application server in the Internal subnet. |
| NET-04 | Web Application Firewalls (WAF) | All Internet-facing web applications and APIs have a Web Application Firewall (WAF) enabled that detects and blocks common application layer attacks such as Cross-Site Scripting (XSS) and SQL injection (SQLi). |
| Technology Development & Acquisition (TDA) | ||
| TDA-01 | Secure development | Rokt has established a secure software development life cycle (SSDLC). |
| TDA-02 | Environment segregation | Production and non-production environments are completely segregated and equally secured. |
| TDA-03 | Non-production test data | Production data is never used for testing in non-production environments. |
| TDA-04 | Vulnerability detection | Automated tools for vulnerability detection during the development lifecycle are in place. |
| Incident Response (IRO) | ||
| IRO-01 | Information security incident management | Rokt has an incident response procedure and related data breach response plan in place to ensure the appropriate identification, containment, eradication, recovery, prevention and notification steps are undertaken. The incident management process includes a “learnings and improvements” step that feeds back into our risk register and ISMS review process. |
| Human Resources Security (HRS) | ||
| HRS-01 | Employee screening | All Rokt employees and contractors undergo adequate screening prior to gaining access to information, including but not limited to criminal history checks. |
| HRS-02 | Non-disclosure | All Rokt employees and contractors must sign a work agreement including non-disclosure and acknowledgement of all information security requirements for their role. |
| HRS-03 | Awareness training | As part of Rokt’s onboarding procedure, all new starters must complete security and privacy awareness training with modules relevant to all staff and engineering specific ones; awareness training must be renewed annually. |
| HRS-04 | Disciplinary process | Rokt has an established disciplinary process for misconduct or severe non-compliance. |
| Business Continuity & Disaster Recovery (BCD) | ||
| BCD-01 | BC/DR plan | Rokt has business continuity and disaster recovery plans for critical infrastructure in place. |
| BCD-02 | Regular backups | Regular backups are automatically maintained and all backup data is encrypted. |
| BCD-03 | Regular plan testing | Plans are regularly evaluated for their suitability and effectiveness in an ever-changing threat landscape. |
| Third-Party Management (TPM) | ||
| TPM-01 | Third-party risk assessments | Material suppliers are assessed for their inherent risk profile, followed by a due diligence procedure where assurance documentation (e.g., industry-standard certifications, penetration tests, proof of cyber insurance) is obtained to determine the supplier’s security posture; significant findings lead to a remediation plan or rejection of the supplier. |
| TPM-02 | Legal contract review | Supplier contracts are subject to a legal review to ensure minimum requirements are met. |
| TPM-03 | Regular supplier review | Material suppliers are reviewed annually for possible changes in their risk profile and to request updated assurance documentation. |
- [1] Refer to https://aws.amazon.com/compliance/data-center/controls about AWS’ data center controls.