Security and trust

Your data security is our top priority at Rossum. We meet the highest industry standards, ensuring the confidentiality of your documents.



For Rossum, processing critical business data for enterprises worldwide is bread and butter. We are dedicated to upholding the highest standards of security, privacy, and compliance for customer data.

To this end, we have developed and implemented a comprehensive set of policies, procedures, and controls to ensure appropriate confidentiality, integrity, and availability of your data as further described below.

Dedicated Security, Legal, and Compliance Teams

We have dedicated security, privacy, and compliance teams that implement and manage our security and privacy programs. They engineer and maintain our defense systems, develop review processes for security, and constantly monitor our networks to detect suspicious activity. They also provide domain-specific consulting services and guidance to our engineering teams.

We perform periodic internal audits and assessments by accredited third parties. Further, Rossum appoints a Data Protection Officer and implements personal data handling policies, including data processing, retention, and disposal policies in line with the GDPR. If you have any questions related to Rossum’s privacy policy, privacy practices, and GDPR compliance, please get in touch with our Data Protection Officer:

Data Protection Measures

We maintain appropriate technical and organizational measures, internal controls, and information security routines, following industry best practice and taking into account the state of the art, to protect your data against accidental loss, destruction or alteration, unauthorized disclosure or access, and unlawful destruction. Such measures include, without limitation: ensuring the reliability of employees who have access to your data; limited access rights and access controls; strong authentication; personnel training; regular backups; data recovery and incident management procedures; restrictions on storing, printing, and disposing of data; and technical protection of the devices on which data is stored.


Rossum adheres to the ISO 27001 and SOC 2 standards, and we carry out thorough audits of our applications, systems, and networks, thereby ensuring your data’s continuous protection.

Rossum security

ISO 27001 Certification

Rossum is certified and accredited by a third-party privacy organization and holds ISO/IEC 27001:2013 certification. In line with this certification, Rossum has developed and implemented a comprehensive set of policies, procedures, and technologies to ensure appropriate confidentiality, integrity, and availability of your data, including penetration tests, vulnerability scans, secure development frameworks, access management, supplier management, compliance processes, and employee security awareness.

SOC 2 Type II Report

Rossum successfully completed a Service Organization Controls (SOC) 2 Type II audit of its platform. The report is based on the Trust Services Criteria relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy; the most recent report covers the period from July 27, 2022 to July 14, 2023.

Texas Risk and Authorization Management Program (TX-RAMP)

Rossum holds Texas Risk and Authorization Management Program (TX-RAMP) Level 1 certification (certificate ID TX1114698).


We offer a HIPAA compliant environment and Business Associate Agreement (BAA) as a commercial option.

Data Processing and Transfers

Data collected from you may be transferred to, stored in, and processed in the European Union, Ireland, and the Czech Republic. Other locations are available as a commercial option. See Data Center Locations below for details, including the option of deploying to EU or US locations.

We regularly update our Terms and Conditions as well as our Privacy Policy and our internal data processing policies to reflect regulatory developments and ensure compliance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other applicable privacy laws and industry standards. The updates aim to give you more information and more control over your data.

Vendor and Supplier Ecosystem

We evaluate and qualify each vendor based on our Supplier Management Policy. We onboard new vendors only after a rigorous risk assessment. We take appropriate steps to ensure our security stance is maintained by establishing agreements that require the vendors to adhere to confidentiality, availability, and integrity commitments we have made to our customers. We monitor the effective operation of the organization’s process and security measures by conducting periodic reviews of its controls.

We have robust data processing agreements in place with all data sub-processors that cover standard contractual clauses for GDPR compliance and set out Rossum’s audit rights, detail minimum security standards and measures (including state of the art encryption), and require access to their security audits and certificates (e.g. SOC2, ISO 27001). We also contractually require our vendors to provide us with prompt notice of any data breach, security incident concerning processed data, or request for compelled disclosure of processed personal data.

Data Center Locations

We store customer data primarily on servers provided by Amazon Web Services (AWS). AWS is the trusted hosting provider for both established internet services such as Netflix and enterprises such as Pfizer and Siemens. AWS maintains the highest security standards and holds a range of certifications. Our data is located in data centers that are SOC 1, 2, and 3 and ISO/IEC 27001:2013 compliant and periodically audited. More information on AWS Cloud security can be found here.

We offer an option of different AWS regions based on your data residency requirements. Within each region, our platform operates across multiple Availability Zones (physical data centers) to ensure high availability.

Europe Data Center (default):

  • Primary site: AWS region: eu-west-1 (Europe – Ireland)
  • Primary site for new customers: AWS region: eu-central-1 (Europe – Frankfurt)
  • Data backup: AWS region: eu-central-1 (Europe – Frankfurt)
  • Recovery site: AWS region: eu-central-1 (Europe – Frankfurt)

US Data Center:

  • Primary site: AWS region: us-east-1 (N. Virginia)
  • Data backup: AWS region: us-west-1 (N. California)
  • Recovery site: AWS region: us-west-1 (N. California)

Our architecture is multi-tenant by default: data is logically separated at rest, and strict tenant security filters are applied to all database queries by default. A single-tenant deployment with a dedicated database is available as a commercial option.
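To make the multi-tenant isolation described above concrete, here is an added illustration of a data-access layer that applies a tenant filter to every query by construction. This is example code written for this page, not Rossum's own implementation; the table and column names (documents, tenant_id, filename, status) and the sample rows are assumptions constructed for the demo.

```python
"""Tenant-scoped data access: every query carries a mandatory tenant filter.

Added illustration of "strict security filters applied to all database
queries". Not Rossum's code; schema, column names and sample rows below are
constructed for this demo.
"""
import sqlite3
from typing import Optional

SCHEMA = """
CREATE TABLE documents (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    filename  TEXT NOT NULL,
    status    TEXT NOT NULL
);
CREATE INDEX documents_tenant ON documents(tenant_id);
"""

# Constructed sample data: two tenants sharing one physical table.
SAMPLE_ROWS = [
    (1, "acme", "invoice-0001.pdf", "exported"),
    (2, "acme", "invoice-0002.pdf", "to_review"),
    (3, "globex", "po-7781.pdf", "exported"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


class TenantScopedDocuments:
    """Repository bound to one tenant at construction time.

    Callers never pass a tenant id per query, so there is no code path that
    can forget the filter: the WHERE clause is built here, once.
    """

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self._conn = conn
        self._tenant_id = tenant_id

    def _query(self, extra_where: str, params: tuple = ()) -> list:
        # The tenant predicate is always the first term; caller-supplied
        # conditions are appended with AND and can only narrow the result.
        sql = "SELECT id, filename, status FROM documents WHERE tenant_id = ?"
        if extra_where:
            sql += " AND " + extra_where
        return self._conn.execute(sql, (self._tenant_id, *params)).fetchall()

    def list_documents(self) -> list:
        return self._query("")

    def get_document(self, doc_id: int) -> Optional[tuple]:
        # A lookup by primary key still carries the tenant filter, so an id
        # belonging to another tenant resolves to nothing instead of a row.
        rows = self._query("id = ?", (doc_id,))
        return rows[0] if rows else None

    def set_status(self, doc_id: int, status: str) -> int:
        # Writes are scoped the same way; returns the number of rows changed.
        cur = self._conn.execute(
            "UPDATE documents SET status = ? WHERE tenant_id = ? AND id = ?",
            (status, self._tenant_id, doc_id),
        )
        self._conn.commit()
        return cur.rowcount


def demo() -> dict:
    conn = make_db()
    acme = TenantScopedDocuments(conn, "acme")
    globex = TenantScopedDocuments(conn, "globex")
    return {
        "acme_ids": [r[0] for r in acme.list_documents()],
        "globex_ids": [r[0] for r in globex.list_documents()],
        # globex asks for document 1, which belongs to acme: nothing returned
        "cross_tenant_read": globex.get_document(1),
        # a cross-tenant write touches zero rows
        "cross_tenant_write": globex.set_status(1, "deleted"),
        # the owning tenant's write succeeds
        "own_write": acme.set_status(1, "archived"),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the tenant identity is bound once, at the repository boundary, rather than passed by each caller; a forgotten filter in a single handler is the classic way logically separated data leaks across tenants, and this structure removes that code path.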

Ready to get started?

Begin your journey to a more secure way to process your documents. See why hundreds of companies use Rossum to improve operating efficiencies, drive revenue, and reduce risk.


  • What security features are available across the Rossum platform? Does Rossum comply with data regulations?

    Granular data control: Rossum provides you with the flexibility to define data location (jurisdiction), retention periods (individual document, aggregate, and time limits), and usage for AI training purposes. This granular control allows you to tailor data handling practices to meet the specific requirements of regulations like GDPR and CCPA.

    Data processing workflow control: Maintain robust control over data processing workflows with user roles and fine-grained permissions that enforce need-to-know access. Additionally, Rossum offers auditable access logs for all data manipulations and access attempts, allowing for comprehensive monitoring and auditing of data usage purposes. Smart workflows further enhance control by dynamically adjusting processing steps (personnel involved or data retention) based on pre-defined criteria, such as document type or identified PII.

    Cloud compliance guarantees: Rossum prioritizes data security and adheres to the highest industry standards. We maintain a valid ISO 27001 certification and SOC 2 type II audit report, demonstrating a commitment to robust information security governance, processes, and systems. Regular external penetration testing further strengthens our security posture. Rossum utilizes high-grade encryption for data at rest and in transit, and adheres to strict physical security protocols for both data centers and employee devices. We provide customers with audit rights and notification options in the event of security incidents or compelled data requests.

    Compliance with data privacy regulations: Rossum acts as a data sub-processor and fulfills all requirements for compliant processing of sensitive data, adhering to regulations like GDPR and CCPA. Compliance measures include maintaining a Data Protection Officer, implementing personal data handling policies (including processing, retention, and disposal), and offering Data Processing Agreements with Standard Contractual Clauses. Additionally, Rossum follows the GDPR requirements for data sub-processors, ensuring that all of our sub-processors (e.g., cloud providers) meet the same stringent security standards.

  • How does Rossum protect against security threats like phishing and malware?

    Keeping your data secure is our top priority at Rossum. That’s why we’ve built robust security measures right into our platform.

    When it comes to emails, we use a combination of DMARC checks and configurable filtering to stop spoofing attempts and filter out potentially risky messages before they reach your inbox.

    We also understand the potential risks associated with AI. That’s why Rossum’s models are built completely in-house, eliminating the chance of data leaks to third-party models.

    Finally, Rossum’s system is designed to process only the data points you define. Any invalid or suspicious content gets automatically removed, further protecting you from malware and other security threats.

  • Is my data secure when transferred between Rossum and other systems (e.g., SAP, Coupa, Workday)?

    Rossum’s AI converts image-based files into text strings, which are then passed into the downstream system. There is no way for a file to be hidden in the system, and the AI only looks for defined fields. The system will kick out anything that is not valid, implying that the data is secure when transferred between Rossum and other systems.