Security and trust

Your data security is our top priority at Rossum. We meet the highest industry standards, ensuring the confidentiality of your documents.


For Rossum, processing critical business data for enterprises worldwide is bread and butter. We are dedicated to upholding the highest standards of security, privacy, and compliance for customer data.

To this end, we have developed and implemented a comprehensive set of policies, procedures, and controls to ensure appropriate confidentiality, integrity, and availability of your data as further described below.

Dedicated Security, Legal, and Compliance Teams

We have dedicated security, privacy, and compliance teams that implement and manage our security and privacy programs. They engineer and maintain our defense systems, develop review processes for security, and constantly monitor our networks to detect suspicious activity. They also provide domain-specific consulting services and guidance to our engineering teams.

We perform periodic internal audits and assessments by accredited third parties. Further, Rossum appoints a Data Protection Officer and implements personal data handling policies, including data processing, retention, and disposal policies in line with the GDPR. If you have any questions related to Rossum’s privacy policy, privacy practices, and GDPR compliance, please get in touch with our Data Protection Officer: privacy@rossum.ai.

Data Protection Measures

We maintain appropriate technical and organizational measures, internal controls, and information security routines that follow industry best practice and take the current state of technology into account, in order to protect your data against accidental loss, destruction, alteration, unauthorized disclosure or access, and unlawful destruction. Such measures include, without limitation: ensuring the reliability of employees who have access to your data and limiting their access rights through access controls; strong authentication; personnel training; regular backups; data recovery and incident management procedures; restrictions on the storing, printing, and disposal of data; and technical protection of the devices on which data is stored.

Compliance

Rossum adheres to the ISO 27001 / SOC2 standards, and we carry out thorough audits on our applications, systems, and networks, thereby guaranteeing your data’s continuous protection.

Rossum security

ISO 27001 Certification

Rossum is certified and accredited by a third-party privacy organization and holds ISO/IEC 27001:2013 certification. In line with that certification, Rossum has developed and implemented a comprehensive set of policies, procedures, and technologies to ensure appropriate confidentiality, integrity, and availability of your data, including penetration tests, vulnerability scans, secure development frameworks, access management, supplier management, compliance processes, and employee security awareness.

SOC 2 Type II Report

Rossum successfully completed a Service Organization Controls (SOC) 2 Type II audit of its platform. The report is based on the Trust Services Criteria relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy. The most recent report covers the period July 27, 2022 – July 14, 2023.

Texas Risk and Authorization Management Program (TX-RAMP)

Rossum successfully completed Texas Risk and Authorization Management Program (TX-RAMP) Level 1 certification (certificate ID TX1114698).

HIPAA

We offer a HIPAA compliant environment and Business Associate Agreement (BAA) as a commercial option.

Data Processing and Transfers

Data collected from you may be transferred to, stored in, and processed in the European Union, Ireland, and the Czech Republic. Other locations are available as a commercial option. See the Data Center Locations section below for specifications and for the option of deploying in EU or US locations.

We regularly update our Terms and Conditions as well as our Privacy Policy and our internal data processing policies to reflect regulatory developments and ensure compliance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other applicable privacy laws and industry standards. The updates aim to give you more information and more control over your data.

Vendor and Supplier Ecosystem

We evaluate and qualify each vendor based on our Supplier Management Policy and onboard new vendors only after a rigorous risk assessment. To maintain our security posture, we establish agreements that require vendors to adhere to the confidentiality, availability, and integrity commitments we have made to our customers. We monitor the effective operation of each vendor's processes and security measures by conducting periodic reviews of its controls.

We have robust data processing agreements in place with all data sub-processors that cover standard contractual clauses for GDPR compliance and set out Rossum’s audit rights, detail minimum security standards and measures (including state of the art encryption), and require access to their security audits and certificates (e.g. SOC2, ISO 27001). We also contractually require our vendors to provide us with prompt notice of any data breach, security incident concerning processed data, or request for compelled disclosure of processed personal data.

Data Center Locations

We store customer data primarily on servers provided by Amazon Web Services (AWS). AWS is the trusted hosting provider both for established internet services such as Netflix and for enterprises such as Pfizer and Siemens. AWS maintains high security standards and holds a range of certifications. Our data is located in data centers that are SOC 1, 2, and 3 and ISO/IEC 27001:2013 compliant and periodically audited. More information on AWS Cloud security can be found here.

We offer an option of different AWS regions based on your data residency requirements. Within each region, our platform operates across multiple Availability Zones (physical data centers) to ensure high availability.

Europe Data Center (default):

  • Primary site: AWS region: eu-west-1 (Europe – Ireland)
  • Primary site for new customers: AWS region: eu-central-1 (Europe – Frankfurt)
  • Data backup: AWS region: eu-central-1 (Europe – Frankfurt)
  • Recovery site: AWS region: eu-central-1 (Europe – Frankfurt)

US Data Center:

  • Primary site: AWS region: us-east-1 (N. Virginia)
  • Data backup: AWS region: us-west-1 (N. California)
  • Recovery site: AWS region: us-west-1 (N. California)

Our architecture is multi-tenant by default; data is therefore logically separated at rest, and strict tenant-scoping security filters are applied to all database queries by default. A single-tenant deployment with a dedicated database is available as a commercial option.
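To illustrate what "a tenant filter applied to every query by default" means in practice, here is an added example that is not Rossum's code: a small query wrapper that appends the tenant predicate itself, so a caller who forgets a WHERE clause, or who asks for a row id belonging to another tenant, still only touches its own rows. The table, column names, and tenant identifiers are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass

# Constructed schema: every tenant-owned table carries a tenant_id column.
SCHEMA = """
CREATE TABLE document (
    id INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    name TEXT NOT NULL
);
CREATE INDEX document_tenant ON document (tenant_id);
"""

# Constructed sample rows for two hypothetical tenants.
SAMPLE_ROWS = [
    (1, "acme", "invoice-001.pdf"),
    (2, "acme", "invoice-002.pdf"),
    (3, "globex", "po-7781.pdf"),
]

# Table and column names are code constants, never caller input, because they
# are interpolated into SQL; only values go through bound parameters.
ALLOWED_TABLES = {"document": {"id", "tenant_id", "name"}}


@dataclass(frozen=True)
class TenantScope:
    """Connection wrapper: the tenant predicate is added by the wrapper, not by
    the caller, so no query issued through it can reach another tenant's rows."""
    conn: sqlite3.Connection
    tenant_id: str

    def _check(self, table, columns):
        if table not in ALLOWED_TABLES or not set(columns) <= ALLOWED_TABLES[table]:
            raise ValueError("unknown table or column")

    def select(self, table, columns, where="1=1", params=()):
        self._check(table, columns)
        sql = f"SELECT {', '.join(columns)} FROM {table} WHERE ({where}) AND tenant_id = ?"
        return self.conn.execute(sql, (*params, self.tenant_id)).fetchall()

    def delete(self, table, where, params=()):
        self._check(table, ())
        sql = f"DELETE FROM {table} WHERE ({where}) AND tenant_id = ?"
        return self.conn.execute(sql, (*params, self.tenant_id)).rowcount


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO document VALUES (?, ?, ?)", SAMPLE_ROWS)
    acme, globex = TenantScope(conn, "acme"), TenantScope(conn, "globex")
    acme_names = [r[0] for r in acme.select("document", ["name"])]  # no WHERE given
    leaked = globex.select("document", ["name"], "id = ?", (1,))     # acme's row id
    deleted = globex.delete("document", "id = ?", (1,))              # affects 0 rows
    remaining = conn.execute("SELECT COUNT(*) FROM document").fetchone()[0]
    return acme_names, leaked, deleted, remaining
```

The same invariant can be pushed into the database itself (for example with row-level security policies), which also covers queries that bypass the application layer.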
