Security and trust
Your data security is our top priority at Rossum. We meet the highest industry standards, ensuring the confidentiality of your documents.
For Rossum, processing critical business data for enterprises worldwide is bread and butter. We are dedicated to upholding the highest standards of security, privacy, and compliance for customer data.
To this end, we have developed and implemented a comprehensive set of policies, procedures, and controls to ensure appropriate confidentiality, integrity, and availability of your data as further described below.
Dedicated Security, Legal, and Compliance Teams
We have dedicated security, privacy, and compliance teams that implement and manage our security and privacy programs. They engineer and maintain our defense systems, develop review processes for security, and constantly monitor our networks to detect suspicious activity. They also provide domain-specific consulting services and guidance to our engineering teams.
We perform periodic internal audits and assessments by accredited third parties. Further, Rossum appoints a Data Protection Officer and implements personal data handling policies, including data processing, retention, and disposal policies in line with the GDPR. If you have any questions related to Rossum’s privacy policy, privacy practices, and GDPR compliance, please get in touch with our Data Protection Officer: [email protected].
Data Protection Measures
We maintain appropriate technical and organizational measures, internal controls, and information security routines that follow industry best practice and take into account the state of technological development, in order to protect your data against accidental loss, destruction, alteration, unauthorized disclosure or access, and unlawful destruction. Such measures include, without limitation: ensuring the reliability of employees who have access to your data; limited access rights and access controls; strong authentication; personnel training; regular backups; data recovery and incident management procedures; restrictions on the storage, printing, and disposal of data; and technical protection of the devices on which data is stored.
Compliance
Rossum adheres to the ISO 27001 and ISO 42001 standards and has completed a SOC 2 Type II audit. We carry out thorough audits of our applications, systems, and networks to ensure your data is continuously protected.
For more details and documentation, please visit our Compliance Trust Center.
ISO 27001 Certification
Rossum is certified and accredited by a third-party privacy organization and holds ISO/IEC 27001:2022. In line with the above-mentioned certification, Rossum developed and implemented a comprehensive set of policies, procedures, and technologies to ensure appropriate confidentiality, integrity, and availability of your data, including penetration tests, vulnerability scans, secure development frameworks, access management, supplier management, compliance processes, and employee security awareness.
ISO 42001 Certification
Rossum is certified and accredited by a third-party privacy organization and holds ISO/IEC 42001:2023 certification. We have developed and implemented robust governance frameworks for artificial intelligence technologies to manage AI systems transparently, protect data privacy, reduce bias, and ensure AI governance aligned with the latest regulations such as the EU AI Act.
SOC 2 Type II Report
Rossum successfully completed a Service Organization Controls (SOC) 2 Type II audit of its platform. The report is based on the Trust Services Criteria relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy. The most recent report covers the period June 15, 2024 – June 24, 2025.
Rossum has also achieved Texas Risk and Authorization Management Program (TX-RAMP) Level 1 certification (certificate ID TX1114698).
Data Processing and Transfers
Data collected from you may be transferred to, stored in, and processed in the European Union, Ireland, and the Czech Republic. Other locations are available as a commercial option. See Data Center Locations below for details, including the option of deploying in EU or US locations.
We regularly update our Terms and Conditions as well as our Privacy Policy and our internal data processing policies to reflect regulatory developments and ensure compliance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other applicable privacy laws and industry standards. The updates aim to give you more information and more control over your data.
Vendor and Supplier Ecosystem
We evaluate and qualify each vendor based on our Supplier Management Policy. We onboard new vendors only after a rigorous risk assessment. We take appropriate steps to ensure our security stance is maintained by establishing agreements that require the vendors to adhere to confidentiality, availability, and integrity commitments we have made to our customers. We monitor the effective operation of the organization’s process and security measures by conducting periodic reviews of its controls.
We have robust data processing agreements in place with all data sub-processors. These cover the standard contractual clauses required for GDPR compliance, set out Rossum’s audit rights, detail minimum security standards and measures (including state-of-the-art encryption), and require access to the sub-processors’ security audits and certificates (e.g. SOC 2, ISO 27001). We also contractually require our vendors to give us prompt notice of any data breach, any security incident concerning processed data, or any request for compelled disclosure of processed personal data.
Data Center Locations
We store customer data primarily on servers provided by Amazon Web Services (AWS). AWS is the trusted hosting provider for established internet services such as Netflix and for enterprises such as Pfizer and Siemens. AWS maintains the highest security standards and holds a range of certifications. Our data is located in data centers that are SOC 1, SOC 2, SOC 3, and ISO/IEC 27001:2022 compliant and are periodically audited. More information on AWS Cloud security can be found here.
We offer an option of different AWS regions based on your data residency requirements. Within each region, our platform operates across multiple Availability Zones (physical data centers) to ensure high availability.
Europe Data Center (default site for new customers) – AWS region eu-central-1:
- Primary site: AWS region: eu-central-1 (Europe – Frankfurt)
- Data backup: AWS region: eu-west-1 (Europe – Ireland)
- Recovery site: AWS region: eu-west-1 (Europe – Ireland)
Europe Data Center – AWS region eu-west-1:
- Primary site: AWS region: eu-west-1 (Europe – Ireland)
- Data backup: AWS region: eu-central-1 (Europe – Frankfurt)
- Recovery site: AWS region: eu-central-1 (Europe – Frankfurt)
US Data Center:
- Primary site: AWS region: us-east-1 (N. Virginia)
- Data backup: AWS region: us-west-1 (N. California)
- Recovery site: AWS region: us-west-1 (N. California)
Japan Data Center:
- Primary site: AWS region: ap-northeast-1 (Japan – Tokyo)
- Data backup: AWS region: ap-northeast-3 (Japan – Osaka)
- Recovery site: AWS region: ap-northeast-3 (Japan – Osaka)
Our architecture is multi-tenant by default; customer data is therefore logically separated at rest, and strict tenant-scoping security filters are applied to all database queries by default. A single-tenant deployment with a dedicated database is available as a commercial option.
FAQ
What security features are available across the Rossum platform? Does Rossum comply with data regulations?
Granular data control: Rossum provides you with the flexibility to define data location (jurisdiction), retention periods (individual document, aggregate, and time limits), and usage for AI training purposes. This granular control allows you to tailor data handling practices to meet the specific requirements of regulations like GDPR and CCPA.
Data processing workflow control: Maintain robust control over data processing workflows with user roles and fine-grained permissions that enforce need-to-know access. Additionally, Rossum offers auditable access logs for all data manipulations and access attempts, allowing for comprehensive monitoring and auditing of data usage purposes. Smart workflows further enhance control by dynamically adjusting processing steps (personnel involved or data retention) based on pre-defined criteria, such as document type or identified PII.
Cloud compliance guarantees: Rossum prioritizes data security and adheres to the highest industry standards. We maintain a valid ISO 27001 certification and a SOC 2 Type II audit report, demonstrating a commitment to robust information security governance, processes, and systems. Regular external penetration testing further strengthens our security posture. Rossum uses high-grade encryption for data at rest and in transit, and adheres to strict physical security protocols for both data centers and employee devices. We provide customers with audit rights and notification options in the event of security incidents or compelled data requests.
Compliance with data privacy regulations: Rossum acts as a data sub-processor and fulfills all requirements for compliant processing of sensitive data under regulations such as the GDPR and CCPA. Compliance measures include maintaining a Data Protection Officer, implementing personal data handling policies (including processing, retention, and disposal), and offering Data Processing Agreements with Standard Contractual Clauses. Additionally, Rossum follows the GDPR’s requirements for data sub-processors, ensuring that all of our sub-processors (e.g., cloud providers) meet the same stringent security standards.
How does Rossum protect against security threats like phishing and malware?
Keeping your data secure is our top priority at Rossum. That’s why we’ve built robust security measures right into our platform.
When it comes to emails, we use a combination of DMARC checks and configurable filtering to stop spoofing attempts and filter out potentially risky messages before they reach your inbox.
We also understand the potential risks associated with AI. That’s why Rossum’s models are built completely in-house, eliminating the chance of data leaks to third-party models.
Finally, Rossum’s system is designed to process only the data points you define. Any invalid or suspicious content gets automatically removed, further protecting you from malware and other security threats.
Is my data secure when transferred between Rossum and other systems (e.g., SAP, Coupa, Workday)?
Rossum’s AI converts image-based files into text strings, which are then passed to the downstream system. No file can be hidden in the system, and the AI extracts only the fields you have defined. The system rejects anything that is not valid, so the data remains secure when transferred between Rossum and other systems.