For Rossum, processing critical business data for enterprises worldwide is our bread and
butter. We are dedicated to upholding the highest standards of security, privacy, and
compliance for customer data.
To this end, we have developed and implemented a comprehensive set of policies,
procedures, and controls to ensure appropriate confidentiality, integrity, and availability
of your data as further described below.
Dedicated Security, Legal, and Compliance Teams
We have dedicated security, privacy, and compliance teams that implement and manage
our security and privacy programs. They engineer and maintain our defense systems,
develop review processes for security, and constantly monitor our networks to detect
suspicious activity. They also provide domain-specific consulting services and guidance
to our engineering teams.
We perform periodic internal audits and are assessed by accredited third parties.
Further, Rossum appoints a Data Protection Officer and implements personal data
handling policies, including data processing, retention, and disposal policies. For questions
about our data handling practices and GDPR compliance, please get in touch with our Data Protection Officer:
Data Protection Measures
We maintain appropriate technical and organizational measures, internal controls, and
information security routines that follow industry best practice and take into account the
state of technological development, in order to protect your data against accidental
loss, destruction or alteration, unauthorized disclosure or access, and unlawful destruction.
Such measures include, without limitation: vetting the reliability of employees who have
access to your data; limited access rights and access controls; strong
authentication; personnel training; regular backups; data recovery and incident
management procedures; restrictions on storing, printing and disposing of data; and technical
protection of the devices on which data is stored.
ISO 27001 Certification
Rossum is certified by an accredited third-party certification body and holds
ISO/IEC 27001:2013. In line with this certification, Rossum has developed
and implemented a comprehensive set of policies, procedures, and technologies to
ensure appropriate confidentiality, integrity, and availability of your data, including
penetration tests, vulnerability scans, secure development frameworks, access
management, supplier management, compliance processes, and employee security
SOC 2 Type II Report
Rossum successfully completed a System and Organization Controls (SOC) 2 Type II audit of
its platform, performed by an independent and accredited auditing firm. The report is based on
the Trust Services Criteria relevant to Security, Availability, Processing Integrity,
Confidentiality and Privacy set forth in TSP section 100, 2017 Trust Services Criteria for
Security, Availability, Processing Integrity, Confidentiality and Privacy, with the most recent report
covering the period November 17, 2021 to July 27, 2022.
We offer a HIPAA-compliant environment and a Business Associate Agreement (BAA) as a
Data Processing and Transfers
Data collected from you may be transferred to, stored in, and processed in the
European Union, specifically Ireland and the Czech Republic. Other locations are available as a
commercial option. See Data Center Locations below for the available EU and US deployment locations.
We have updated our internal data processing policies to reflect regulatory developments and ensure
compliance with the EU General Data Protection Regulation (GDPR), the California
Consumer Privacy Act (CCPA) and other applicable privacy laws and industry standards.
The updates aim to give you more information about, and more control over, your data.
Vendor and Supplier Ecosystem
We evaluate and qualify each vendor based on our Supplier Management Policy.
We onboard new vendors only after a rigorous risk assessment. We take appropriate
steps to ensure our security stance is maintained by establishing agreements that require
the vendors to adhere to the confidentiality, availability, and integrity commitments we have
made to our customers. We monitor that each vendor's processes and security measures
operate effectively by periodically reviewing its controls.
We have robust data processing agreements in place with all data sub-processors that
cover standard contractual clauses for GDPR compliance, set out Rossum's audit
rights, detail minimum security standards and measures (including state-of-the-art
encryption), and require access to their security audits and certificates (e.g. SOC 2, ISO
We also contractually require our vendors to provide us with prompt notice of any data
breach, security incident concerning processed data, or request for compelled disclosure
of processed personal data.
Data Center Locations
We store customer data primarily on servers provided by Amazon Web Services (AWS).
AWS is the trusted hosting provider for established internet services such as Netflix and for
enterprises such as Pfizer and Siemens. AWS maintains high security standards and
holds a range of certifications. Our data is located in data centers that are
SOC 1, 2 and 3 and ISO/IEC 27001:2013 compliant and periodically audited. More
information on AWS Cloud security can be found on the AWS Cloud Security pages.
We offer a choice of AWS regions based on your data residency requirements.
Within each region, our platform operates across multiple Availability Zones (physically
separate data centers) to ensure high availability.
Europe Data Center (default):
- Primary site: AWS region: eu-west-1 (Europe – Ireland)
- Data backup: AWS region: eu-central-1 (Europe – Frankfurt)
- Recovery site: AWS region: eu-central-1 (Europe – Frankfurt)
US Data Center:
- Primary site: AWS region: us-east-1 (N. Virginia)
- Data backup: AWS region: us-west-1 (N. California)
- Recovery site: AWS region: us-west-1 (N. California)
Our architecture is multi-tenant by default: tenant data is logically separated at rest, and strict tenant-scoping security filters are applied to every database query by default.
A single-tenant deployment with a dedicated database is available as a commercial
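The tenant isolation described above, modeled as an added example: a data-access layer in which every query to a shared table carries a bound tenant predicate, plus a guard that refuses any statement on a tenant-owned table that lacks one. This is illustrative code written for this page using an in-memory SQLite database; it is not Rossum's code and does not show how the Rossum platform implements its filters. The `documents` table, the tenant names, the sample rows and all function names are assumptions.

```python
import re
import sqlite3

# Constructed sample data: two tenants sharing one table. Not real customer data.
SAMPLE_DOCUMENTS = [
    (1, "acme", "ACME Q3 invoice"),
    (2, "acme", "ACME supplier contract"),
    (3, "globex", "Globex payroll export"),
]

# Hypothetical set of tables whose rows belong to a tenant.
TENANT_OWNED_TABLES = {"documents"}
_TENANT_PREDICATE = re.compile(r"\btenant_id\s*=\s*\?")


def build_shared_db():
    """In-memory SQLite stand-in for a shared multi-tenant database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_DOCUMENTS)
    conn.commit()
    return conn


def assert_tenant_scoped(sql):
    """Guard: a statement that touches a tenant-owned table must carry a bound
    tenant_id predicate. Raises instead of silently returning foreign rows."""
    lowered = sql.lower()
    touches_tenant_table = any(
        re.search(rf"\b{table}\b", lowered) for table in TENANT_OWNED_TABLES
    )
    if touches_tenant_table and not _TENANT_PREDICATE.search(sql):
        raise PermissionError(f"query is not tenant-scoped: {sql}")
    return sql


class TenantScopedRepository:
    """Every data-access path is bound to one tenant; callers cannot opt out."""

    def __init__(self, conn, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._conn = conn
        self._tenant_id = tenant_id

    def _run(self, sql, params):
        # The guard runs on every statement, so a new method that forgets the
        # predicate fails loudly in testing rather than leaking in production.
        assert_tenant_scoped(sql)
        return self._conn.execute(sql, params).fetchall()

    def list_titles(self, title_filter=None):
        # Caller-supplied filters are ANDed onto the tenant predicate; they can
        # narrow the result but never widen it across tenants.
        sql = "SELECT id, title FROM documents WHERE tenant_id = ?"
        params = [self._tenant_id]
        if title_filter is not None:
            sql += " AND title LIKE ?"
            params.append(f"%{title_filter}%")
        return self._run(sql, params)

    def get_title(self, doc_id):
        # A look-up by primary key alone is an IDOR; the tenant predicate stays.
        rows = self._run(
            "SELECT title FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self._tenant_id),
        )
        return rows[0][0] if rows else None


def unscoped_titles(conn):
    """The defect the guard exists to catch: no tenant predicate at all."""
    return conn.execute("SELECT id, title FROM documents").fetchall()


if __name__ == "__main__":
    db = build_shared_db()
    acme = TenantScopedRepository(db, "acme")
    print(acme.list_titles())    # only ACME's two rows
    print(acme.get_title(3))     # None: document 3 belongs to globex
    print(unscoped_titles(db))   # all three rows: a cross-tenant leak
    try:
        assert_tenant_scoped("SELECT id, title FROM documents")
    except PermissionError as err:
        print("blocked:", err)
```

The repository pattern is the enforcement point; the regex guard is a second, cheaper check that catches a query someone writes around the repository. In a real deployment the equivalent of the guard would be enforced in the database itself (for example row-level security policies keyed on a session tenant identifier), so that even a raw connection cannot read across tenants.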