Rokt Minimum Security Measures
Capitalised terms not otherwise defined in this document have the meanings assigned to them in the Agreement or DPA.
ID | Control title | Description |
Security & Privacy Governance (GOV) | ||
GOV-01 | Information security policy | Rokt’s information security policy covers all Rokt employees, contractors, service providers and external parties who access a controller’s personal data in Rokt’s possession, custody, or control. It covers personal data in transit, accessed or stored in any form (physical or electronic media), and covers all devices, workstations and servers (both virtual and physical) owned by Rokt and/or potentially connected to any part of Rokt’s environment. |
GOV-02 | Defined roles & responsibilities | Rokt has established an Information Security Management System (ISMS) with clear allocation of roles, each with defined responsibilities and authorities. Each of these roles is allocated to specific individuals or groups. Our Chief Security Officer (CSO) is responsible for security at an executive level, supported by our VP, Cybersecurity - GRC, and others comprising our Information Security Steering Group. |
GOV-03 | Periodic review & update of cybersecurity & data protection program | Periodic compliance audits are conducted to verify alignment with regulatory and organizational security standards. Findings are documented and addressed to ensure ongoing adherence and continuous improvement in compliance practices. |
Identification & Authentication (IAC) | ||
IAC-01 | Physical access controls | Rokt staff do not have physical access to the systems holding personal data, since all personal data is hosted in secured Amazon Web Services (AWS) data centers [1]. The primary data center is in Oregon (USA), with additional data centers in the international markets where Rokt operates, where personal data may be cached to improve performance. |
IAC-02 | Unique identifiers and least privilege | The Rokt email address is the unique identifier against which all systems authenticate. Individual (per-user) logins are required for all systems. All Rokt core applications use Google single sign-on with enforced two-factor authentication. Rokt applies the principle of least privilege to account management: access to personal data is granted only to users who require it, only to the extent needed to perform specific duties, and is revoked when no longer required. Regular user access audits and an automated employee exit process ensure ongoing compliance. |
IAC-03 | Password policy | All staff must use an approved password manager to generate strong random passwords and to avoid credential re-use and unsafe handling. Passwords must be at least 16 characters long and include at least one uppercase letter, one lowercase letter and one special character. |
IAC-04 | User provisioning & de-provisioning | Rokt conducts regular access reviews to ensure user permissions are appropriate and aligned with their current roles and responsibilities. This process helps identify and mitigate risks associated with unauthorized access, maintaining the principle of least privilege. |
Cryptographic Protections (CRY) | ||
CRY-01 | Secure data storage | Rokt hosts all its infrastructure in AWS data centers. All personal data is encrypted in the application layer using AES-256 before being written to storage. Envelope encryption is used with different encryption keys per consumer and client. Consumer encryption keys are, in turn, encrypted with a master key using AES-256. |
CRY-02 | Secure data transfer | All transfers of personal data occur over secure protocols: HTTPS (TLS 1.2), SFTP, or IPsec VPN. Any unencrypted connection request is either upgraded to a secure connection or dropped. |
CRY-03 | Key management | Cryptographic keys are stored in AWS KMS (HMAC) or AWS Secrets Manager, with IAM policies enforcing least-privilege access. Retired keys are kept in a secure password vault to which only selected engineers have access. All keys are rotated on a regular schedule. |
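How the envelope scheme described in CRY-01 fits together with the key rotation in CRY-03, as an added worked example rather than Rokt's own code: every consumer gets its own AES-256 data key, that data key is stored only after being wrapped under a master key, each record is sealed under the consumer's data key before it is written to storage, and rotating the master key means re-wrapping each data key rather than re-encrypting the stored records. The function names (NewKey, WrapDataKey, EncryptRecord, DecryptRecord, RewrapDataKey) and the in-process master key are assumptions made for illustration; in AWS the master key stays inside KMS and wrapping and unwrapping happen through KMS API calls, but the data flow is the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewKey returns 32 random bytes, i.e. an AES-256 key. It is used both for the
// master key and for per-consumer data keys.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh random nonce; output is nonce||ct||tag.
// aad is authenticated but not encrypted; here it carries the consumer ID.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal and fails on any change to nonce, ciphertext, tag or aad.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// WrapDataKey generates a data key for one consumer and returns it encrypted
// under the master key. Only the wrapped form is ever written to storage.
// (Hypothetical stand-in for a KMS GenerateDataKey call.)
func WrapDataKey(master []byte, consumerID string) ([]byte, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	return seal(master, dek, []byte(consumerID))
}

// EncryptRecord unwraps the consumer's data key with the master key, then seals
// the record under the data key (the application-layer step before storage).
func EncryptRecord(master []byte, consumerID string, wrappedKey, record []byte) ([]byte, error) {
	dek, err := unseal(master, wrappedKey, []byte(consumerID))
	if err != nil {
		return nil, err
	}
	return seal(dek, record, []byte(consumerID))
}

// DecryptRecord fails if the wrapped key or the record belongs to another
// consumer, or if either has been modified.
func DecryptRecord(master []byte, consumerID string, wrappedKey, sealed []byte) ([]byte, error) {
	dek, err := unseal(master, wrappedKey, []byte(consumerID))
	if err != nil {
		return nil, err
	}
	return unseal(dek, sealed, []byte(consumerID))
}

// RewrapDataKey moves a wrapped data key from an old master key to a new one.
// Master-key rotation therefore re-wraps each data key and never touches stored records.
func RewrapDataKey(oldMaster, newMaster []byte, consumerID string, wrappedKey []byte) ([]byte, error) {
	dek, err := unseal(oldMaster, wrappedKey, []byte(consumerID))
	if err != nil {
		return nil, err
	}
	return seal(newMaster, dek, []byte(consumerID))
}
```

Two details are worth checking in any real implementation of this pattern: the consumer ID is passed as GCM associated data when the data key is wrapped and when each record is sealed, so a wrapped key or a ciphertext copied into another consumer's storage does not decrypt; and a plaintext data key only exists in memory between unwrap and seal, never at rest. After a master-key rotation the old wrapped keys stop working, which is why the wrapped keys must all be re-wrapped (and the old master retired, as CRY-03 describes) before the old master is removed.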
Physical & Environmental Security (PES) | ||
PES-01 | Working in secure areas | All Rokt offices are located in secure CBD buildings with security guards, CCTV surveillance, visitor sign-in, receptionists during business hours and swipe-card access outside business hours. |
Security Operations & Vulnerability Management (OPS & VPM) | ||
OPS-01 | Endpoint security | All workstations have antivirus/anti-malware software installed, disk encryption enabled, are regularly patched, have a strong password, and automatically lock the screen (requiring the password to unlock) after a short period of inactivity. Regular device audits are conducted to ensure full compliance. |
OPS-02 | Security event log monitoring | All user management and system access activities are recorded in a centralized log management and analysis platform and retained indefinitely. |
OPS-03 | Vulnerability management | An independent external security firm performs vulnerability assessments of web applications quarterly and of critical infrastructure annually. In addition, automated security scans run weekly. |
Vulnerability Patch Management (VPM) | ||
VPM-01 | Vulnerability & patch management | Regular system updates and security patches are applied to remedy bugs and vulnerabilities within internal SLAs based on severity. |
Network Security (NET) | ||
NET-01 | Virtual Private Cloud (VPC) | Each AWS operating environment has a single VPC with a non-overlapping IP address range, and each VPC is divided into two logical segments, an internal segment and a DMZ, that control exposure to the public Internet. |
NET-02 | Internal segmentation | The internal segment does not accept traffic originating from the Internet, but does allow traffic originating from our servers to reach the Internet via AWS NAT gateways. Application servers are deployed in the internal segment across multiple subnets, one per availability zone. |
NET-03 | Demilitarized zone (DMZ) segmentation | The DMZ segment allows network traffic between the Internet and our servers via an AWS Internet Gateway (IGW). Any application that must be reachable from the public Internet is fronted by an Elastic Load Balancer (ELB) in the DMZ segment, deployed across multiple subnets, one per availability zone in use. Internet traffic therefore reaches only the ELB in the DMZ, which forwards it to the application servers in the internal segment. |
NET-04 | Web Application Firewalls (WAF) | All Internet-facing web applications and APIs have a Web Application Firewall (WAF) enabled that detects and blocks common application layer attacks such as Cross-Site Scripting (XSS) and SQL injection (SQLi). |
Technology Development & Acquisition (TDA) | ||
TDA-01 | Secure development | Rokt has established a secure software development life cycle (SSDLC). |
TDA-02 | Environment segregation | Production and non-production environments are completely segregated and equally secured. |
TDA-03 | Non-production test data | Production data is never used for testing in non-production environments. |
TDA-04 | Vulnerability detection | Automated tools for vulnerability detection during the development lifecycle are in place. |
Incident Response (IRO) | ||
IRO-01 | Information security incident management | Rokt has an incident response procedure and related data breach response plan to ensure the appropriate identification, containment, eradication, recovery, prevention, and notification steps are undertaken. The incident management process includes a “learnings and improvements” step that feeds into our risk register and ISMS review process. |
Human Resources Security (HRS) | ||
HRS-01 | Employee screening | All Rokt employees and contractors undergo adequate screening, including criminal history checks, before gaining access to information. |
HRS-02 | Non-disclosure | All Rokt employees and contractors must sign a work agreement that includes non-disclosure and acknowledgment of all information security requirements for their role. |
HRS-03 | Awareness training | As part of Rokt’s onboarding procedure, all new starters must complete security and privacy awareness training, which includes modules relevant to all staff and engineering-specific ones. Awareness training must be renewed annually. |
HRS-04 | Disciplinary process | Rokt has an established disciplinary process for misconduct or severe non-compliance. |
HRS-05 | Clear desk & clear screen policy | Rokt’s onboarding includes training on a ‘clear desk and clear screen’ policy to protect sensitive information on both digital and physical devices (e.g., laptops, mobile phones, tablets). |
Business Continuity & Disaster Recovery (BCD) | ||
BCD-01 | BC/DR plan | Rokt has business continuity and disaster recovery plans for critical infrastructure in place. |
BCD-02 | Regular plan testing | Plans are regularly evaluated for suitability and effectiveness in an ever-changing threat landscape. |
BCD-03 | Data backups | Regular backups are automatically maintained, and all backup data is encrypted. |
Third-Party Management (TPM) | ||
TPM-01 | Third-party risk assessments | Material suppliers are assessed for their inherent risk profile, followed by a due diligence procedure where assurance documentation (e.g., industry-standard certifications, penetration tests, proof of cyber insurance) is obtained to determine the supplier’s security posture; significant findings lead to a remediation plan or rejection of the supplier. |
TPM-02 | Legal contract review | Supplier contracts are subject to a legal review to ensure minimum requirements are met. |
TPM-03 | Regular supplier review | Material suppliers are reviewed annually for possible changes in their risk profile and to request updated assurance documentation. |
Data Classification & Handling (DCH) | ||
DCH-01 | Data & asset classification | Rokt maintains comprehensive data governance policies that establish clear guidelines for the collection, processing, storage, and disposal of personal data. |
DCH-02 | Media & data retention | Data retention periods are defined, and secure disposal methods are enforced for data no longer needed to prevent unauthorized access or recovery. |
Asset Management (AST) | ||
AST-01 | Asset governance | Rokt has implemented mechanisms to maintain and manage approved hardware and software technologies. |
Mobile Device Management (MDM) | ||
MDM-01 | Management of mobile devices | Rokt has implemented mechanisms to govern Mobile Device Management (MDM) controls. |
- [1] Refer to https://aws.amazon.com/compliance/data-center/controls about AWS’ data center controls.