Our compliance program is a reflection of this commitment as we continuously invest in and strengthen our security measures. Our clients can trust us to be a responsible intermediary that always safeguards their sensitive information.
Rokt's controls framework is comprehensive and robust, covering all aspects of information security and privacy. Our technical controls ensure the protection of our systems and data, while our non-technical controls address processes and policies. Our privacy controls ensure the protection of personal information and compliance with applicable regulations.
Rokt has implemented internal policies and controls to ensure that personal information is protected and only accessible by authorized Rokt employees in the performance of their duties. Where Rokt engages third parties to process consumer data on its behalf (see our subprocessors), they do so in accordance with our written instructions under a duty of confidentiality. Rokt requires these third parties to implement appropriate technical and administrative measures to ensure the data is secure.
More specifically, Rokt maintains:
- Confidentiality by ensuring that only people who are authorized to use the data can access it.
- Integrity by ensuring that data is accurate and suitable for the purpose for which it is processed.
- Availability by ensuring that authorized users are able to access and use the data they need for authorized purposes in a timely and reliable manner.
Rokt takes an enterprise approach to security that monitors controls at different layers throughout the organization, including, but not limited to, physical security, network security, endpoint security, software development security, and user account security.
Rokt maintains a world-class information security and privacy program that is independently assessed on a regular basis against industry standards, including ISO/IEC 27001, AICPA SOC 2, and SOC 1. The program follows established principles such as ‘security and privacy by design and by default’ and ‘defense in depth’ to apply the most effective approach for safeguarding information assets.
Rokt’s primary objective is to achieve a high bar of excellence in the marketplace by following applicable laws, adhering to regulations, maintaining appropriate security measures, and protecting the rights and freedom of consumers.
ISO/IEC 27001 certified
This is an international standard for information security management, specifying the requirements for establishing, implementing, maintaining, and continually improving information security management systems (ISMS). It provides a systematic approach to managing and protecting sensitive information, such as personal and confidential business information.
Rokt products and services are ISO certified through Lloyd’s Register and independently audited annually to maintain certification.
AICPA SOC 2/SOC 1 Type 2 reporting
These are audit and reporting standards developed by the American Institute of Certified Public Accountants (AICPA). SOC 2 assesses Rokt’s security, availability, confidentiality, and privacy controls. SOC 1, on the other hand, focuses on financial reporting controls.
Rokt is audited against both standards annually through A-LIGN to demonstrate the effectiveness of its internal controls and provide assurance to our clients and stakeholders.
Visit Rokt’s Compliance Portal to access our assurance documentation.
As a global organization with operations in North America, APAC, and EMEA, Rokt is subject to the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and Japan's Act on the Protection of Personal Privacy (APPI). Rokt is fully committed to complying with these and any other applicable laws.
Bug Bounty & Vulnerability Disclosure
In 2022, Rokt launched a private bug bounty program in collaboration with Bugcrowd. This program is a litmus test for our internal controls and helps us identify gaps before bad actors can find and exploit them. The program scope covers all critical assets that enable our products and services and is actively managed by our security team.
Additionally, we have published a vulnerability disclosure policy to allow ‘ethical hackers’ to report findings to our security team.
Please reach out to firstname.lastname@example.org if you have any questions or feedback about our program.