Security

Security Disclosures

If you believe you have discovered a potential vulnerability, email us at [email protected]. We will acknowledge your email within five business days.

Additionally, give us a reasonable amount of time to resolve the issue before disclosing it to the public or to a third party. We aim to resolve critical issues within one week of receiving a report.

We appreciate you making a good-faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Rollout service. Please interact only with accounts you own or for which you have explicit permission from the account holder.

Security Measures

Hosting

Rollout is hosted on Amazon Web Services (AWS), and all of our AWS servers are located in the United States. AWS data centers have physical access controls, logical access controls, and frequent independent third-party audits. Rollout employees have audited, as-needed access to the AWS infrastructure and any interfaces to it. Every employee has an individual (non-shared) user account and must use two-factor authentication to access infrastructure.

SOC 2 Compliance

Rollout is SOC 2 compliant. This means that we regularly undergo vulnerability testing, conduct background checks of new employees, have all employees go through security awareness training, and more. To access our SOC 2 report, please email us at [email protected].

Encryption

All data in transit between you and Rollout's servers is encrypted using HTTPS with TLS 1.2 or higher. All data at rest is stored encrypted and replicated for durability.

Availability

The Rollout platform uses properly provisioned, redundant servers (e.g. multiple load balancers, web servers, and replica databases) to gracefully handle the failure of individual nodes or of an entire data center. As part of regular maintenance, servers are rotated out of service without user-visible impact.

Business Continuity

Rollout keeps daily and point-in-time encrypted backups of data. Although we never expect it, in the event of production data loss we are able to restore customer data from these backups.

Incident Response

Rollout has deployed a variety of security and monitoring tools for its production systems. The security status of these systems is monitored 24x7, and automated alerts are configured for security and performance issues.

While we don't anticipate there being a breach of our systems, Rollout has put in place a Security Incident Response Plan, which details roles, responsibilities and procedures in case of an actual or suspected security incident.

Access Control

Rollout ensures that access to information and application system functions is restricted to authorized personnel only, and that production environments are strictly separated from development and testing environments.

Rollout employees are permitted to access User Data only when it is required to improve the service offering. In such cases, the Security Officer grants temporary access, and that access is revoked once it is no longer needed.

Personnel Security

Organizational security policies apply to all employees. Every employee must:

  • authenticate via single sign-on (SSO) or, where SSO is not available, generate and store passwords in our password manager;
  • use a workstation that adheres to Rollout's security policy, including device encryption, password complexity requirements, automatic screen lock, and up-to-date endpoint detection and response (EDR) or anti-virus software;
  • undergo a background check in accordance with local laws;
  • complete security awareness training during onboarding and at least annually.

Change Management

Changes to the platform are deployed through an automated continuous delivery system. Every change must pass a suite of automated tests and code review before it reaches the production environment.