
Information security and compliance

OVERVIEW

Security is the responsibility of everyone

Rubicon Holdings, LLC (“Rubicon”) is committed to information security and the protection of company and customer data, and believes security is the responsibility of everyone. Our Information Security Program is built around the Security category of the Trust Services Criteria published by the American Institute of CPAs (“AICPA”). Rubicon has successfully completed a SOC 2 Type 2 audit of the security program; the Type 2 audit covered our Software as a Service (SaaS) solutions. Our program consists of policies and controls covering access, asset management, internal audit and compliance, continuity, information and communication, organizational management, risk management, software development and change management, and security operations.

CERTIFICATIONS

Information security

Rubicon’s cybersecurity program is based on NIST SP 800-53 and other industry best practice frameworks and is supported by forty-one (41) policies and one hundred thirty-four (134) controls. Many of these policies and controls are audited and verified through the SOC 2 Type 2 audit process.

Control Environment

Rubicon understands the importance of demonstrating ethical values and integrity with a “Tone at the Top” mentality. Rubicon has established an Employee Handbook, Acceptable Use Policy, and Code of Conduct.

Rubicon’s Board of Directors (the “Board”) is ultimately accountable for independent oversight of Rubicon’s operations. The Board, through the Audit Committee, provides oversight of the internal controls that operate within Rubicon’s environment.

Rubicon’s Executive Leadership Team (“ELT”) is focused on providing value to customers. Security is recognized as a critical component of the company. Controls for security are recognized as key enablers for the delivery of value to the customer through our products and services. The ELT, through the leadership of the InfoSec Leadership and Continuity Committee (ILC2), oversees the day-to-day management of the company’s posture related to security, privacy, business continuity, and fraud and insider threat prevention.


The ELT is responsible for operational activities within Rubicon. Management has developed a formal organization chart delineating roles and responsibilities, reporting lines, and delegation of authority relating to the design, implementation, and operations as part of the Information Security Program.

Rubicon utilizes a cloud-based platform to manage its Information Security Program.

The ELT recognizes that highly skilled people are critical to success. Controls have been developed to support hiring, retaining, and developing competent personnel. Background checks are conducted for all employees joining the company. At least annually, the performance and development of personnel are evaluated by management to confirm that all personnel remain capable of fulfilling their responsibilities. Additionally, security awareness training is completed by employees at the time of onboarding and at least annually thereafter.

A formal Change Management and Software Development Lifecycle (SDLC) process is defined to control the design, development, testing, and implementation of fixes and improvements to Rubicon applications and infrastructure.

Logging and monitoring tools are used to monitor system capacity and performance against defined thresholds. Alerts are enabled for conditions or events that exceed these thresholds and are investigated and resolved in a timely manner. Interested parties can also track system and application availability on our Status Page and subscribe to updates there.

Incident management policies and procedures, as well as an incident response plan, have been established and implemented. These policies and plans are reviewed and tested at least annually, or as needed.

Documented data backup and retention policies and processes exist and have been made available to guide the relevant staff in executing the controls over these processes. Cloud-based solutions are used to take snapshots of critical application and system data and components. Snapshots are automated and taken to mitigate the risk of disruption and to meet defined Service Level Agreements (SLAs).

Rubicon has a vulnerability management program that follows industry best practice configurations and patching timelines. Configuration and patch management processes are in place to confirm that systems are securely configured and patched. Rubicon’s workforce is secured using the principle of least privilege and current best-of-breed security operational controls including, but not limited to, multi-factor authentication (MFA), anti-malware protection, and artificial-intelligence-driven alerting and blocking. Rubicon also employs independent third-party penetration testing, which is conducted quarterly. Tabletop exercises for incident response and business continuity management are conducted annually.

Rubicon performs an annual risk assessment, which requires both the identification of risks and the appropriate risk reduction measures needed to be implemented and maintained to address such risks. The assessment process identifies risks related to security, privacy, business continuity, and fraud and insider threat prevention. Identified risks along with mitigation strategies are documented and implemented by the organization. Rubicon assesses risk by calculating the likelihood and impact of an identified risk, and then a risk handling strategy is assigned to the identified risk; these include mitigate, avoid, accept, and transfer.

Potential third parties are screened against specific risk factors based on the service(s) or product(s) being procured, in accordance with Rubicon’s vendor management process. Existing third parties are evaluated based on performance and compliance with SLAs. Non-disclosure and confidentiality commitments must be signed by any third party with which Rubicon intends to engage, and every third party with which Rubicon conducts business must be governed by a formal agreement.

Internal policies and controls are reviewed at least annually. Controls are tested through an internal control assessment and identified deficiencies are addressed in a timely manner. Internal audits are conducted, and findings are reported and reviewed by the ILC2.

All systems and applications are governed by a formal access control policy. The policy is designed around Role-Based Access Control (RBAC), separation of duties, and the principle of least privilege. The policy is backed by strong password complexity requirements, multi-factor authentication (MFA), access audits, and other technical controls.

All full-time employees complete security awareness training at the time of onboarding and annually thereafter. Rubicon also conducts and participates in tabletop exercises, compromise assessments, breach readiness assessments, managed threat hunts, and other types of exercises. Rubicon also uses current news, metrics, and data to inform its employees of risk, best practices, and business continuity (BCMS) issues.

Complementary Subservice Organization Controls (CSOC)

Rubicon’s security controls cover only a portion of the overall set of controls for each of Rubicon’s SaaS products. It is not feasible for the control objectives related to these products to be achieved solely by Rubicon. Therefore, each entity’s controls must be evaluated in conjunction with Rubicon’s security controls, taking into account the Complementary Subservice Organization Controls (CSOCs) expected to be implemented at the subservice organization, as described below.

Cloud Computing Service Provider(s): Rubicon uses subservice organizations for cloud computing services (“cloud providers”). These cloud providers are responsible for physical and environmental security controls, for access to their own systems, infrastructure, and other applicable components, and for incident response to security incidents affecting those components. Cloud providers are responsible for segregating Rubicon’s environments from those of other customers. The cloud providers document all areas of responsibility, and Rubicon reviews the cloud providers’ security documentation as part of the company’s Third-Party Vendor Management policy and controls.

CSOCs are controls that Rubicon assumes will be implemented by the subservice organization because they are necessary to achieve one or more of the Trust Services Criteria described here. The subservice organization significant to Rubicon’s services, together with the applicable Trust Services Criteria intended to be met by controls at the subservice organization in combination with controls at Rubicon, is as follows:

*Note: The listing presented below should not be regarded as a comprehensive list of all controls that should be employed by this or any other subservice organization.

Control Activities Expected to be Implemented by Cloud Providers | Applicable Trust Criteria
Cloud providers are responsible for restricting logical and physical access to data center facilities, backup media, and other system components including firewalls, routers, and servers. | CC6.1, CC6.2, CC6.3, CC6.4, CC6.5, CC6.6, CC6.7, CC6.8, CC9.2
Cloud providers are responsible for implementing measures to prevent or mitigate threats consistent with the risk assessment. Additionally, cloud providers are responsible for evaluating the impact of a security incident, communicating the incident to impacted clients, remediating incidents, and working towards the prevention of future incidents. | CC3.1, CC3.3, CC4.1, CC4.2, CC6.3, CC6.8, CC7.2, CC7.3, CC7.4, CC7.5, CC9.1, CC9.2
Cloud providers are responsible for maintaining segregation of client environment(s) from other provider clients. | CC6.1, CC6.6
Cloud providers are responsible for maintaining the integrity of system logs and their associated configurations. Cloud providers must also monitor system components and operations to identify security incidents (both suspected and actual), in addition to indications of natural disasters. | CC5.3, CC7.1, CC7.2, PI1.4
Cloud providers are responsible for demonstrating integrity and ethical values and actions in relation to their operations and with clients. | CC1.1
Cloud providers are responsible for demonstrating independent governance and oversight from management. Cloud providers are responsible for holding individuals at all levels accountable for their operating and security controls. Cloud providers are also responsible for the management of any third-party vendors with access to customer environments. | CC1.2, CC1.3, CC1.4
Cloud providers are responsible for communicating with clients (as needed) regarding matters affecting functionality and security and operating controls. | CC2.3
Cloud providers are responsible for identifying changes that could significantly impact the system of security controls, including the effects, both positive and negative, on their clients. | CC3.4, CC8.1
Cloud providers are responsible for monitoring environmental conditions (temperature, fire, and water), leak detection, UPS battery life and capacity, and other key equipment to help maintain the availability of services. | A1.2
Cloud providers are responsible for the backup and recovery of data in their environment and for notifying Rubicon of any issues regarding the availability or integrity of their backup data. | A1.2

Complementary User Entity Controls (CUEC)

Rubicon’s security controls cover only a portion of the overall set of controls for each of Rubicon’s SaaS products. It is not feasible for the control objectives related to these products to be achieved solely by Rubicon. Therefore, each entity’s controls must be evaluated in conjunction with Rubicon’s security controls, taking into account the Complementary User Entity Controls (CUECs) expected to be implemented at the client organization, as described below.

*Note: The listing presented below should not be regarded as a comprehensive list of all controls that should be employed by this or any other user entity.

Complementary User Entity Controls | Related Trust Criteria
Clients are responsible for demonstrating a commitment to integrity, ethical values and actions, and confidentiality. Clients hold individuals at all levels within their organization accountable for control responsibilities in pursuit of business objectives and security. | CC1.1, CC1.3, CC1.5
Clients are responsible for reviewing and acting upon (as needed) Rubicon’s communications regarding system changes, maintenance windows, or other matters impacting security. | CC2.2, CC2.3
Clients are responsible for processing data, and for the accuracy of such data, in accordance with their corporate confidentiality policies. Additionally, clients are responsible for implementing general controls over access to, and activities within, the SaaS product(s). | CC3.2, CC5.2, CC5.3
Clients are responsible for assigning usernames and passwords to authorized users, activating MFA if deemed necessary, and maintaining the confidentiality of login credentials. | CC6.1
Clients are responsible for periodically reviewing end users’ access to the SaaS product(s) for validity and appropriateness and making corrective changes in a timely manner. | CC6.2, CC6.3
Clients restrict the transmission, movement, and removal of client information as needed and are responsible for issuing best practices for the creation and transmission of client data. | CC6.7
Clients are responsible for granting physical access to their facilities and protected information assets. | CC6.4, CC6.5
Clients are responsible for deploying security controls related to their operations both to protect against and to detect security incidents, and for acting upon security incidents, whether suspected or actual. | CC6.8
Clients are responsible for monitoring operations and operating data to identify anomalies and indications of security incidents, natural disasters, etc. | CC7.2
Clients must evaluate suspected or actual security incidents, act to remediate and resolve them, and work to prevent future incidents of a similar nature. | CC7.3, CC7.4, CC7.5

Privacy

Rubicon understands the importance of keeping data private. Our Privacy Policy is published on our website. Rubicon strives to maintain control of data through implemented privacy controls. These controls have been developed with the help of third-party experts and follow the requirements of the CCPA and GDPR as they apply to Rubicon in its role as a data processor. As such, the customer or data subject retains ownership of and control over their data, while Rubicon is responsible for processing that data on their behalf. Additionally, the customer, consumer, or data subject, hereinafter referred to as the “Customer”, is responsible for any controls identified as a Complementary User Entity Control (CUEC) above. Rubicon has taken steps to self-certify compliance with applicable data protection laws and has commissioned an independent assessment of the privacy program.

PRIVACY

Privacy operations

Our privacy program includes the following operating controls:

  • Annual review of Rubicon’s published Privacy Policy, in addition to reviews of all other privacy-related policies including data protection, internal privacy, data classification, retention and disposal, data and information handling, access control, and the like
  • Obtaining data collection consent from Customers
  • Defined procedures for data requests and responses to inquiries, including the rejection of privacy requests that are not legally binding
  • Ensuring Customer data is (i) not used in non-production environments, (ii) retained in the jurisdiction where the Customer resides, and (iii) processed and handled according to Customer requirements and/or applicable law
  • 256-bit encryption of data in transit and at rest, with keys managed in a Key Management System (KMS)
  • Internal audits focusing on the effectiveness of privacy policies and controls

Business continuity and resiliency

Rubicon has implemented a Business Continuity Management System (BCMS) which focuses on the delivery and maintenance of its SaaS products and services. The BCMS employs key pillars for continuity and resiliency including Business Impact Analyses (BIA), Business Continuity Plans (BCP), our Business Continuity Policy, Program Governance, Crisis Management, Internal Audit, and our Statement of Applicability (SoA).


BCMS

The BCMS focuses on the impact of an incident or disruption on the processes, procedures, and activities behind our SaaS products and services, measured in financial, operational, reputational, and legal and regulatory terms. The management of Rubicon’s BCMS includes the following:

  • A Program Governance Manual which defines the purpose of Rubicon’s BCMS, the context of the organization, legal and regulatory requirements, the program scope, risk assessment and consideration of risk, change management, awareness, training and exercising, communication, documentation, operational planning and controls, performance monitoring, maintenance and continuous improvement, management review, internal audit, and non-conformance and corrective action.
  • Annual reviews of each function’s documented BIA, including key activities and processes and their peak periods, calculated Maximum Tolerable Periods of Disruption (MTPD), calculated Recovery Time Objectives (RTO), and Minimum Business Continuity Objectives (MBCO). BIAs also assess critical dependencies on other business units, suppliers, and information assets. Furthermore, each BIA considers the impact and likelihood (“probability”) of the loss of (i) the physical working site, (ii) technology and communications services, (iii) employees, and (iv) key business partners.
  • Annual reviews of each function’s documented BCP. These reviews focus on operational activities and outcomes in the event of an incident or disruption. Each BCP defines generic tasks associated with activation of a function’s BCP, in addition to unit- or function-specific tasks to commence once a BCP is activated. Each BCP also outlines the strategies and solutions for a disruption to sites, technology and communications services, loss of employees, and loss of key business partners.
  • A Crisis Management plan and communications playbook which outlines how Rubicon approaches crisis communications, understanding the landscape of a crisis, roles and responsibilities, scenario handling, and pre-approved messaging for communications to interested parties.
  • Annual functional leadership reviews, annual awareness, exercising and testing, and management reviews.

Service Availability

Rubicon’s Service Availability (“SA”) commitment for a given calendar month is 99.5%. This commitment is calculated as follows:

SA = (Total Time – Unplanned Outage – Planned Maintenance) / (Total Time – Planned Maintenance) × 100

The values in the formula above are defined as follows:

  • Total Time is the total number of minutes in the month.
  • Unplanned Outage is the total number of minutes the service is unavailable due to unplanned outages in the month.
  • Planned Maintenance is the total number of minutes of planned maintenance in the month. Currently, Planned Maintenance is four (4) hours for weekly maintenance, four (4) hours for monthly maintenance, and four (4) hours for quarterly maintenance. Rubicon’s current weekly maintenance begins at 10:00 p.m. (Eastern) on Fridays; monthly maintenance begins at 02:00 a.m. (Eastern) on Saturday; and quarterly maintenance begins at 06:00 a.m. (Eastern) on Saturday. All times are subject to change upon reasonable notice. If actual maintenance exceeds the time allotted for Planned Maintenance, the excess is counted as Unplanned Outage. If actual maintenance is less than the time allotted for Planned Maintenance, the unused time is not applied as a credit to offset any Unplanned Outage time for the month. The measurement point for Service Availability is the availability of the Rubicon Service. Clients may request an availability report once per month.
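The following Python is an added worked example of the SA calculation above, not code from Rubicon; it applies the two maintenance rules (an overrun counts as Unplanned Outage, an underrun is not credited) and computes the monthly Unplanned Outage budget the 99.5% commitment leaves. The Planned Maintenance allotment counts one four-hour weekly window per Friday in the month plus the four-hour monthly window, attributes each window to the month in which it starts, and takes a `quarterly` flag from the caller because the page does not say which months carry the quarterly window; all three are assumptions. The input figures are constructed for illustration.

```python
import calendar

COMMITMENT_PERCENT = 99.5            # monthly Service Availability commitment
MAINTENANCE_WINDOW_MINUTES = 4 * 60  # each window (weekly, monthly, quarterly) is four hours


def total_minutes(year: int, month: int) -> int:
    """Total Time: every minute in the calendar month."""
    days_in_month = calendar.monthrange(year, month)[1]
    return days_in_month * 24 * 60


def allotted_planned_maintenance_minutes(year: int, month: int, quarterly: bool = False) -> int:
    """Planned Maintenance allotment for the month.

    Assumptions (not stated on the page): one weekly window per Friday in the
    month, each window attributed to the month it starts in, and the quarterly
    window present only when the caller passes quarterly=True.
    """
    fridays = sum(1 for week in calendar.monthcalendar(year, month) if week[calendar.FRIDAY] != 0)
    windows = fridays + 1 + (1 if quarterly else 0)
    return windows * MAINTENANCE_WINDOW_MINUTES


def service_availability(total: int, unplanned_outage: int,
                         allotted_maintenance: int, actual_maintenance: int) -> float:
    """SA = (Total - Unplanned - Planned) / (Total - Planned) * 100.

    Maintenance that overruns its allotment is added to Unplanned Outage.
    Maintenance that underruns is not credited: Planned Maintenance stays at
    the allotment, so a short window never lowers the Unplanned figure.
    """
    overrun = max(0, actual_maintenance - allotted_maintenance)
    unplanned = unplanned_outage + overrun
    planned = allotted_maintenance
    measured = total - planned
    if measured <= 0:
        raise ValueError("planned maintenance cannot consume the whole month")
    return (total - unplanned - planned) / measured * 100


def unplanned_outage_budget_minutes(total: int, allotted_maintenance: int,
                                    commitment: float = COMMITMENT_PERCENT) -> float:
    """Minutes of Unplanned Outage the month can absorb before SA drops below the commitment."""
    return (total - allotted_maintenance) * (100 - commitment) / 100


def meets_commitment(sa: float, commitment: float = COMMITMENT_PERCENT) -> bool:
    return sa >= commitment


if __name__ == "__main__":
    # Constructed scenario: March 2024 (31 days, five Fridays), 100 minutes of
    # unplanned outage, and maintenance that ran 60 minutes past its allotment.
    year, month = 2024, 3
    total = total_minutes(year, month)                          # 44640
    allotted = allotted_planned_maintenance_minutes(year, month)  # 6 windows = 1440
    sa = service_availability(total, unplanned_outage=100,
                              allotted_maintenance=allotted, actual_maintenance=allotted + 60)
    print(f"SA = {sa:.3f}%  meets 99.5%: {meets_commitment(sa)}")
    print(f"Unplanned Outage budget this month: {unplanned_outage_budget_minutes(total, allotted):.0f} min")
```

With the planned windows excluded from the denominator, a 31-day month leaves about 216 minutes (roughly three and a half hours) of Unplanned Outage before the 99.5% commitment is missed; the overrun rule means a maintenance window that runs long eats directly into that budget.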

For Disaster Recovery (DR), Rubicon commits to a Recovery Time Objective (RTO) of twelve (12) hours, measured from the time the Rubicon Service becomes unavailable until it is available again, and to a Recovery Point Objective (RPO) of one (1) hour, measured from the first lost transaction to the time the Rubicon Service became unavailable.

Interested parties can monitor service availability by navigating to our Status Page and opting into subscription updates.

Fraud and Insider Threat Protection

Rubicon understands the criticality of financial compliance and the importance of financial security. We continue to drive improvements in the fundamental controls supporting logical security, physical security, change management, technology operations, access management, and data protection. Activities supporting fraud prevention and insider threat protection include:

  • Initial creation of Rubicon’s Insider Threat Program
  • Tabletop exercises for fraud detection and activation of insider threat procedures
  • SOPs, workflows, and functional knowledge for managing litigation holds and e-discovery campaigns
  • Policies for insider threats, access control, incident response, change management, third-party management, backup and restoration, processing integrity, etc.
  • Controls supporting access authorization, review, and revocation; Data Loss Prevention (DLP); change authorization and management; data migration; emergency changes; segregation of duties; segregation of environments; password complexity; vendor management; reporting; interfaces and protocols; code of conduct; etc.
  • Environmental restrictions on data sharing through removable media, zero-trust agent deployment to all workstations, and restrictions on data collaboration through the Microsoft product suite to mitigate data loss
  • Background and reference checks performed on all full-time employees (FTEs)

Have questions?

Get in touch with our Compliance team

Contact us