
Security compliance


Control Environment


Control Activities Expected to be Implemented by Cloud Providers | Applicable Trust Criteria
--- | ---
Cloud providers are responsible for restricting logical and physical access to data center facilities, backup media, and other system components including firewalls, routers, and servers. | CC6.1, CC6.2, CC6.3, CC6.4, CC6.5, CC6.6, CC6.7, CC6.8, CC9.2
Cloud providers are responsible for implementing measures to prevent or mitigate threats consistent with the risk assessment. Additionally, cloud providers are responsible for evaluating the impact of a security incident, communicating the incident to impacted clients, remediating against incidents, and working towards prevention of future incidents. | CC3.1, CC3.3, CC4.1, CC4.2, CC6.3, CC6.8, CC7.2, CC7.3, CC7.4, CC7.5, CC9.1, CC9.2
Cloud providers are responsible for maintaining segregation of client environment(s) from other provider clients. | CC6.1, CC6.6
Cloud providers are responsible for maintaining the integrity of system logs and their associated configurations. Cloud providers must also monitor system components and operations to identify security incidents (both suspected and actual), in addition to indications of natural disasters. | CC5.3, CC7.1, CC7.2, PI1.4

Complementary User Entity Controls (CUEC)

Rubicon’s security controls cover only a portion of the overall list of controls for each of Rubicon’s SaaS products. It is not feasible for the control objectives related to these products to be achieved solely by Rubicon. Therefore, each entity’s controls must be evaluated in conjunction with Rubicon’s security controls, considering the related Complementary User Entity Controls (CUECs) expected to be implemented at the client organization as described below.

Complementary User Entity Controls | Related Trust Criteria
--- | ---
Clients are responsible for demonstrating a commitment to integrity, ethical values and action, and confidentiality. Clients hold individuals at all levels within their organization accountable for control responsibilities in pursuit of business objectives and security. | CC1.1, CC1.3, CC1.5

Complementary Subservice Organization Controls (CSOC)

Rubicon’s security controls cover only a portion of the overall list of controls for each of Rubicon’s SaaS products. It is not feasible for the control objectives related to these products to be achieved solely by Rubicon. Therefore, each entity’s controls must be evaluated in conjunction with Rubicon’s security controls, considering the related Complementary Subservice Organization Controls (CSOCs) expected to be implemented at the subservice organization as described below.

Cloud Computing Service Provider(s): Rubicon utilizes subservice organizations for Cloud Computing Services (“cloud providers”). These cloud providers are responsible for providing physical and environmental security controls, access to its systems, infrastructure, and other applicable components, and incident response related to security incidents. Cloud providers are responsible for segregating Rubicon’s environments from other customers. The cloud providers document all areas of responsibility. Rubicon reviews the cloud providers’ security documentation as part of the company’s Third-Party Vendor Management policy and controls.

CSOCs are controls that Rubicon assumes will be implemented by the subservice organization because they are necessary to achieve one or more of the Trust Services Criteria stated in this report. The subservice organizations significant to Rubicon’s services, together with the applicable trust services criteria intended to be met by controls at the subservice organization in combination with controls at Rubicon, are listed in the table of control activities expected to be implemented by cloud providers above.

*Note: that listing should not be regarded as a comprehensive list of all controls that should be employed by this or any other subservice organization.
