Security Policy

We have created a general information security policy and specific policies for related topics and are working to put them in place. These policies are necessary to set up secure processes and demonstrate our compliance with industry standards towards our customers. You can also find the annual acknowledgment forms here.

In case of any questions, contact the security team. More information on this page

Do you want a short summary? You can find a security one pager here!

Mandatory Acknowledgment & Secure Configuration

Because we all must follow our security policies, we have set up GoogleForms that you can fill out and submit. Use the following 3 checklists to set yourself up securely:

  • Policy Acknowledgment, an acknowledgment for our current policies. Mandatory to complete annually by all employees
  • Security configuration, a checklist to set up a basic secure configuration of your tools. Mandatory to complete annually by all employees.

Overall Security Policy

Overall Management intention on security and baseline for our security management system.

Purpose

Rocket.Chat places a great emphasis on protecting its information. Such information includes e.g. information we manage on behalf of our customers, personnel files, our intellectual property.

At Rocket.Chat, we aim to ensure at all times that information we manage is appropriately secured to protect against the consequences of breaches of confidentiality, failures of integrity or interruptions to the availability of that information.

Our objectives are:

  • We will meet all applicable requirements in properly protecting our information, including: laws, regulations, industry standards and contractual commitments
  • The protections we apply to information assets will be in proportion to the value and sensitivity of the information, and will balance the sensitivity of the information against the cost of controls, the impact of the controls on the effectiveness of business operations and the risks against confidentiality, integrity and availability of the information
  • We will ensure that these controls are accepted by all employees, vendors, service providers, representatives and associates of our company who may have access to our information. This includes ensuring that all personnel at all levels are aware of, and are held accountable for safeguarding information assets
  • We will identify and mitigate any breaches to this policy.
  • We aim to continually improve our security practices over time.

Applicability and Ratification

This information security policy provides management direction and support for information security across the organisation. Specific, subsidiary information security policies, procedures and guidelines are considered an integral part of this information security policy, because only when followed in its entirety, we can ensure the objectives of this policy are met. This policy has been ratified by Rocket.Chat´s management team and forms part of its policies and procedures. It is applicable to and will be communicated to our staff, contractors, students and other relevant parties.

Responsibilities

Everyone handling Rocket.Chat information has the responsibility to keep the information safe, no matter where the information is located. This includes our staff members, contractors, students, etc., but also our suppliers (e.g. those that provide us with our tools to work) and other recipients of that information.

To determine the appropriate levels of security measures applied to information systems, a process of risk assessment is carried out to identify the probability and impact of security failures.

To manage information security within the organisation an information security oversight committee is established, chaired by Rocket.Chat´s Security Lead and consisting of senior members of our relevant teams. The objective of this committee is to ensure that there is clear direction and visible management support for security initiatives. This oversight group shall promote security through appropriate commitment and adequate resourcing.

An information security working party, comprising management representatives from all relevant parts of the organisation, shall devise and coordinate the implementation of information security controls. The responsibility for ensuring the protection of information systems and ensuring that specific security processes are carried out shall lie with the head of the department managing that information system.

Specialist advice on information security is available throughout the organisation. Any member of the organization can contact his manager or directly Rocket.Chat´s Security Lead.

Rocket.Chat will establish and maintain appropriate contacts with other organisations, law enforcement authorities, regulatory bodies, and network and telecommunications operators.

Violations of our policies will be handled in accordance with the severity of the violation and applicable rules and regulations, including up to termination of contract for severe violations.

Review

This policy is reviewed and updated regularly to ensure that it remains appropriate in the light of any relevant changes to the law, our other policies or contractual obligations. We will inform relevant parties about the updates.

The implementation of the information security policy shall be reviewed independently of those charged with its implementation.

Security Special Policies

The following are subpolicies related to specific areas and supplement the general policy.

Organization

We maintain a RASCI-chart that contains the responsibilities around information security. Conflicts of interest in these responsibilities must be avoided and tasks that create these conflicts be assigned to different persons. Where this is not possible, compensating controls (e.g. four-eyes principle) should be considered.

Current conflicting roles identified:

  • The roles of data protection officer and security lead are currently taken by one person and cases of conflict of interest will be raised to the management team to resolve.

The company maintains relevant contacts with authorities and agencies, those relevant for Rocket.Chat being mostly:

  • Data protection agencies
  • NIST
  • ISO
  • Open Source Community

In project management, the project leads are responsible to ensure security is properly addressed in a project.

Personnel Security

All personnel is screened before entering a position and subject to a Terms of employment, including a duty of confidentiality. The screening process is in relation to the applicable laws and regulations as well as the requirements of the position. All personnel is subject to contractual terms that describe their duties. The Information Security Team ensures that all personnel is aware of Rocket.Chat´s Security policies. Personnel that is leaving Rocket.Chat must certify that all assets have been returned to the company and then will be de-registered from the user directories.

The details of these processes are implemented and the records kept by the Human Resources Team.

Asset Management

All assets must be inventoried. An asset is something of value for Rocket.Chat (e.g. information itself, a device, intellectual property). We maintain a list of all devices and all software used, including additional information relevant per type of asset. References to sublists for assets (e.g. virtual machine inventories, mobile device lists) are allowed and should be referenced. The amount of effort needed to maintain a detailed list of assets should correspond to the criticality of the asset.Assets must be returned to Rocket.Chat once an owner leaves the organization. Ownership of an asset and the risks associated with an asset are separated to focus on overarching risk mitigation without boundaries between assets.

The lists of assets can be found here.

Data Classification & Lifecycle Policy

This section is about how we classify various elements of data and how to treat them regarding their criticality. You might have seen documents containing footers like “confidential” / “top secret”, etc. This section focusses on general aspects of handling data.

Scope:

This data classification policy applies to all data and to all user-developed data sets and systems that may access these data, regardless of the environment where the data reside (including cloud systems, servers, personal computers, mobile devices, etc.). The policy applies regardless of the media on which data reside (including electronic, microfiche, printouts, CD, etc.) or the form they may take (text, graphics, video, voice, etc.) Your private opinion, e.g. what you share on social media under your personal name, is not in scope of this policy. You should always make clear if you are posting in the name of Rocket.Chat or privately, if the context leaves room for ambiguity.

Classifications:

All data you create, modify, receive or otherwise process in connection with Rocket.Chat, must be handled confidentially and protected according to the risk related to it. (Confidential Data). Your NDA includes more details on what is considered confidential and what not. We do not distinguish between various levels of confidentiality (like secret, top secret, super secret, …).

An exception to confidentiality of data applies when the data in question is specifically targeted at a broader audience outside the organization (e.g. blog posts, webinars, public source code). This data is classified as “public”. (Public Data).

In case a customer has a different way of classifying data and we are required to follow the customer´s classification scheme (either by contract or because it is custom), then the customer classification scheme applies. (Customer Data Classification)

Handling and marking of data, incl. access control:

Unless stated otherwise, the creator of data is considered its owner and has to ensure the provisions of this policy are followed. Our general policy is that access to data is denied by default within the company, unless the owner has authorized access to it (e.g. to an individual, to a role or to a group of individuals). This granting or changing of access must be logged and the access control lists regularly reviewed by the owner. This also means we follow the principle of discretionary access control, meaning that owners of data grant access to this data by themselves.

Confidential data: We generally do not tag or otherwise mark confidential information. Instead we store information in secure repositories and grant access to information only when there is a legitimate need to it (“need-to-know”-access). Unauthorized access must be prevented with the features of the tools you are using. E.g. you should set links to a file with the correct sharing permission. Before sharing confidential data with individuals outside the Rocket.Chat organization, an NDA must be signed. This NDA signature is the responsiblity of the HR team for employees and contractors and of the Sales team for potential clients and customers. In case you are in doubt of the existence of an NDA, contact these teams respectively before sharing confidential data. For confidential information shared from us to customers or other external parties (e.g. a slidedeck), you must tag it with the Rocket.Chat logo to indicate its origin and minimize intellectual property infringement. Where the context warrants an additional note to the recipient, you should consider putting a footer like “Confidential material. Do not reproduce” on your document. Secure ways of sharing data (e.g. PGP-encrypted mailing, end-to-end encrypted channels on Rocket.Chat) should be preferred. For sending confidential material via hardcopy, only use legitimate mail services and avoid marking that draws attention to the content of the package.

Public data: Public data is also not marked specifically, instead it is characterized as being public when you put it on a place where the intended audience can access it (e.g. on our website or a public GitHub repository). To distinguish public data and confidential data, consider where it is being placed. Consider also that all data you put on the web is potentially replicated in other places (e.g. wayback machine, reupload on youtube, etc.) so be sure to check in advance if the data in question is really intended to be public.

Customer Data Classification: For information that is received from customers or regularly exchanged with them (e.g. slidedecks, RFQs, etc.) stick to the customer´s classification method and mark it appropriately.

Other handling and marking methods depending on tools and systems you use: When you work with specific tools and systems, these systems often come with their own classification schemes (e.g. GitHub Public vs Private Repositories) and mechanisms (access control lists, metadata, etc.). You should use these classification mechanisms in the spirit of this policy and the context of how you use the system.

Deletion of data:

Once data is considered no longer necessary, it should be deleted. Keep in mind that we are required to keep certain data for a minimum or maximum amount of time (e.g. for legal reasons). Use secure methods for deleting data, e.g. DBAN Contact the security team in case you are in doubt of deleting data. Public data generally does not need to be deleted since the risk associated with it is low and our external audience often expects this data to be available (e.g. in our public source code repositories).

Acceptable Use

This section is about general acceptable use of equipment, systems, the internet, etc. when you are using those in a capacity for Rocket.Chat. We have additional, specific policies for device types, which are presented in the upcoming sections.

Applicability:

This policy applies to assets, when these assets are provided by Rocket.Chat or when they are provided by you and used in the name of Rocket.Chat. Assets are: Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP. It does not apply to the usage of e.g. your private internet at home when not working for Rocket.Chat.

Acceptable Use:

Assets must primarily be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations. You are responsible for exercising good judgment regarding the reasonability of personal use. Personal use may never endanger the objectives of our policies (e.g. via actions regarded as unacceptable use)

Unacceptable Use:

The following are examples of unacceptable use:

  • Violations of the law or of rights of any person or company, e.g. copyrights, patents, trademarks
  • Accessing data, a server or an account for any purpose other than conducting company business
  • Exporting technology in violation of international or regional export control laws
  • Introduction of malicious programs into the network or server
  • Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
  • Making statements about warranty, expressly or implied, unless it is a part of normal job duties
  • Effecting security breaches or disruptions of network communication, e.g. port scanning or security scanning
  • Circumventing user authentication or security of any host, network or account.

Certain exceptions to the items listed under acceptable use apply when such behaviour listed is expressly part of your job duties (e.g. to perform vulnerability scanning) or with prior authorization of senior management.

Enforcement:

For security and network maintenance purposes, authorized individuals within Rocket.Chat may monitor equipment, systems and network traffic at any time. Rocket.Chat reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

Device & Portable Storage Security

Our general policy is that everyone is responsible to secure their workstation by themselves. We do not enforce group policies, software whitelisting, or such. This means in turn that you yourself must be taking a greater amount of care to secure your workstation.

General

Applicable to all devices:

  • Keep your workstation in a secure environment (e.g. a locked room or building).
  • Always lock your workstation screen when leaving it.
  • Store all important or sensitive information on network drives (e.g. GSuite).
  • Keep your antivirus and antimalware protection up to date at all times and with daily definition updates
  • Keep on updating your operating system and local software to the latest version as soon as it becomes available.
  • Run a full anti-malware check at least monthly.
  • In case of a virus/malware warning, run a full scan and resolve all findings.
  • Use software and OS that still receive security updates from their vendors.
  • Do not install software that could cause security risks (e.g. not from official app stores). You are responsible to determine if a new software you are about to install poses a security risk.
  • Limit your privileges to what is necessary (e.g. do not run programs with administrator privileges that do not need them).
  • When decommissioning a workstation, securely wipe it with DBAN or an alternative (e.g. factory reset) before using it in another way (e.g. selling it).

Mobile Device Specifics

  • Install at least one authenticator app to allow for multifactor authentication
  • No jailbreak / rooted devices
  • Do not store business information outside of apps (e.g. in the download folder), instead keep information inside the native apps and use the app-side browser to view and modify information.

Portable Storage

Portable Storage (e.g. USB sticks, external HDDs) creates some additional risks, especially to availability of information and the risk of theft. That is why portable storage is generally not allowed to be used for Rocket.Chat information. You may use portable storage in limited circumstances when you have custody of the device (e.g. you own it) and it is used:

  • For non-sensitive purposes (e.g. marketing material to be shared with a customer on a USB stick)
  • For encrypted backups of your workstation
  • To extend the storage of your mobile devices

Portable storage you acquire in a used state or not directly from a vendor (e.g. a gift you received, lost & found devices) may never be connected to your devices and should be returned or destroyed because they could be infected with Malware, even after wiping them. Instead of using portable storage, you should always use shared network resources (e.g. GSuite).

Physical Security, incl. Homeoffice

Porto Alegre

  • Read the rules that are pinned in the office
  • Join the Rocket.chat channel to be informed about news

Homeoffice / Remote Work

Additional rules apply if you work remotely:

  • Configure a secure home network, you can use a guide like: link 1 or link 2
  • Use VPN when working outside of your home office (e.g. in a coffee shop)
  • Block sight lines of others, so that only you can see your screen when it contains confidential information
  • Keep printouts with work data to an absolute minimum and destroy them securely once done. In general, most of your work should be done paperless.
  • Keep your workstation secure at all times (e.g. not leave it in a car)

Cryptography

Cryptographic requirements are adressed in the other parts of the subpolicies and must follow the general principles as described by OWASP Cryptography in our products will be described in the product documentation.

Password & Secrets Policy

  • Always use strong passwords, as described e.g. here.
  • Always reset your password if you have suspicion of it being compromised.
  • Always keep your passwords in a secure and encrypted location like your password manager (preferred, e.g. ZOHO Vault) or your head.
  • Never share your passwords with anyone. Credential sharing is not allowed. An exception to this applies if the password is shared by nature.

Shared Passwords

Shared passwords & secrets should only be used, if a personal password can NOT be used. Always prefer using your own passwords (tied with your own account/credential).Shared passwords must be stored in an approved secure and auditable password storage system. Our current standard is ZOHO Vault, its integrations are approved (e.g. the browser extension).

Shared Passwords must:

  • Abide our password policies (complexity, length), unless the target system/use case does not allow this or prescribes a different standard
  • Have one or multiple owners, default owner is the creator of the shared password. In Zoho, this is called “Authorizer” or “Owner”, depending on the screen, kind of annoying…
  • Always be maintained in the central storage system. Do not update passwords and keep an outdated password in ZOHO. ZOHO is single source of truth.

Shared Passwords SHOULD:

  • Be put in folders (ZOHO: “Chambers”), with a preconfigured set of persons with access. This makes it easier to manage access control.
  • Not be exported out of Zoho.

When a person leaves the company, he must transfer ownership of the shared password to a successor. Click on “more actions” → “Transfer Ownership” in ZOHO.

Authentication Policy

Access to confidential Rocket.Chat data is only allowed after successfully and securely authenticating an individual. Your main account is your rocket.chat account and serves as your main digital identity. You will receive your account during your onboarding process as well as other, potentially needed digital identities.

You should always use your firstname.lastname@rocket.chat identity. Exceptions apply when you are testing out a service or you specifically want to access the service under a pseudonym. You may not circumvent authentication or use different identities unless this is specifically part of your duties.

In terms of authentication methods, you should always opt for using SSO/SAML authentication where possible. Since your identity is tied to a Google account, you can also click on the “Sign up with Google” button or similar phrasing, in case SAML/SSO is not available. If you get an error when authenticating via SAML or SSO, contact the person who invited you to enable it properly.

2-Factor- or Multifactor-Authentication is required before accessing critical assets and will be set as mandatory there.

Secure Development & Change Management

Secure engineering basic principles:

Features or changes involving components that could affect overall system security (e.g. authentication, encryption, access control) should consider the following steps:

  • have a thoroughly documented PR explaining the change
  • the PR must pass all checks, alerts must be remediated before merging
  • be subject to the regular tests (including security tests) before a release and not be introduced after these tests
  • should check if documentation needs to be updated and if so, update it

Changes to assets should only occur when a change is necessary. All changes must be controlled. All changes related to source code must occur through the authorized version control system (e.g. GitHub). In case a change is urgent, the change control process may be shortened by decision of management, in order to mitigate potential damages to the organization.

Accessing Customer Data

For access to customer data, you must adhere to the following:

You may only access customer data if

  • The customer specifically requests it (e.g. support request) or
  • When it is necessary for us to fulfill our contractual obligations (e.g. to act proactively to prevent an instance from failing)

Access is strictly limited to the data needed to fulfill the request. You may not access data of other tenants. No customer data may be extracted unless this is strictly requested by the customer. All data extracted must be stored safely and deleted when it is no longer necessary.

You must terminate the session immediately after the reason for your access has been resolved. You must as soon as possible inform the customer of the outcome of your access.

Incident Management

An incident is any event that has the potential to affect the confidentiality, integrity or availability of Rocket.Chat information, in any format, or IT systems in which this information is held. Violations of laws, policies, contractual obligations or also external requests should also be considered as incidents in this sense.

Examples of incidents include:

  • Lost devices
  • A suspicious and successful log in
  • Malware incident
  • Ransomware attack
  • Email with confidential data sent to wrong recipient
  • Law enforcement requests to disclose data of customers

General Incident Process:

  1. Logging the incident
  2. Assigning it to the proper team to investigate
  3. Triage
  4. Escalation (if needed)
  5. Resolution, including implementation, testing, as well as reaching out to other parties necessary. Before advancing, the affected user or customer must also be in agreement that the incident has been resolved.
  6. Closing

The Security Team will produce metrics on the incidents occurring in order to reduce their occurrence and improve our process. The detailed process is in the playbooks section of the security team.

Incidents happen and it is important for Rocket.Chat to be aware of them and taking proper action. In case you feel you are in a conflict of interest or in fear of potential repercussions of reporting an incident, you can confidentially contact the HR team or the Security team and your incident report will be submitted anonymously.

Business Continuity and Disaster Recovery

Business Continuity ensures that regular business will continue even during a disaster.

Disaster recovery means restoring vital support systems and is a subset of business continuity.

Disaster prevention:

Disaster prevention is everyone´s responsibility. This means that every employee must actively prevent disasters from occurring and report potential risks of a disaster to management. Most controls to prevent disasters are taken on a system level by the respective system administrator and will be performed against a system specific control catalog (e.g. backup configuration). Since many of our systems rely on third party providers, following our policies for third parties is critical. Disaster Prevention controls include:

  • Redundancy of the network in the office
  • Preventing vendor lock-ins
  • Chosing of trusted partners that provide an adequate level of security (e.g. SaaS providers)
  • Storing data offsite and off-client

Criticality ratings:

Rocket.Chat maintains a list of all systems, including a rating of their criticality on our business processes. This criticality is mostly based on tolerable downtime. The criticality ratings are as follows: High: less than 24 hours tolerable downtime Medium: less than 72 hours tolerable downtime Low: more than 72 hours tolerable downtime Criticality ratings to a system may be adjusted on a case-by-case basis where the circumstances justify the adjustment. Rocket.Chat also runs a risk management program to identify and manage risks, including risks of a disaster occuring.

Disaster Recovery:

In case of a disaster, we will form an incident response team consisting of the respective members of our management team, security and other individuals, depending on the type of disaster. The members of the team will communicate using Rocket.Chat - or where this is not possible - email or phone. We will inform all affected employees via the Rocket.Chat channel “important” or others where relevant. In case the disaster has taken down the rocket.chat servers, we will notify via email or - where warranted - contact you via the phone numbers you have given us during onboarding. The incident response team will also ensure that affected customers are informed via the proper methods.

Testing:

Annually, we test our business continuity and disaster recovery capabilities. The scope and method of testing are related to our risk management process and decided by management. The results of these tests are shared in the company and may lead to updates to this policy.

Procurement

All Systems procured must comply with defined information security requirements. Those requirements are defined before a procurement decision is made,

Supplier Relationships

This policy applies to the security and compliance of supplier relationships. Maintaining a secure supply chain is important because often vulnerabilities and risks are introduced through supplier relationships. Suppliers can be SaaS providers, hardware suppliers and similar.

Contracts & Service levels:

Relationships with suppliers must be based on written agreements/contracts. Such contracts must include provisions on information security when necessary. Service levels of suppliers must be agreed upon and monitored, e.g. by monitoring uptime reports, quality of service, and in case the service does not meet the expected level, the supplier be notified to remediate the issues. Changes to the provision of services by vendors, including changes to agreements, must be recorded (e.g. a contract amendment).

Supplier access & privacy:

Suppliers accessing or processing Rocket.Chat data must be subject to an NDA or other confidentiality clauses. They must follow either our privacy policy or have their own, legally compliant privacy policy.

Supplier compliance:

Supplier compliance is assessed on a risk-based approach and against the requirements of our security policies. Suppliers must demonstrate the same level of compliance for their supply chain.

Auditing

The Information Security Team will audit the design and implementation of these policies on a regular basis, with a focus on risks identified in the risk management process. Where a potential conflict of interest takes place, the audit will be delegated to another individual with such conflict or other compensating controls be taken.