Compliance beyond the certifications: How we keep customer data secure

Published

Apr 12, 2024

Author

Adam Nunn

Global data protection and compliance certifications all come with security requirements and frameworks—a specific set of standards you need to meet to be able to put a SOC 2, CSA Star, or ISO logo on your company’s website. And for a lot of companies, that’s the ultimate goal: putting the logo on the website. At Rippling, that’s just the start.

We don’t treat compliance as a box to check off. Instead, we make sure it’s deeply ingrained in everything we do at Rippling. We aim for what we call “meaningful compliance,” security controls that actually impact the security of our environment and, ultimately, our customers’ data. We know we store and process sensitive data for our customers, and we’re responsible for keeping it secure.

Doing what’s best for Rippling—and for our customers—means going above and beyond what’s required for our certifications.

In less than two years, we’ve more than doubled the size of our security team, built new and modern security guardrails, developed new programs, and rolled out company-wide training to establish and reinforce every employee’s responsibility for keeping the organization—and our customers—secure. Below, I’ll walk through some of the changes we’ve implemented in the last year and how they promote “meaningful compliance” at Rippling.

Building Rippling’s security program

Prior to joining Rippling nearly two years ago, I was at Auth0, now part of Okta, where my team and I built their security compliance program. When I left, we had the whole gamut of certifications and attestations: SOC 2, PCI DSS, ISO 27001, CSA STAR, and more.

At Rippling, I was hired to mature our program. Prior to my arrival, Rippling held SOC 1 and SOC 2 reports that covered only a short review period. Since then, we’ve obtained:

  • Full one-year SOC 1 Type 2
  • Full one-year SOC 2 Type 2
  • ISO 27001 Certification
  • ISO 27018 Certification
  • CSA STAR Level 2 Certification

Building our program also meant building our team. Under our CISO, Duncan Godfrey, our security team has grown rapidly and continues to grow.

Going above and beyond compliance requirements

With the program and team in place, we had three goals:

  • Create new security policies relevant to building a culture of security at Rippling
  • Ensure Rippling employees understand their security responsibilities
  • Constantly assess our security controls—and go above and beyond certification requirements to meet our own security bar

We used ISO 27001, a globally recognized security certification, as our foundation to start establishing new security policies. Over the last year, we’ve drafted more than 40 policies and procedures that not only meet audit requirements, but also provide security value and guidance to our employees. We didn’t want to simply reuse templates that met our obligations. Instead, we wanted to develop a policy set that every Rippling employee could use to understand their security role and the overall importance of security.

Our overarching information security policy provides guidance and standards to employees on their responsibilities and requirements. It is our blueprint for employee security-related responsibilities. From there, we also published critical operational policies and procedures. These include our Incident Response Plan, which guides how we respond to security incidents, and our Supplier Relationships Policy, which determines how we handle third-party risk management and vendor due diligence. Both provide guidance and guardrails around our universally critical security risk areas.

As we developed these policies, we rolled out training to all employees to ensure everyone at Rippling understood our policy set—and, ultimately, their responsibilities. Training included a policy review and an Information Security Awareness course that reinforced our best practices. We also developed more focused training for employees who handle sensitive data to ensure those important responsibilities were fully understood.

Finally, there were controls we needed to strengthen as we built our security program and rolled out our new policies. For example, we put a lot of work into strengthening our access management posture by making sure our program met not only ISO standards but also our own internal security standards. We also continued to build out our security engineering program through a strong secure software development lifecycle and more targeted third-party penetration tests. These controls were helpful for compliance, but more importantly, they made a meaningful impact on our platform’s security and ultimately strengthened our protection around our most important asset: the data of our customers.

What’s next for Rippling’s security program?

As Rippling looks to what lies ahead in the security landscape, there are a few ways we’re keeping our security and compliance efforts at the forefront of everything we do.

Number one: We lead from the front and are compliant ourselves. A core part of my job is to ensure that Rippling remains compliant because we are bound by regulatory requirements that come with our global presence. We are continuously assessing our security posture and ensuring we adhere to current and future obligations.

We also have ongoing conversations with Rippling leadership to ensure security is embedded across the organization. With every single change Rippling makes—and every single product Rippling launches—we view it through a security lens. We’re constantly making sure we’re mitigating risk, not just from a regulatory standpoint, but for our customers, too. These conversations are not limited to internal discussions: we also meet with our customers to understand their security and compliance needs so we can plan and implement accordingly.

But maybe the best endorsement of Rippling’s compliance efforts is the fact that we use our own products every day.

And that means if we ever see anything that can make our security stance stronger, we feed it directly back into the product. As a security team, we continuously collaborate with the research and development and product teams to improve Rippling. And when it comes to security, there’s no red tape around prioritizing improvements. Everyone at Rippling works together to ensure the protection of our customers’ data is always top of mind.

last edited: April 12, 2024

The Author

Adam Nunn

Sr. Director, Security Assurance

Based in Seattle, WA, Adam leads the Security Assurance function at Rippling.