Security starts with trust
We know your data is sensitive. That’s why we combine enterprise-grade security features with regular audits to ensure that you’re always protected.
We ensure Rippling meets industry-standard compliance.
We use industry best practices to provide Rippling’s services.
We ensure every Rippling employee is vetted and trained.
App & development
Our product is built with security and quality at the forefront.
We comply with global data protection and security frameworks
SOC 1 Type II
Rippling’s SOC 1 Type 2 report covers 11 different control areas from information security and operations to change management and payroll processing, and is audited annually.
SOC 2 Type II
Rippling's SOC 2 Type 2 report covers the trust services categories of Security, Confidentiality, and Availability, and is audited annually.
Rippling's SOC 3 report is a publicly available version of our SOC 2 that covers the same trust services criteria.
CSA STAR Level 2
We ensure policies, processes, and controls comply with CCPA requirements, and have even built CCPA employee notices directly into our software.
ISO 27001 Certified
Rippling's ISO 27001 certification demonstrates our commitment to operating a mature security programme.
ISO 27018 Certified
Rippling's ISO 27018 certification demonstrates our commitment to protecting personal information of our customers.
Data & Infrastructure Security
We're built to secure your most sensitive data
Secure infrastructure provider
We host all our data in physically secure, US-based Amazon Web Services (AWS) facilities that include 24/7 on-site security, camera surveillance, and more.
Data encryption in transit and at rest
All data sent to or from Rippling is encrypted using TLS, and all customer data is encrypted using AES-256.
Data redundancy and resiliency
Rippling’s infrastructure has been designed to be fault tolerant. All databases operate in a cluster configuration and the application tier scales using load balancing technology that dynamically meets demand.
Strict access controls
Access to all Rippling systems is managed through our identity provider, which automates user provisioning, enforces 2FA, and logs all activity.
Server security and monitoring
All servers are configured using a documented set of security guidelines, and images are managed centrally. Changes to the company’s infrastructure are tracked, and security events are logged appropriately.
We hold our employees to the highest standards
Formal security policies and incident response plan
Rippling maintains a set of comprehensive security policies that are kept up to date to meet the changing security environment. These materials are made available to all employees during training and through the company’s knowledge base.
Strict onboarding and offboarding process
Every new joiner must pass a thorough background check and attend a “Legal and Security” training course, as well as an InfoSec training course once a year. We instantly disable departing employees’ devices, apps and access during offboarding via Rippling’s IDM and MDM products.
Continuous security training
The Rippling Security Team provides continuous education on emerging security threats, performs phishing awareness campaigns, and communicates with employees regularly.
Rippling manages visitors, office access and overall office security via a formal office security programme.
App & Development
Our developers treat security as the highest priority
Penetration testing and bug bounties
We regularly run internal pen tests and partner with reputable security firms to run external pen tests. Additionally, our bug bounty programme allows anyone to test our system and report bugs.
Application monitoring and protection
All app access is logged and audited. We also use a wide variety of solutions to quickly identify and eliminate threats, including a Web Application Firewall (WAF) and a Runtime Application Self-Protection (RASP) agent.
Development and change management process
Code development is done through a documented SDLC process, and every change is tracked via GitHub. Automated controls ensure changes are peer-reviewed and pass a series of tests before being deployed to production.
Third-party vendor security review process
We ensure that all our third-party apps and providers meet our security data protection standards before using them.