Trust and security at RocketDocs
Three decades of regulated-industry experience produced a security and compliance posture that holds up under bank, health plan, and pharma audit scrutiny. Documentation, certifications, AI security details, and standardized security questionnaire responses are all available through our Trust Center.
What is on the Trust Center
Everything regulated buyers actually need
The RocketDocs Trust Center is hosted at trust.rocketdocs.com and is the authoritative source for our security and compliance documentation. Customers, prospects, security teams, and procurement reviewers can access most documents directly. Confidential audit reports may require an NDA.
Certifications and audit reports
- SOC 2 Type II audit report (annual recertification)
- ISO 27001 certificate
- Penetration testing summaries from independent third parties
- Vulnerability management documentation
AI security documentation
- AI Security Policy covering Astro on Llama 3.1 hosted privately
- Data flow documentation showing how customer data is processed (and why it never leaves your environment)
- Model training and isolation policy
- AI accuracy, transparency, and human-review documentation
Security questionnaire responses
- Standard SIG response (Shared Assessments Standardized Information Gathering)
- Standard CAIQ response (Cloud Security Alliance Consensus Assessments Initiative Questionnaire)
- NIST 800-171 alignment documentation
- HIPAA security alignment documentation for healthcare customers
- FedRAMP-aligned content for federal-adjacent deployments
Privacy and data handling
- Privacy Policy and Cookie Policy
- Data Processing Addendum (DPA) templates for GDPR and CCPA
- Sub-processor list with change notifications
- Data residency documentation (US and EU)
- Incident response process
Compliance frameworks supported
Cross-industry
- SOC 2 Type II
- ISO 27001
- GDPR (EU General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- AES-256 encryption at rest
- TLS 1.2 or higher in transit
Financial services
- SOX (Sarbanes-Oxley)
- GLBA (Gramm-Leach-Bliley)
- FINRA
- OCC vendor management (Bulletin 2013-29 and successors)
- SEC and CFTC
- FCA, BaFin, AIFMD, MiFID II for international firms
- NAIC Model Laws for insurance carriers
Healthcare
- HIPAA Privacy Rule and Security Rule
- HITECH Act
- HITRUST CSF alignment
- NCQA accreditation support
Life sciences
- 21 CFR Part 11-aligned workflows
- ICH GCP
- GxP (GMP, GLP, GCP, GDP) alignment patterns
- EU MDR / IVDR support for medical device manufacturers
Enterprise tech and government
- FedRAMP and StateRAMP alignment patterns
- NIST 800-171 and NIST 800-53
- CMMC for defense industrial base
- PCI DSS for payment-handling deployments
AI security architecture
Why our AI security architecture matters
Most response management platforms route customer data through third-party AI providers. RocketDocs does not. Astro, our generative AI engine, runs on Llama 3.1 hosted privately inside our environment. Customer data never leaves your environment, never trains a third-party model, never appears in another customer's AI context.
For regulated industries, this is the only AI architecture that holds up under audit. Compliance review boards reject third-party AI architectures. Procurement teams flag them. Customer security questionnaires explicitly disallow them. We built private AI as an architectural decision, not a marketing position. Full details are in the AI Security Policy on the Trust Center.
Dogfooding
We use RocketDocs to maintain our own security responses
When a customer or auditor asks for our SIG, our CAIQ, our SOC 2 supporting questionnaire, or our latest compliance attestations, we respond from RocketDocs. Same platform you would use. Same audit trail. Same private AI. The result is that our own security responses are always current, always traceable, and always available through the Trust Center. Not many vendors can say their security questionnaire process is run on the platform they sell. We can.
How to access documentation
Public documents
Most certifications, policies, and standardized questionnaire responses are publicly accessible on the Trust Center without login. Visit trust.rocketdocs.com to browse.
NDA-gated documents
Confidential audit reports (the full SOC 2 Type II report, penetration testing details, certain compliance documentation) are available under NDA. Request access through the Trust Center and our security team will respond within one business day.
Customer-only documents
Active customers have access to additional documentation including custom security questionnaire responses, deployment-specific compliance documentation, and incident notifications. Customer access is managed through the Trust Center login.
Direct security inquiries
For security questions not addressed by the Trust Center, contact security@rocketdocs.com. Our security team responds to qualified inquiries within one business day.
Frequently asked questions
How do I get the SOC 2 Type II report?
The SOC 2 Type II report is available under NDA. Request access through the Trust Center. Our security team will email you the NDA, countersign it on receipt, and provide the full report, typically within one business day.
Do you sign Data Processing Addenda (DPAs)?
Yes. Our standard DPA covers GDPR and CCPA requirements and is available as a template on the Trust Center. Custom DPA terms are negotiated as part of the subscription agreement for customers with specific data protection needs.
Do you sign HIPAA Business Associate Agreements (BAAs)?
Yes. Healthcare customers requiring a Business Associate Agreement under HIPAA can request a BAA as part of the subscription agreement. Our standard BAA terms are aligned with the HIPAA Privacy Rule and Security Rule.
How often is the Trust Center updated?
Major documentation (SOC 2 reports, ISO 27001 certificates) is updated at recertification (typically annual). Sub-processor lists, security questionnaire responses, and policy documents are updated when underlying changes occur. Customers can subscribe to change notifications through the Trust Center.
Can I get a custom security questionnaire response?
Yes. For custom enterprise security questionnaires beyond the standard SIG, CAIQ, and NIST formats published on the Trust Center, contact security@rocketdocs.com with the questionnaire and your timeline. Our security team will respond as quickly as possible (typically within five business days for standard formats, longer for highly customized questionnaires).
How do I report a security issue?
Security vulnerabilities or incidents should be reported immediately to security@rocketdocs.com. We acknowledge security reports within one business day and follow up with details on remediation timelines. We follow a responsible disclosure process and coordinate public disclosure of vulnerabilities with the security research community.
Where is data stored?
Customer data is hosted in enterprise-grade cloud infrastructure with redundant availability zones, automated failover, and continuous security monitoring. US and EU data residency are supported. For specific residency requirements, contact security@rocketdocs.com.
Do you use sub-processors?
Yes. A current list of sub-processors is maintained on the Trust Center, with change notifications available through subscription. We use the minimum number of sub-processors necessary to deliver the Services and maintain contractual data protection requirements with each of them.
Ready to talk to our security team?
For a deep technical review of the platform's security architecture, our customer success team can arrange a session with our CTO and security engineering team. This is a common request for regulated-industry deployments.