We know that the security of your application’s data is your top priority. It’s ours too and we take that commitment very seriously.
Rollbar uses a variety of industry-standard security technologies and procedures to protect your information from unauthorized access, use, or disclosure. We adhere to HIPAA and ISO 27001 compliance and meet industry best practices where applicable. Our employees are required to attend annual security awareness training and are informed of their security responsibilities.
The Rollbar security program is led by the Chief Information Security Officer and the Chief Technology Officer.
Data Security & Privacy
All raw data is encrypted at rest with a different encryption key per account. The data that is being requested is decrypted only when requested by an authenticated member of the subscription. This provides an additional level of protection should Rollbar ever encounter a breach of its infrastructure. In this case, if data was ever lost, it would be protected by the best industry standards in encryption technology and the data would be useless to the attacker since it would appear to be randomized data.
All data in transit is sent through https (TLS) encrypted connections. This ensures the confidentiality and integrity of the data sent between the Rollbar application and the customer.
Customized Data Retention
Rollbar’s standard data retention is 180 days. Through our Compliant SaaS solution we may accommodate data retention plans of varying lengths to meet your compliance and regulatory requirements.
On designated plans with data encryption at rest, data removal can be accomplished by destroying the customer’s encryption key from the Rollbar encryption key store. This will have the same effect of removing the data from the database. This option would normally be used to remove all account data.
On plans that do not use the database encryption, data can be purged from the database and will fall out of backups over seven days. This option is also used for one-off deletions of specific data.
Rollbar complies with the EU-U.S. Privacy Shield Principles and Swiss-U.S. Privacy Shield Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement.
Access to account data by Rollbar employees is limited to a necessary set of users consistent with their assigned Rollbar responsibilities. At Rollbar, we believe in the concepts of ‘need to know’ and ‘least privileged’.
In addition to this, you are ultimately in control of what data is sent to Rollbar. We provide you the ability to filter out information you don’t want to send to Rollbar in the client configuration. This may be due to regulatory issues like PCI-DSS, or any other possible privacy concern that you might have.
Two-Factor Authentication provides an extra layer of security to your Rollbar account by requiring a time-based one-time password in addition to a password each time you login. Two-factor Authentication can be enabled by each user and requires a mobile authenticator app, such as Google Authenticator or Authy.
SAML-Based Single Sign On
On designated Rollbar plans, you can enable SAML-based single sign-on (SSO) using Google Apps for Work, Okta, or Bitium. SSO not only improves the user experience by making it seamless to log into the Rollbar application, SSO also enhances security by allowing companies to control and maintain their own identity management, which translates into fewer user identities and simpler accessibility across trusted domains.
Rollbar has an entire suite of audit controls built into the application. The following is a sample of Rollbar capabilities:
- User List – List of all users associated with your account along with their activity.
- Security Audit Logs – Shows all of the recent actions pertaining to your Rollbar account.
Infrastructure and Network Security
Rollbar undergoes third-party penetration tests on an annual basis. All items found in the testing are addressed, mitigated, or remediated depending on the severity of the finding. A summary report is available to customers that are currently under contract with Rollbar at the Enterprise level.
In addition to the yearly penetration testing, we have a quarterly third-party vulnerability scan performed that covers all of our IP space. This is meant to complement the annual penetration test and to ensure there are no gaps throughout the year.
Our engineering team performs monthly authenticated internal vulnerability scans of our production environment. This is to ensure that all systems are not only patched but are following industry best practices in security.
Our primary data center, where data is stored and encrypted at rest, is located in the Iowa region. We also utilize a global points-of-presence network to deliver fast and reliable experience to users anywhere in the world. Our data center provider complies with top certifications, including ISO 27001, AICPA SOC 2 and 3, PCI DSS, HIPAA, and more.
The Rollbar application has a set of Enterprise level access controls, including:
- Single Sign On
- Two-Factor Authentication
- Password complexity settings
- IP safelisting
- Session timeout
- Controls on the number of invalid login requests before locking out a user
- Controls to force a user password to expire after a period of use
- Restrict access to specific time periods.
Contingency Plans and Operations
We have a documented and tested Contingency Plan and Disaster Recovery plan. These plans are tested at least annually or when there is a major change in the Rollbar environment. Lessons learned from the tests are compiled and are remediated by our engineering department.
We engage in performing Risk Management on a regular basis and update the Risk Management document as items progress. However, the official Risk Management document is reviewed and updated on an annual basis. Our main goals in Risk Management are the continuation of the Rollbar service along with the confidentiality, integrity, and availability of customer data.
Security Awareness and Training
All Rollbar employees, upon initial hire and annually, go through security awareness training. This training includes some of the best practices and guidelines from the security industry, and includes the mandated HIPAA training.
We have the following security policies and will make them available for customer review under an NDA. All policies are updated as needed and reviewed on an annual basis.
- Acceptable Use of Data in Test
- Access Control Policy
- Backup Policy
- Contingency Plan
- Device and Media Control Policy
- Encryption Policy
- HIPAA Data Retention Policy
- HIPAA Security Review Policy
- Information System Activity Review Policy
- Rollbar Vulnerability and Patch Management Policy
- Security Awareness and Training Policy
- Security Responsibility Assignment
- Software Development Life Cycle
- System and Information Integrity Policy
The Rollbar Compliant SaaS solution meets the strict guidelines of the Health Insurance Portability and Accountability Act (HIPAA) and ISO 27001 controls. Rollbar Compliant SaaS allows customers to store their sensitive data and rely on Rollbar to perform all of the underlying security and safeguards needed.
Rollbar Compliant SaaS is fully compliant with HIPAA and the HITECH Act. The Compliant SaaS environment is set up to allow customers to place their sensitive data within the Rollbar application. We follow all of the required procedural and technical controls within the cloud environment. Additionally we will sign a Business Associate Agreement (BAA) with each Compliant SaaS customer that may request one in order to ensure that Rollbar and the customer are both in alignment with the security controls being enforced to protect such data.
We have chosen to become ISO 27001 compliant with our production environment. This level of compliance provides reassurance to our customer that we have implemented, are maintaining, and are continually improving an information security management system in accordance with international industry best practices.
SOC 2 Type 1
SOC 2 Type 2
Rollbar has received its SOC 2 Type 1 and Type 2 compliance certifications.
Contact us to obtain the report.
Cloud Security Alliance – STAR registrant
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. One of the mechanisms the Cloud Security Alliance uses in pursuit of its mission is the Security, Trust, and Assurance Registry (STAR) – a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.
SSAE16 / ISAE 3402 Type II Attestations
We utilize Google Cloud Platform to host the complete Rollbar environment. Google undergoes annual independent audits for the following:
- SOC 1
- SOC 2
- SOC 3 public audit report
For further details, see Google Cloud Platform Security.
Responsible Disclosure Policy
Rollbar aims to keep its Services safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in the Services, we appreciate your help in disclosing it to us in a responsible manner.
Rollbar will engage with security researchers when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy. We will validate, respond and fix vulnerabilities in accordance with our commitment to security and privacy. We won’t take legal action against or suspend or terminate access to the Services of those who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy. Rollbar reserves all of its legal rights in the event of any noncompliance.
Capitalized terms used in this Responsible Disclosure Policy and not otherwise defined have the meaning ascribed to such terms in our Terms of Service.
If you identify a verified security vulnerability in compliance with this Responsible Disclosure Policy, Rollbar commits to:
- Promptly acknowledge receipt of your vulnerability report
- Provide an estimated timetable for resolution of the vulnerability
- Notify you when the vulnerability is fixed
- Publicly acknowledge your responsible disclosure
You may test only against an Account for which you are the Account owner or a Member authorized by the Account owner to conduct such testing. In no event are you permitted to access, download or modify data residing in any other Account or that does not belong to you or attempt to do any of the foregoing. You are also prohibited from:
- Executing or attempting to execute any “Denial of Service” attack;
- Knowingly posting transmitting, uploading, linking to, sending or storing any Malicious Software;
- Testing in a manner that would result in the sending unsolicited or unauthorized junk mail, spam, pyramid schemes or other forms of duplicative or unsolicited messages;
- Testing in a manner that would degrade the operation of the Services;
- Testing third party applications or websites or services that integrate with or link to the Services.
Share the details of any suspected vulnerabilities with the Rollbar Security Team by sending an email to firstname.lastname@example.org. Please do not publicly disclose these details without express written consent from Rollbar. In reporting any suspected vulnerabilities, please include the following information:
- Vulnerability details with information to allow us to efficiently reproduce your steps
- Your email address
- Your name as it should be displayed on this page if you would like it to be
- Your Twitter handle or website as it should be displayed