NewRocket
Security and Data Protection
Public Statement
Effective: January 1, 2025
Classification: Public
Version 2.0
NewRocket is committed to protecting the confidentiality, integrity, and availability of information entrusted to us by our customers, partners, and employees. This public statement provides an overview of the security and data protection measures we maintain across our organization to safeguard customer data, corporate assets, and the services we deliver.
Our security program is designed to meet the rigorous requirements of recognized industry frameworks and is subject to independent third-party assurance. We continuously invest in our people, processes, and technology to maintain a security posture that meets or exceeds the expectations of the organizations we serve.
Security is a foundational element of how NewRocket operates. Our commitment starts at the executive level, where senior leadership maintains active oversight of information security strategy, risk management, and compliance. We have established a formal IT governance structure with clearly defined roles, responsibilities, and accountability that ensures security considerations are embedded in every business decision.
NewRocket maintains a comprehensive library of information security policies that are reviewed and updated on a regular cycle. These policies address every major domain of information security and are aligned with industry-recognized control frameworks. All employees are required to acknowledge and adhere to these policies as a condition of employment.
NewRocket’s security program is aligned with the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria that underpin the SOC 2 Type 2 assurance framework. Our internal controls are designed to address all five Trust Services Categories:
• Security — Protection of information and systems against unauthorized access, unauthorized disclosure of information, and damage to systems.
• Availability — Accessibility of information and systems as committed or agreed upon.
• Processing Integrity — Completeness, validity, accuracy, timeliness, and authorization of system processing.
• Confidentiality — Protection of information designated as confidential.
• Privacy — Collection, use, retention, disclosure, and disposal of personal information in conformity with our commitments and applicable regulations.
Our control environment is subject to ongoing internal monitoring and periodic independent assessment. We maintain a formal internal controls matrix that maps our policies and procedures to the applicable Trust Services Criteria, and we conduct regular evaluations to verify that controls are operating effectively.
NewRocket recognizes that our customers entrust us with access to sensitive information, and we treat this responsibility with the highest level of care. Our data protection program is built on the following principles:
We maintain a formal data classification framework that categorizes information based on its sensitivity and business impact. Classification levels drive specific handling, storage, transmission, and disposal requirements, ensuring that data receives protection commensurate with its sensitivity throughout its lifecycle.
NewRocket employs strong encryption standards to protect data both at rest and in transit. We enforce the use of current, industry-accepted cryptographic algorithms and key management practices. Deprecated or weakened encryption protocols are explicitly prohibited. Our encryption policies are reviewed regularly to ensure alignment with evolving industry standards and regulatory requirements.
We maintain formal data retention schedules that define how long different categories of information are retained based on business need, contractual obligations, and regulatory requirements. When data reaches the end of its retention period, it is disposed of securely using methods appropriate to its classification and the media on which it is stored.
NewRocket’s privacy program is designed to comply with applicable data protection regulations, including the General Data Protection Regulation (GDPR) and applicable United States privacy laws. We maintain published privacy notices, provide mechanisms for data subjects to exercise their rights, and apply the principles of data minimization and purpose limitation to our processing activities. Our privacy governance structure includes designated privacy oversight responsibilities with regular program reviews.
In our role as a services provider, NewRocket operates within clearly defined data processing boundaries. We access customer data only as necessary to perform contracted services and in accordance with documented customer instructions. We do not independently process, store, or host customer data beyond the scope of our service delivery obligations. Our personnel are trained on the boundaries of authorized data access, and controls are in place to enforce the principle of incidental access.
NewRocket employs a defense-in-depth approach to identity and access management. Our access control framework is designed to ensure that only authorized individuals can access systems and data, and only to the extent necessary for their role.
We require multi-factor authentication for access to corporate systems, customer environments, and sensitive resources. Our authentication standards are aligned with current best practices and incorporate modern password policies based on recognized guidelines, emphasizing strong passphrases, breach-detection-based credential rotation, and centralized identity management.
Access to systems and data is governed by the principle of least privilege. Role-based access controls ensure that individuals are granted only the minimum permissions necessary to perform their job functions. Access rights are reviewed on a regular cadence, and we maintain formal procedures for provisioning, modifying, and revoking access in response to hiring, role changes, and separations.
NewRocket conducts background checks for new hires in accordance with applicable law. Our onboarding process includes mandatory security awareness training, and access to systems is provisioned only after completion of required training and policy acknowledgments. Upon separation, access is revoked promptly through formal offboarding procedures, and all company-issued equipment and credentials are recovered.
NewRocket’s network security architecture follows defense-in-depth principles to protect the confidentiality and integrity of data traversing our systems.
• We maintain network segmentation to isolate systems of differing sensitivity and function.
• Firewalls are configured on a default-deny basis and are subject to regular rule reviews.
• Intrusion detection and prevention systems monitor network traffic for indicators of malicious activity.
• Remote access requires encrypted connections with multi-factor authentication.
• Wireless networks are secured using current encryption standards and are subject to monitoring for unauthorized access points.
Our endpoint security controls include mandatory device encryption, anti-malware protection, and centrally managed patching. Mobile device policies govern the use of personal and company-issued devices, and removable media use is restricted and controlled.
NewRocket operates a proactive vulnerability management program that includes regular internal and external vulnerability scanning, web application security assessments, and cloud configuration reviews. Identified vulnerabilities are prioritized using industry-standard severity scoring and are remediated within defined timeframes based on risk.
All changes to production systems and infrastructure follow a formal change management process. Changes are classified by type and risk, assessed for potential impact, tested in non-production environments, and subject to appropriate approvals before implementation. A Change Advisory Board provides governance over the change process. Emergency changes follow an expedited procedure with mandatory post-implementation review. Rollback procedures are documented and tested to allow for rapid recovery if a change does not perform as expected.
NewRocket maintains comprehensive security monitoring and logging capabilities. We collect and centrally aggregate security event data from across our infrastructure, including authentication events, privileged operations, data access activities, configuration changes, and network traffic. Our security operations team monitors alerts continuously, with defined response timeframes based on event severity. Logs are retained in accordance with our retention policies and are protected against unauthorized modification.
NewRocket maintains a formal Incident Response Program with documented policies and procedures covering the full incident lifecycle: preparation, detection and analysis, containment, eradication, recovery, and post-incident review. Our incident response team is trained and equipped to respond to security events promptly and effectively.
Key elements of our incident response capability include:
• Defined incident classification and severity levels to drive appropriate response urgency and escalation.
• Established communication procedures for notifying affected customers and relevant stakeholders in the event of a security incident.
• Post-incident reviews to identify root causes and implement corrective actions that strengthen our security posture.
• Regular testing and refinement of incident response procedures to ensure readiness.
NewRocket maintains a Business Continuity Program designed to ensure the continued delivery of services in the event of a disruption. Our business continuity planning addresses resource management, service delivery continuity, alternative communication channels, and escalation procedures. Business continuity plans are reviewed and tested regularly to validate their effectiveness.
Our backup and recovery policies define requirements for data backup frequency, retention, integrity verification, and restoration testing. These controls are designed to minimize data loss and support timely recovery in alignment with our service commitments.
NewRocket operates a formal risk management program that includes comprehensive risk assessments conducted on a regular basis. Our risk assessment methodology addresses information security risks, operational risks, compliance risks, and fraud risks. Risks are evaluated using a structured likelihood-and-impact analysis, and treatment decisions are documented and tracked through a centralized risk register. Senior management reviews the risk register on a periodic basis and provides oversight of risk treatment activities.
We recognize that our security extends to the vendors and subcontractors we engage. NewRocket maintains a formal vendor risk management program that includes security assessments during onboarding, contractual security and data protection requirements, and ongoing monitoring. Vendors with access to sensitive data or systems are subject to enhanced due diligence, including review of independent security certifications and compliance reports. We require appropriate data protection agreements with all vendors that process data on our behalf.
All NewRocket employees participate in a comprehensive security awareness program that begins at onboarding and continues throughout their employment. Annual security awareness training covers key topics including data protection, phishing and social engineering, password security, incident reporting, and safe remote working practices. Role-based specialized training is provided to personnel with elevated security responsibilities. We conduct regular simulated phishing exercises to measure and improve employee awareness and response. Training completion is tracked and is a condition of continued system access.
NewRocket enforces physical security controls at all facilities where corporate information is accessed or stored. These controls include access-controlled entry points, visitor management procedures, electronic access logging, surveillance systems, and environmental protections. Our clean desk policy and secure work area requirements apply to both office and remote work environments.
NewRocket follows a Secure Software Development Lifecycle that integrates security into every phase of the development process, from requirements gathering and design through coding, testing, deployment, and maintenance. Security requirements are defined at the design stage, and threat modeling is performed for significant changes. Our development practices include mandatory code reviews with security focus, automated security testing, and pre-deployment security validation. Secrets management, secure configuration practices, and separation of development, testing, and production environments are enforced across all projects.
NewRocket is committed to the continuous improvement of our security program. We regularly evaluate the effectiveness of our controls through internal monitoring, deficiency remediation procedures, and independent assessments. Findings are tracked to resolution, and lessons learned from incidents, audits, and industry developments are incorporated into our policies and practices. Our control monitoring program includes both automated and manual assessment activities, with defined remediation timeframes based on the severity of identified deficiencies.
Version History
1: 1/1/2025 Initial Policy
2: 1/1/2026 Updates
Contact Information
For questions regarding NewRocket’s security and data protection practices, or to request additional information about our security program, please contact us:
NewRocket Security Team
Email: security@Newrocket.com
Website: www.newrocket.com
Disclaimer: This document is provided for informational purposes and represents a summary of NewRocket’s security and data protection program as of the effective date. It does not constitute a contractual commitment and is subject to change. For the most current information, please contact the NewRocket Security Team.