Rocketbook Security Questionnaire
Encryption and Password Management
Does Rocketbook encrypt customer data?
When a user registers an account, data is sent to Rocketbook servers through API calls secured over HTTPS. Once received, the data is stored in MongoDB Atlas and the Google Cloud Platform.
Rocketbook also collects customer data for analytics purposes, which is transferred through HTTPS to Mixpanel and the Google Cloud Platform. For more information about Mixpanel, please view their security overview.
MongoDB Atlas has built-in encryption at rest for disks by default. For more information, please see information about their data encryption.
The Google Cloud Platform encrypts customer data stored at rest by default. For more information, please see information about their data encryption.
Where does Rocketbook store the customer data?
Rocketbook stores customer data in the United States on MongoDB Atlas, served on AWS in the US-East-1 region. Customer data is also temporarily stored on the Google Cloud Platform in the United States Multi-Region, and deleted after processing.
How is customer data backed up?
Customer data is backed up daily using the MongoDB Atlas cloud backup system. Atlas uses the native snapshot capabilities of Amazon Web Services (AWS).
For more information, please see the information about MongoDB's cloud backup system.
How is customer data deleted?
Users can delete their app data by deleting their Rocketbook account in the app, or by sending a delete request to firstname.lastname@example.org to delete the analytics-related data.
Rocketbook uses third-party vendors to provide services, principally Google Cloud Platform, Heroku Cloud Application Platform, and MongoDB Atlas. Rocketbook uses other reputable vendors for analytics and marketing purposes after they have signed the appropriate contractual protections to handle customer data.
Rocketbook sends emails using Twilio SendGrid, a well-known email service provider. Customer data is sent through the SendGrid API over HTTPS. Rocketbook does not store the email message data.
SendGrid retains email message activity and metadata (such as opens and clicks) for 30 days. For more information, please see SendGrid’s security policies.
When authenticating with third-party integrations, Rocketbook does not store user credentials; only the access token is stored locally on the user’s device. Rocketbook does not store any information related to the integrations on its servers.
When sending data and setting up app integrations, Rocketbook uses the proprietary SDK of the integration provider. In cases where an SDK does not exist, the data is sent through the provider's proprietary API using HTTPS.
App Smart Features
OCR Features: Smart Titles, Smart Search, Smart Tags, OCR Transcriptions
When using OCR features, the user's scans are uploaded to the Google Cloud Platform and a request is sent to the Rocketbook API through HTTPS for transcribing. To transcribe the scans, Rocketbook uses the Google Vision API.
After the transcription process is completed, Rocketbook deletes all images from the Google Cloud Platform. In addition, a lifecycle rule is implemented to delete all scans after 1 day.
The transcription data is stored locally on the user’s device; Rocketbook does not store any transcription data on its servers.
When using the Smart List feature, the user's scans are uploaded to the Google Cloud Platform, and a request is sent to the Rocketbook API through HTTPS for transcribing. To transcribe the scans, Rocketbook uses the Google Vision API.
After the transcription process is completed, the Smart List data is stored on MongoDB Atlas, served on AWS in the US-East-1 region.
When using Snapcast, images are uploaded to the Google Cloud Platform and the related metadata is stored on MongoDB Atlas, served on AWS in the US-East-1 region.
The Snapcast URL is hosted on the Heroku Cloud Application Platform, in the United States. For more information about Heroku, please see Heroku’s security policy.