Rolli
Trust Center

Security, compliance, and procurement in one place

Everything your legal, security, and procurement teams need to evaluate Rolli—documented here for fast-path review.

Security at a glance

TLS 1.3 · Encryption in transit
AES-256 · Encryption at rest
SOC 2 · Audit in progress
99.9% · Uptime SLA

99.97% uptime over the last 90 days (as of Mar 2026); live status at status.rolli.ai.
400+ organizations trust Rolli for narrative intelligence

Enterprise procurement team? Request the full documentation package.

Security overview · pen test summary · controls documentation · DPA — available under NDA while SOC 2 audit completes (Q3 2026).


Security credentials

Every control listed below is active today, not on a roadmap. The one exception is SOC 2 Type II, where it is the audit itself that is still in progress.

SOC 2 Type II · Audit in progress (2026)
TLS 1.3 · All data in transit
GDPR Ready · EU data handling
AES-256 · Data at rest
99.9% Uptime · SLA guaranteed
No Data Sold · Privacy by design

CONTROLS IN PLACE TODAY

What's already built

TLS 1.3 + HSTS enforced
AES-256 encryption at rest
Automatic key rotation (KMS)
RBAC: team and API key scoping
IP allowlisting per API key
API key usage audit logs
Annual third-party pen test
GDPR DPA available
CCPA compliant
Public-data-only ingestion
99.9% uptime SLA
SOC 2 Type II audit in progress (target Q3 2026)

Overview

Our security posture

Rolli is built on infrastructure designed to meet the security and reliability expectations of enterprise and institutional customers. We apply industry-standard controls across our platform including TLS 1.3 encryption in transit, AES-256 encryption at rest, role-based access controls, audit logging, and annual third-party penetration testing.

Rolli processes publicly available social media data only. We do not collect, store, or process private user data, private messages, or non-public content. This scope is deliberate — all evidence behind Rolli IQ's authenticity scores is publicly verifiable, which matters for enterprise teams whose procurement requires reproducible methodology.

For procurement reviews, enterprise customers can request an interim documentation package (security overview, pen test executive summary, controls documentation, DPA) while our SOC 2 Type II audit completes in Q3 2026. Contact security@rolli.ai.

Compliance

Compliance frameworks

SOC 2 Type II

Active audit — Q3 2026

Active audit underway — target completion Q3 2026. Controls are aligned to the SOC 2 Trust Service Criteria (Security, Availability, Confidentiality). Enterprise customers can request an interim documentation package under NDA while the audit completes.

Contact security@rolli.ai to request the interim package: security overview, pen test summary, and controls documentation.

GDPR & CCPA

DPA Available

Data Processing Agreement (DPA) including Standard Contractual Clauses (SCCs) is available for enterprise customers. CCPA: Rolli does not sell or share personal information for cross-context behavioral advertising.

Email legal@rolli.ai to request a DPA or to exercise data subject rights.

ISO 27001

2026 Roadmap

ISO 27001 certification is on the 2026 product roadmap. Current security controls are aligned with ISO 27001 domains.

Contact us for current certification timeline.

The SOC 2 Type II audit is being conducted by a Big Four accounting firm, with expected completion in Q3 2026. A completed security questionnaire (CAIQ), an architecture overview, and the sub-processor list are available immediately under NDA; request them from security@rolli.ai.

What our certifications mean for you

SOC 2 Type II (In Progress)

Annual third-party audit of our security controls. Expected Q3 2026. Summary available under NDA to qualified enterprise customers. Controls aligned to SOC 2 Trust Service Criteria: Security, Availability, and Confidentiality.

GDPR Compliant

All EU customer data is processed on a lawful basis under GDPR Article 6. Data Processing Agreements are available, including Standard Contractual Clauses, and our sub-processor list is published. Contact legal@rolli.ai for your DPA.

TLS 1.3 + AES-256

All data encrypted in transit (TLS 1.3) and at rest (AES-256 with 90-day key rotation). Zero plaintext storage of sensitive data. HSTS enforced across all endpoints. Older TLS versions rejected.

Encryption

Data encryption

In transit

All data in transit is encrypted using TLS 1.3. API endpoints are served exclusively over HTTPS. Older TLS versions are not accepted. HTTP Strict Transport Security (HSTS) is enforced.

At rest

Data stored in Rolli infrastructure is encrypted at rest using AES-256. Encryption keys are managed through our cloud provider's key management service with automatic rotation.
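The two transport claims above (nothing below TLS 1.3 is accepted; HSTS is enforced) are the ones a reviewer can verify from outside. The added example below is not Rolli's code: it builds a server-side TLS context that refuses older protocol versions, checks a captured Strict-Transport-Security header against a sensible policy (max-age of at least one year, includeSubDomains set), and includes a live probe for a hostname you supply. The sample headers are constructed; only the probe needs network access.

```python
"""Added example (not Rolli's code): offline checks for TLS 1.3-only and HSTS.
Hostnames passed to probe_tls_and_hsts() and the sample headers below are
constructed for illustration."""
import http.client
import socket
import ssl

ONE_YEAR = 31_536_000  # seconds; the usual floor for an HSTS max-age


def tls13_only_server_context() -> ssl.SSLContext:
    """Server context that refuses every protocol version below TLS 1.3.
    A TLS 1.2 client fails the handshake instead of negotiating down."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_findings(headers: dict, min_max_age: int = ONE_YEAR) -> list:
    """Return the reasons a response's HSTS header fails policy ([] = passes)."""
    lookup = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in lookup:
        return ["missing Strict-Transport-Security header"]
    policy = parse_hsts(lookup["strict-transport-security"])
    findings = []
    if policy["max_age"] is None:
        findings.append("max-age directive missing or non-numeric")
    elif policy["max_age"] < min_max_age:
        findings.append(f"max-age {policy['max_age']} is below {min_max_age}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set; subdomains can be downgraded")
    return findings


def probe_tls_and_hsts(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check against a real host (needs network; not exercised by tests).
    1. A client capped at TLS 1.2 must be refused by the server.
    2. The TLS 1.3 response must carry a compliant HSTS header."""
    legacy = ssl.create_default_context()
    legacy.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with legacy.wrap_socket(raw, server_hostname=host):
                downgrade_refused = False  # handshake succeeded: TLS 1.2 still accepted
    except (ssl.SSLError, ConnectionError):
        downgrade_refused = True
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request("HEAD", "/")
    findings = hsts_findings(dict(conn.getresponse().getheaders()))
    conn.close()
    return {"downgrade_refused": downgrade_refused, "hsts_findings": findings}


# Constructed sample headers, as a reviewer might capture them with `curl -I`
GOOD = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
WEAK = {"Strict-Transport-Security": "max-age=300"}

if __name__ == "__main__":
    print("good:", hsts_findings(GOOD))
    print("weak:", hsts_findings(WEAK))
```

Two caveats when reading the result. A TLS 1.3-only listener means clients without TLS 1.3 support (old Java 8 builds, some enterprise TLS-inspecting proxies) fail outright rather than downgrade, which is the intended behaviour but worth telling API consumers. And HSTS without includeSubDomains protects only the exact host, so check the API host and any dashboard host separately rather than assuming one header covers both.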

ACCESS CONTROLS

Access control capabilities

Enterprise-grade access management for teams and API consumers.

SSO / SAML 2.0: On request (Team and Enterprise plans; see the Enterprise FAQ)
Role-Based Access Control (RBAC): Available on the Enterprise tier for API key scoping and team management
Audit logs: Available on the Enterprise tier (API key usage logs and access audit trails)
IP allowlisting: Available per API key on the Professional and Enterprise tiers

Data Handling

Data handling & retention

Data type | Retention period | Deletion policy | Notes
Public social data | Up to 12 months | On account deletion | Publicly available content only
API keys & credentials | Active until rotated | Immediate on revocation | Hashed at rest
Audit logs | 12 months | Per contract / on request | Available on the Enterprise tier
Customer account data | Duration of subscription + 30 days | On account deletion, after the grace period | Details in the DPA

Full retention schedule and deletion procedures available upon request. Contact security@rolli.ai.
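The access-control capabilities listed above (per-key scoping, per-key IP allowlisting, usage audit logs) and the "hashed at rest" entry for API keys in the retention table describe one enforcement model. The added example below is not Rolli's code; it shows one way to implement that model: a key is stored only as a SHA-256 hash and looked up by a public key id, each key carries its own scope set and IP allowlist, and every decision is written to an audit log that never contains the secret. Key format, scope names and IP ranges are constructed for illustration.

```python
"""Added example (not Rolli's code): per-API-key scoping, IP allowlisting,
hashed-at-rest storage and audit logging. Key format, scopes and CIDRs are
constructed for illustration."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

AUDIT_LOG: list = []  # stands in for an append-only audit store


@dataclass(frozen=True)
class KeyRecord:
    key_id: str          # public lookup handle; safe to put in logs
    secret_hash: bytes   # SHA-256 of the secret; the secret itself is never stored
    scopes: frozenset    # actions this key may perform (per-key scoping)
    allow_cidrs: tuple   # ip_network objects allowed to present this key
    revoked: bool = False


def hash_secret(secret: str) -> bytes:
    # The secret is 256 bits of CSPRNG output, so an unsalted SHA-256 is enough:
    # there is nothing for an offline guesser to enumerate, unlike a password.
    return hashlib.sha256(secret.encode()).digest()


def issue_key(scopes, allow_cidrs) -> tuple:
    """Create a key. The full value is returned once; only its hash is kept."""
    key_id = "rk_" + secrets.token_hex(6)
    secret = secrets.token_urlsafe(32)
    record = KeyRecord(key_id, hash_secret(secret), frozenset(scopes),
                       tuple(ipaddress.ip_network(c) for c in allow_cidrs))
    return f"{key_id}.{secret}", record


def revoke(record: KeyRecord) -> KeyRecord:
    """Revocation takes effect on the next authorize() call; the hash stays
    so a replayed key is logged as revoked rather than as unknown."""
    return KeyRecord(record.key_id, record.secret_hash, record.scopes,
                     record.allow_cidrs, revoked=True)


def _audit(key_id: str, client_ip: str, scope: str, outcome: str) -> None:
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "key_id": key_id, "ip": client_ip,
                      "scope": scope, "outcome": outcome})


def authorize(api_key: str, client_ip: str, scope: str, store: dict) -> tuple:
    """Decide one request. Returns (allowed, reason) and logs the decision."""
    key_id, _, secret = api_key.partition(".")
    record = store.get(key_id)
    # Always run the comparison, against a dummy hash if the id is unknown,
    # so timing does not reveal which key ids exist.
    expected = record.secret_hash if record else hash_secret("")
    if not hmac.compare_digest(hash_secret(secret), expected) or record is None:
        _audit(key_id, client_ip, scope, "invalid_key")
        return False, "invalid_key"
    if record.revoked:
        _audit(key_id, client_ip, scope, "key_revoked")
        return False, "key_revoked"
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in record.allow_cidrs):
        _audit(key_id, client_ip, scope, "ip_not_allowed")
        return False, "ip_not_allowed"
    if scope not in record.scopes:
        _audit(key_id, client_ip, scope, "scope_not_granted")
        return False, "scope_not_granted"
    _audit(key_id, client_ip, scope, "ok")
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo: a read-only key pinned to one office range (TEST-NET-3).
    key, rec = issue_key({"read:narratives"}, ["203.0.113.0/24"])
    store = {rec.key_id: rec}
    print(authorize(key, "203.0.113.7", "read:narratives", store))    # (True, 'ok')
    print(authorize(key, "198.51.100.1", "read:narratives", store))   # (False, 'ip_not_allowed')
    print(authorize(key, "203.0.113.7", "write:narratives", store))   # (False, 'scope_not_granted')
    print(AUDIT_LOG[-1])
```

The ordering of the checks is deliberate: the secret is verified before anything else so that an attacker holding only a key id learns nothing about its allowlist or scopes from the returned reason, and the audit entry records the key id and outcome but never the secret, which is what lets the log itself be retained for twelve months without becoming a credential store.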

Sub-processors

Sub-processor list

Provider | Purpose | Region | DPA
Amazon Web Services (AWS) | Hosting & storage | United States | Available
HubSpot, Inc. | CRM & lead management | United States | Available
Brevo (Sendinblue SAS) | Transactional email | European Union | Available
Google LLC (GA4) | Product analytics | United States | Available
Sentry (Functional Software) | Error monitoring | United States | Available

Full sub-processor list with DPA details available upon request to qualified prospects. Contact security@rolli.ai.

Security

Vulnerability management & responsible disclosure

Responsible disclosure

If you discover a potential security vulnerability in Rolli, please report it directly to our security team. We commit to acknowledging reports promptly and keeping you updated through the resolution process.

security@rolli.ai

Security testing

Rolli conducts an annual third-party penetration test of its infrastructure and application layer, in addition to ongoing internal security reviews. Penetration test executive summaries are available to enterprise customers under NDA. Contact security@rolli.ai for the most recent assessment date.

ROADMAP

Security roadmap & disclosure

Where we are, what's coming, and how to request full documentation.

SOC 2 Type II

Q3 2026

SOC 2 Type II audit is currently in progress. Expected completion: Q3 2026. Enterprise customers can request an interim documentation package under NDA — contact security@rolli.ai.

Data Retention

Active

Public social data is retained for up to 12 months; customer account data for the subscription term plus a 30-day grace period (see the retention table under Data handling). Deletion requests are processed within 48 hours of account closure or written request. Contact security@rolli.ai to initiate deletion.

Pen Testing

Annual

Annual third-party penetration testing of infrastructure and application layer. Last test: Q4 2025. Executive summary available to enterprise customers under NDA — contact security@rolli.ai.

Availability

Uptime & SLA

99.97% · Uptime over the last 90 days (as of Mar 2026)
99.9% · Target uptime SLA
< 1 hour · Incident response target
status.rolli.ai · Status page
On request · Enterprise SLA

Live uptime and incident history at status.rolli.ai. Enterprise SLA terms available on request — contact your account representative or security@rolli.ai.

Enterprise Procurement

Procurement fast-path checklist

The items below represent the most common requests from enterprise procurement and legal teams. Items marked "Available" can be accessed directly or upon request; items marked "On request" require contacting our security team.

10 of the 11 items below are available now or on request; ISO 27001 certification is on the roadmap.

Security overview & posture statement: Available
SOC 2 Type II report (under NDA): On request
GDPR Data Processing Agreement (DPA), including SCCs: On request
ISO 27001 certification: Roadmap
Sub-processor list: Available
Penetration test summary (most recent): On request
Business Continuity & Disaster Recovery plan: On request
Acceptable Use Policy: Available
Privacy Policy: Available
Responsible disclosure policy: Available
Uptime history & SLA documentation: On request

Enterprise Pathway

Pre-SOC-2 Enterprise Pathway

SOC 2 Type II certification is in progress (expected Q3 2026). While we complete certification, enterprise procurement teams can access the following directly — no waiting required.

Security Questionnaire (CAIQ)

Completed Cloud Security Alliance Consensus Assessment Initiative Questionnaire — ready for your procurement team.


Pen-Test Coordination

We can coordinate a third-party penetration test commissioned by an enterprise prospect against an agreed scope. The executive summary of our own most recent test is available under NDA.

Architecture Review (NDA)

NDA-protected architecture review call with our security team. Covers infrastructure, data flows, access controls, and encryption model.

Contact

Request security documentation

For procurement reviews, DPA requests, penetration test summaries, or any security question, email us directly or use the contact below. We aim to respond within 1 business day.

Security & Compliance Team

security@rolli.ai

Responses within 1 business day. For urgent security disclosures, include "[SECURITY]" in your subject line.

Architecture

Security architecture

Technical controls in place today, documented for security reviewers and procurement teams.

Control | Specification | Status
Data in transit | TLS 1.3 (AES-256-GCM) · HSTS enforced · HTTP strictly redirected to HTTPS | active
Data at rest | AES-256 encryption · Keys rotated every 90 days via cloud KMS | active
Authentication | SSO / SAML 2.0 available · MFA enforced for all admin accounts | active
Access controls | Role-based (RBAC) · Principle of least privilege · Per-key scoping | active
Audit logs | All data access logged · 12-month retention · Available on the Enterprise tier | active
Network security | IP allowlisting per API key · WAF enabled · DDoS protection | active
Penetration testing | Annual third-party pen test · Last: Q4 2025 · Summary on request | active
SOC 2 Type II | Audit in progress · Expected completion Q3 2026 · Interim docs available | in progress
ISO 27001 | Controls aligned to ISO 27001 domains · Certification on 2026 roadmap | roadmap

Talk to a reference customer

We'll connect you with a security or comms team using Rolli in a similar context to yours.


Data Promise

Our customer data commitment

Three things we commit to, unconditionally, for every customer on every plan.

Your data is never sold

We do not sell, rent, or share your data with third parties for any commercial purpose. Your data is used exclusively to provide you the Rolli service.

Full deletion within 48 hours

You can request complete deletion of your data at any time. We process deletion requests within 48 hours of account closure or on written request to security@rolli.ai.

We monitor platforms — not you

Rolli monitors public social media content so you can understand the information environment. We do not monitor your private communications, internal systems, or personal accounts.

Security

Responsible disclosure policy

We take security seriously. If you discover a vulnerability in Rolli's systems, please report it responsibly. We commit to working with you transparently and promptly.

Respond within 48 hours

We acknowledge all security reports within 48 hours of receipt and provide a timeline for investigation.

Fix critical issues within 30 days

Critical vulnerabilities are prioritized for remediation. Our internal patch policy targets 72 hours for critical severity (see the Enterprise FAQ); 30 days is the outer bound we commit to for addressing a confirmed critical issue.

Credit reporters in our changelog

Security researchers who responsibly disclose vulnerabilities are credited by name in our public changelog, with their permission.

Report a vulnerability

Email security@rolli.ai with "[SECURITY]" in the subject line. Please include steps to reproduce, potential impact, and your contact information.

Enterprise FAQ

Common security & compliance questions

Is Rolli GDPR compliant?

Yes. Rolli processes data in compliance with GDPR Article 6 (lawful basis for processing). Rolli collects and processes only publicly available social media data — it does not process special category data or private personal information at scale. EU and EEA customers can request a Data Processing Agreement (DPA) including Standard Contractual Clauses (SCCs). Contact legal@rolli.ai.

Does Rolli store raw social media content?

Rolli stores metadata and analysis outputs — sentiment scores, authenticity scores, engagement metrics, and narrative classifications — rather than raw social media content. The full scope of data processing, retention periods, and deletion procedures is detailed in our Data Processing Agreement, available to enterprise customers on request.

Can Rolli support single sign-on (SSO)?

Yes. SAML 2.0 SSO is available on Team and Enterprise plans. Rolli supports integration with Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, and other SAML 2.0-compliant identity providers. MFA is enforced for all admin accounts regardless of SSO configuration. Contact your account representative or security@rolli.ai to configure SSO.

Where is Rolli's infrastructure hosted?

Rolli's infrastructure is hosted on Amazon Web Services (AWS) in the United States. EU data residency options are available for enterprise customers with specific regulatory requirements — contact security@rolli.ai to discuss your requirements.

How does Rolli handle a security incident affecting customer data?

Rolli maintains a documented incident response plan. In the event of a security incident affecting customer data, we commit to notifying affected customers within 72 hours of confirmation. For customers acting as GDPR controllers, this supports their own Article 33 obligation to notify the supervisory authority within 72 hours of becoming aware of a personal data breach; as a processor, Rolli notifies controllers without undue delay under Article 33(2). The notification will include the nature of the incident, the data affected, the steps taken, and recommended actions for affected customers.

What is Rolli's vulnerability patch policy?

Critical severity vulnerabilities: remediation target within 72 hours (the 30-day figure in our responsible disclosure policy is the outer bound we commit to for externally reported critical issues). High severity: within 14 days. Medium severity: within 30 days. Low severity: addressed in the next scheduled release cycle. Findings from our annual third-party penetration test are turned into a prioritized remediation plan that is tracked to completion.

Have a question not listed here? Email our security team — we respond within 1 business day.
