Security Policy

Last updated: March 15, 2026

At Rackline, security is foundational to everything we build. This policy outlines how we protect your data, our infrastructure, and our commitment to maintaining the highest security standards across all operations.

1. Infrastructure Security

All data is encrypted in transit using TLS 1.3 with strong cipher suites. Data at rest is encrypted using AES-256 encryption across all storage systems, including databases, block storage, and backups. Our infrastructure runs on enterprise-grade hardware in Tier III+ data centers with redundant power, cooling, and network connectivity. All servers are hardened according to CIS benchmarks and undergo regular security patching. Network segmentation ensures strict isolation between customer workloads. Each customer's resources operate in isolated virtual private networks with no cross-tenant network access. Firewall rules follow the principle of least privilege, allowing only explicitly authorized traffic.

2. Access Controls

Access to customer data and production infrastructure is restricted to authorized personnel on a need-to-know basis. All internal access requires multi-factor authentication (MFA), VPN connectivity, and role-based access control (RBAC). Employee access is reviewed quarterly and revoked immediately upon role change or termination. All administrative actions are logged in an immutable audit trail with a minimum retention period of 12 months. Customer accounts support multi-factor authentication, API key management with granular permissions, and session management with configurable timeout policies. We recommend enabling MFA for all accounts.

3. Data Centers and Compliance

Our infrastructure is hosted in SOC 2 Type II certified data centers located in the United States, Europe, and Asia-Pacific regions. Data center facilities feature:

- 24/7 physical security with biometric access controls, CCTV surveillance, and on-site security personnel.
- Redundant power systems with UPS and diesel generator backup capable of sustaining operations for a minimum of 72 hours.
- Climate-controlled environments with N+1 redundant cooling systems.
- Fire detection and suppression systems with pre-action dry pipe sprinkler systems.

We maintain compliance with SOC 2 Type II, ISO 27001, and GDPR requirements. Annual third-party audits verify our compliance posture and the effectiveness of our security controls.

4. Incident Response

Rackline maintains a comprehensive incident response plan that is tested and updated regularly. Our incident response process includes:

- Detection — Continuous monitoring using automated alerting systems, intrusion detection systems (IDS), and log analysis. Our security operations team monitors alerts 24/7.
- Containment — Upon detection of a security incident, our team immediately works to contain the threat and prevent further impact. Affected systems are isolated while maintaining service availability where possible.
- Investigation — Our security team conducts a thorough investigation to determine the scope, cause, and impact of the incident. We engage third-party forensics specialists when appropriate.
- Notification — We notify affected customers within 72 hours of confirming a data breach, in compliance with GDPR and applicable regulations. Notifications include details about the incident, data affected, and remediation steps.
- Remediation — We implement corrective actions to address the root cause and prevent recurrence. Post-incident reviews are conducted to identify improvements to our security posture.

5. Vulnerability Reporting

We welcome responsible disclosure of security vulnerabilities from security researchers and the broader community. If you discover a vulnerability in our systems, please report it to our security team at:

security@rackline.net

When reporting a vulnerability, please include:

- A detailed description of the vulnerability and its potential impact.
- Steps to reproduce the issue, including any proof-of-concept code or screenshots.
- Your contact information for follow-up communication.

We ask that you do not publicly disclose the vulnerability until we have had reasonable time to investigate and remediate the issue. We aim to acknowledge vulnerability reports within 24 hours and provide an initial assessment within 5 business days.

We do not pursue legal action against security researchers who report vulnerabilities in good faith and in accordance with responsible disclosure practices.

6. Certifications

Rackline maintains the following security certifications and compliance frameworks:

- SOC 2 Type II — Annual audit covering security, availability, processing integrity, confidentiality, and privacy trust service criteria.
- ISO 27001 — Information security management system (ISMS) certification covering all aspects of our security program.
- GDPR — Full compliance with the General Data Protection Regulation for processing personal data of EU residents.
- PCI DSS Level 1 — Payment Card Industry Data Security Standard compliance for secure handling of payment card information.
- CSA STAR Level 2 — Cloud Security Alliance Security, Trust, Assurance, and Risk certification.

Copies of our SOC 2 report and other compliance documentation are available to customers and prospective customers under NDA. Contact sales@rackline.net to request access.

7. Contact

For security-related inquiries, vulnerability reports, or compliance documentation requests, contact us at:

Security team: security@rackline.net
General inquiries: support@rackline.net

Rackline, Inc.
548 Market Street, Suite 42
San Francisco, CA 94104
United States