// Trust & Security Report

    People Center, Inc. (d/b/a Rippling) logo

    People Center, Inc. (d/b/a Rippling)

    Unified workforce management ('workforce OS') spanning HR (core HR, benefits, recruiting, performance, LMS), Payroll (US + global/EOR), IT (identity, device/MDM, access governance), Finance (spend management, corporate cards, expenses, bill pay, procurement, travel), a PEO offering, a low-code custom-apps builder, and 'Rippling AI' / 'Data Cloud' features layered on the shared data platform.

    Certifications held

    9

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 1
    HELD

    Audits and Certifications (7): SOC 1 - 2 Documents. Trust center About text: 'we have built our platform and our organization to meet stringent global certification and audit requirements including ISO 27001, ISO 27018, ISO 42001, SOC 1 and SOC 2.'

    Verify on trust.rippling.com
    SOC 2 Type II
    HELD

    Audits and Certifications (7): SOC 2 - 2 Documents. Trust center About text: 'we have built our platform and our organization to meet stringent global certification and audit requirements including ISO 27001, ISO 27018, ISO 42001, SOC 1 and SOC 2.'

    Verify on trust.rippling.com
    SOC 3
    HELD

    Audits and Certifications (7): SOC 3 - 1 Document.

    Verify on trust.rippling.com
    ISO/IEC 27001
    HELD

    We have built our platform and our organization to meet stringent global certification and audit requirements including ISO 27001... Audits and Certifications (7): ISO 27001 - 1 Document.

    Verify on trust.rippling.com
    ISO/IEC 27018 (PII protection in public cloud)
    HELD

    We have built our platform and our organization to meet stringent global certification and audit requirements including ISO 27018... Audits and Certifications (7): ISO 27018 - 1 Document.

    Verify on trust.rippling.com
    ISO/IEC 42001 (AI Management System)
    HELD

    We have built our platform and our organization to meet stringent global certification and audit requirements including... ISO 42001... Audits and Certifications (7): ISO 42001 - 1 Document.

    Verify on trust.rippling.com
    CSA STAR Level 2
    HELD

    Audits and Certifications (7): CSA STAR Level 2 - 1 Document. Questionnaires (1): CAIQ.

    Verify on trust.rippling.com
    HIPAA
    HELD

    Trust center 'Additional Documents' list includes a document titled "Rippling's Approach to HIPAA" (confirmed on two independent live fetches of trust.rippling.com). Note: HIPAA has no formal third-party 'certification'; this is a documented compliance posture, not an audited certification like SOC 2/ISO 27001, and no Business Associate Agreement (BAA) language was independently located.

    Verify on trust.rippling.com
    GDPR (posture)
    HELD

    Trust center 'Additional Documents' list includes 'Transfer Impact Assessment Information Sheet (March 2026).pdf' and 'Rippling Sub-processors (April 30, 2026).pdf' -- both standard GDPR cross-border-transfer and Article 28 sub-processor disclosure mechanisms. GDPR itself is a regulatory framework, not a certification Rippling can 'hold'.

    Verify on trust.rippling.com
    > Show 3 unconfirmed / not-held certifications
    PCI DSS
    NOT CONFIRMED

    PCI DSS is NOT among the 7 items in trust.rippling.com's official 'Audits and Certifications' list (SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27018, ISO 42001, CSA STAR Level 2). PCI DSS is referenced only in Rippling marketing/blog copy (e.g. 'Compliance beyond the certifications'), which could not be independently fetched (403) to confirm exact wording or scope (e.g. whether it applies only to the Rippling Spend Management/corporate-card product via a payment partner). Treated as unverified pending direct vendor confirmation.

    source: trust.rippling.com
    ISO/IEC 27701 (Privacy Information Management)
    NOT CONFIRMED

    Not listed among the trust center's 7 audits/certifications; no public evidence found.

    source: trust.rippling.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found; not listed on trust center and not expected for a commercial HR/Finance/IT SaaS without a government-cloud offering.

    source: trust.rippling.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primarily US-based AWS data centers across multiple availability zones (per third-party-corroborated vendor page content); trust center separately lists dedicated data-protection documentation for at least Australia, Canada, and Germany plus a global Transfer Impact Assessment sheet, indicating regional data handling/residency addenda for non-US customers.

    Vendor states customer usage data is not used to train AI models and that 'Rippling AI' follows the same data handling, storage, and privacy standards as the core platform. This claim was corroborated by web search of the vendor's own AI product page (rippling.com/platform/ai) but could not be independently re-fetched verbatim due to the site's bot protection -- treat as medium-confidence pending direct verification.

    // Security controls

    Cloud infrastructure

    Hosted on AWS, described as physically secure US-based data centers across multiple availability zones.

    rippling.com

    Independent audits

    SOC 1 Type 2 and SOC 2 Type 2 reports issued annually by a third-party auditor; a dated third-party penetration test report ('Rippling_PenTest_April_2026.pdf') is listed among trust center 'Additional Documents'.

    trust.rippling.com

    Sub-processor transparency

    Trust center publishes a dated sub-processor list ('Rippling Sub-processors (April 30, 2026).pdf').

    trust.rippling.com

    Insurance / risk transfer

    Trust center lists a Certificate of Insurance evidencing Errors & Omissions (E&O) primary coverage with limits.

    trust.rippling.com

    AI governance

    Holds ISO/IEC 42001 (AI Management System) certification, indicating a formal, audited AI governance program covering Rippling AI features.

    trust.rippling.com

    // Products & data scope

    Core HRHuman resources

    data: Employee PII, org/reporting structure, performance and LMS records

    Foundational data layer other modules build on.

    Payroll (US + Global/EOR)Payroll & compliance

    data: SSNs/national IDs, bank account details, compensation, tax data

    Highest-sensitivity data category; global payroll adds cross-border transfer considerations (Transfer Impact Assessment doc referenced in trust center).

    Benefits administrationHR / insurance

    data: Health plan enrollment and dependent data; adjacent to but not itself a HIPAA-covered-entity function

    Trust center references a dedicated 'Approach to HIPAA' document for this and adjacent workflows.

    IT (identity, device/MDM, access governance)IT security management

    data: Device inventory, SSO/identity and access policy data, not typically regulated payment or health data

    Positioned as an identity/zero-trust and endpoint management layer that enforces policy across the other apps.

    Finance / Spend Management (corporate cards, expenses, bill pay)Corporate finance

    data: Payment card transaction data, expense receipts, vendor bank details

    The module most likely to carry PCI DSS scope; this analyst could not confirm a Rippling-held PCI DSS attestation on the official trust center list (see flags).

    Rippling AI / Data CloudAI / business intelligence

    data: Cross-module HR/IT/Finance data used to power prompts, insights, and automation

    Vendor states customer usage data is not used for AI model training and that AI features inherit core platform privacy/security controls; covered by ISO 42001.

    Custom ApplicationsLow-code platform

    data: Whatever fields a customer chooses to build/store via the platform

    Data scope is customer-defined; inherits platform-level security controls.

    // What to watch

    • PCI DSS is referenced in Rippling marketing/blog copy but is absent from the trust center's own authoritative 7-item 'Audits and Certifications' list -- potential over-claim or product-specific (Spend Management) scope that isn't surfaced platform-wide. Graded held=false pending direct vendor confirmation.
    • HIPAA is graded held=true based on a named trust-center document ('Rippling's Approach to HIPAA'), but HIPAA has no formal third-party certification body -- this reflects a documented compliance posture, not an audited cert equivalent to SOC 2/ISO 27001. No explicit Business Associate Agreement (BAA) language was located.
    • Several vendor sub-pages (rippling.com/trust/security, /trust/compliance, /legal/privacy, /glossary/soc2, /blog/compliance-beyond-the-certifications) returned HTTP 403 to automated fetch (bot protection), so specific claims about encryption details, exact SOC 2 report scope wording, and the AI-training statement rely on third-party search-engine snippets attributing quotes to those vendor pages rather than a first-party verbatim capture by this analyst. Recommend re-verification once direct access is available or via a signed customer-facing trust center login.
    • AI-training 'we do not train on customer data' claim is sourced only via search synthesis of the vendor's AI product page, not a directly re-fetched quote -- treat as medium-confidence until confirmed in the DPA/AI addendum text.
    • QA correction: the original SOC 1 and SOC 2 proof quotes asserted specific report scope ('SOC 1 covers 11 control areas including payroll processing'; 'SOC 2 covers Security, Confidentiality, and Availability'). Two independent live fetches of trust.rippling.com show no such descriptive text renders on the trust center; only the 'Audits and Certifications (7)' list entries and the About paragraph are on-domain. Those unverifiable scope sentences were removed from the proof quotes. The certifications themselves remain held=true (confirmed by 'SOC 1 - 2 Documents' / 'SOC 2 - 2 Documents' and the About text). The specific report-scope details should be re-confirmed against the actual SOC reports before being restated as fact.

    // At a glance

    Pricing model

    Custom/quote-based, per-employee-per-month, modular by product (HR, Payroll, IT, Finance, PEO, Global); no public self-serve price list found

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on People Center, Inc. (d/b/a Rippling)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.rippling.com

    > Browse all vendor trust reports