// Trust & Security Report
People Center, Inc. (d/b/a Rippling)
Unified workforce management ('workforce OS') spanning HR (core HR, benefits, recruiting, performance, LMS), Payroll (US + global/EOR), IT (identity, device/MDM, access governance), Finance (spend management, corporate cards, expenses, bill pay, procurement, travel), a PEO offering, a low-code custom-apps builder, and 'Rippling AI' / 'Data Cloud' features layered on the shared data platform.
Certifications held
9
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.rippling.com“Audits and Certifications (7): SOC 1 - 2 Documents. Trust center About text: 'we have built our platform and our organization to meet stringent global certification and audit requirements including ISO 27001, ISO 27018, ISO 42001, SOC 1 and SOC 2.'”
Verify on trust.rippling.com“Audits and Certifications (7): SOC 2 - 2 Documents. Trust center About text: 'we have built our platform and our organization to meet stringent global certification and audit requirements including ISO 27001, ISO 27018, ISO 42001, SOC 1 and SOC 2.'”
Verify on trust.rippling.com“We have built our platform and our organization to meet stringent global certification and audit requirements including ISO 27001... Audits and Certifications (7): ISO 27001 - 1 Document.”
Verify on trust.rippling.com“We have built our platform and our organization to meet stringent global certification and audit requirements including ISO 27018... Audits and Certifications (7): ISO 27018 - 1 Document.”
Verify on trust.rippling.com“We have built our platform and our organization to meet stringent global certification and audit requirements including... ISO 42001... Audits and Certifications (7): ISO 42001 - 1 Document.”
Verify on trust.rippling.com“Audits and Certifications (7): CSA STAR Level 2 - 1 Document. Questionnaires (1): CAIQ.”
Verify on trust.rippling.com“Trust center 'Additional Documents' list includes a document titled "Rippling's Approach to HIPAA" (confirmed on two independent live fetches of trust.rippling.com). Note: HIPAA has no formal third-party 'certification'; this is a documented compliance posture, not an audited certification like SOC 2/ISO 27001, and no Business Associate Agreement (BAA) language was independently located.”
Verify on trust.rippling.com“Trust center 'Additional Documents' list includes 'Transfer Impact Assessment Information Sheet (March 2026).pdf' and 'Rippling Sub-processors (April 30, 2026).pdf' -- both standard GDPR cross-border-transfer and Article 28 sub-processor disclosure mechanisms. GDPR itself is a regulatory framework, not a certification Rippling can 'hold'.”
> Show 3 unconfirmed / not-held certifications
source: trust.rippling.comPCI DSS is NOT among the 7 items in trust.rippling.com's official 'Audits and Certifications' list (SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27018, ISO 42001, CSA STAR Level 2). PCI DSS is referenced only in Rippling marketing/blog copy (e.g. 'Compliance beyond the certifications'), which could not be independently fetched (403) to confirm exact wording or scope (e.g. whether it applies only to the Rippling Spend Management/corporate-card product via a payment partner). Treated as unverified pending direct vendor confirmation.
source: trust.rippling.comNot listed among the trust center's 7 audits/certifications; no public evidence found.
source: trust.rippling.comNo public evidence found; not listed on trust center and not expected for a commercial HR/Finance/IT SaaS without a government-cloud offering.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primarily US-based AWS data centers across multiple availability zones (per third-party-corroborated vendor page content); trust center separately lists dedicated data-protection documentation for at least Australia, Canada, and Germany plus a global Transfer Impact Assessment sheet, indicating regional data handling/residency addenda for non-US customers.
Vendor states customer usage data is not used to train AI models and that 'Rippling AI' follows the same data handling, storage, and privacy standards as the core platform. This claim was corroborated by web search of the vendor's own AI product page (rippling.com/platform/ai) but could not be independently re-fetched verbatim due to the site's bot protection -- treat as medium-confidence pending direct verification.
// Security controls
Cloud infrastructure
Hosted on AWS, described as physically secure US-based data centers across multiple availability zones.
rippling.comIndependent audits
SOC 1 Type 2 and SOC 2 Type 2 reports issued annually by a third-party auditor; a dated third-party penetration test report ('Rippling_PenTest_April_2026.pdf') is listed among trust center 'Additional Documents'.
trust.rippling.comSub-processor transparency
Trust center publishes a dated sub-processor list ('Rippling Sub-processors (April 30, 2026).pdf').
trust.rippling.comInsurance / risk transfer
Trust center lists a Certificate of Insurance evidencing Errors & Omissions (E&O) primary coverage with limits.
trust.rippling.comAI governance
Holds ISO/IEC 42001 (AI Management System) certification, indicating a formal, audited AI governance program covering Rippling AI features.
trust.rippling.com// Products & data scope
data: Employee PII, org/reporting structure, performance and LMS records
Foundational data layer other modules build on.
data: SSNs/national IDs, bank account details, compensation, tax data
Highest-sensitivity data category; global payroll adds cross-border transfer considerations (Transfer Impact Assessment doc referenced in trust center).
data: Health plan enrollment and dependent data; adjacent to but not itself a HIPAA-covered-entity function
Trust center references a dedicated 'Approach to HIPAA' document for this and adjacent workflows.
data: Device inventory, SSO/identity and access policy data, not typically regulated payment or health data
Positioned as an identity/zero-trust and endpoint management layer that enforces policy across the other apps.
data: Payment card transaction data, expense receipts, vendor bank details
The module most likely to carry PCI DSS scope; this analyst could not confirm a Rippling-held PCI DSS attestation on the official trust center list (see flags).
data: Cross-module HR/IT/Finance data used to power prompts, insights, and automation
Vendor states customer usage data is not used for AI model training and that AI features inherit core platform privacy/security controls; covered by ISO 42001.
data: Whatever fields a customer chooses to build/store via the platform
Data scope is customer-defined; inherits platform-level security controls.
// What to watch
- PCI DSS is referenced in Rippling marketing/blog copy but is absent from the trust center's own authoritative 7-item 'Audits and Certifications' list -- potential over-claim or product-specific (Spend Management) scope that isn't surfaced platform-wide. Graded held=false pending direct vendor confirmation.
- HIPAA is graded held=true based on a named trust-center document ('Rippling's Approach to HIPAA'), but HIPAA has no formal third-party certification body -- this reflects a documented compliance posture, not an audited cert equivalent to SOC 2/ISO 27001. No explicit Business Associate Agreement (BAA) language was located.
- Several vendor sub-pages (rippling.com/trust/security, /trust/compliance, /legal/privacy, /glossary/soc2, /blog/compliance-beyond-the-certifications) returned HTTP 403 to automated fetch (bot protection), so specific claims about encryption details, exact SOC 2 report scope wording, and the AI-training statement rely on third-party search-engine snippets attributing quotes to those vendor pages rather than a first-party verbatim capture by this analyst. Recommend re-verification once direct access is available or via a signed customer-facing trust center login.
- AI-training 'we do not train on customer data' claim is sourced only via search synthesis of the vendor's AI product page, not a directly re-fetched quote -- treat as medium-confidence until confirmed in the DPA/AI addendum text.
- QA correction: the original SOC 1 and SOC 2 proof quotes asserted specific report scope ('SOC 1 covers 11 control areas including payroll processing'; 'SOC 2 covers Security, Confidentiality, and Availability'). Two independent live fetches of trust.rippling.com show no such descriptive text renders on the trust center; only the 'Audits and Certifications (7)' list entries and the About paragraph are on-domain. Those unverifiable scope sentences were removed from the proof quotes. The certifications themselves remain held=true (confirmed by 'SOC 1 - 2 Documents' / 'SOC 2 - 2 Documents' and the About text). The specific report-scope details should be re-confirmed against the actual SOC reports before being restated as fact.
// At a glance
Pricing model
Custom/quote-based, per-employee-per-month, modular by product (HR, Payroll, IT, Finance, PEO, Global); no public self-serve price list found
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on People Center, Inc. (d/b/a Rippling)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.rippling.com