Statement on Brexit and personal data transfer

Like many other companies that operate globally, Rapid7 has been preparing for Brexit. This preparation has included updates designed to assist customers to continue receiving our solutions and services, as well as transferring data, without interruption. At this time, Rapid7 will continue to operate as normal and no action is required on the part of our customers. For more specific information please see the statement below.

Rapid7 action

As part of our dedication to customer success, Rapid7 has undertaken preparations to ensure that it can continue to transfer data internationally with minimal disruption. Rapid7 has updated its Data Processing Addendum (“DPA”) to incorporate Standard Contractual Clauses (“SCCs”)  to enable customer data flows between the UK and the European Economic Area (“EEA”), as well as between the UK and non-EEA countries, even if the UK does not receive an “adequacy decision” by the European Commission. For more information on how Rapid7 is responding to the evolving legal requirements regarding international data transfers, please refer to the Rapid7 statement on privacy and status of EU-US data transfers post-Schrems II

As an organization with offices and users in the UK and worldwide, Rapid7 is continuing to monitor the situation around Brexit closely, and will update our compliance mechanisms as needed based on the outcome of ongoing negotiations between the UK and EU. 


On January 31, 2020, the UK formally left the EU, otherwise known as “Brexit”. Following Brexit, the UK entered a transition period which ends on December 31, 2020 (the "Transition Period"). During the Transition Period, EU laws will continue to apply in the UK (including GDPR). After the Transition Period, the compliance requirements for personal data transfers from the EEA to UK may change. 

Transfers during the transition period:

  • Between the EEA and the UK: These transfers will not be considered to be transfers to a third country under GDPR, and will not require a specific data transfer mechanism as the UK will continue to be treated as a member state of the EU (“Member State”).
  • From the UK to non-EEA countries: Because GDPR continues to apply (i.e. there is no change to the status quo) the data transfer mechanisms within the DPA, SCCs, can continue to be used for transfers from both the UK and the EEA to the rest of the world without any impact to, or further action needed by, our customers. 

Transfers after the transition period:

  • From the UK to the EEA: These transfers will not require specific data transfer mechanisms under GDPR.
  • From the EEA to the UK: If the European Commission provides the UK with an adequacy decision, then, no specific data transfer mechanism is necessary. In the event that the European Commission does not provide the UK with an adequacy decision, or the adequacy decision is not concluded by the time the Transition Period ends, then the SCCs within the DPA will serve as the approved data transfer mechanism.
  • From the UK to non-EEA countries: Countries which receive an adequacy decision by the European Commission prior to the end of the Transition Period will also be considered to be adequate by the UK government after the Transition Period. This means personal data can be transferred from the UK to these “adequate” countries without a specific data transfer mechanism. For all other countries, the SCCs, which are the existing GDPR data transfer mechanism incorporated into the DPA, will continue to be valid when the Transition Period ends. 

By incorporating SCCs, and other safeguards, Rapid7 is prepared for a range of the potential Brexit scenarios that may be realized.  For information on Rapid7’s data protection safeguards, please visit our Trust page, and for questions about Rapid7 and Brexit, please email