Rapid7 LLC and the EU-U.S. Privacy Shield

Last Updated: January 10, 2022

Rapid7, Inc. and its subsidiary and affiliate companies (Rapid7 LLC (US)) (collectively, “Rapid7”) participate in and have certified compliance with the EU-U.S. Privacy Shield Framework (the “Framework”) as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information transferred from the European Economic Area (“EEA”) and the United Kingdom (the “UK”) to the United States. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov/.

To the extent applicable, Rapid7 is responsible for the processing of personal data it receives, under the Framework, and subsequent transfers to a third party acting as an agent on its behalf. Rapid7 complies with the Privacy Shield Principles for all transfers pursuant to the Framework of personal data from the EEA and the UK, including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to the Framework, Rapid7 is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Rapid7 may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

With respect to personal data received under the Framework, and in accordance with applicable law, data subjects may access, limit the use and/or disclosure of, correct, update or request deletion of their personal information by emailing Rapid7 at privacy@rapid7.com.

In compliance with the Privacy Shield Principles, Rapid7 commits to resolve complaints about our collection or use of your personal information. EEA and UK individuals with inquiries or complaints regarding our Privacy Shield policy should first contact us at privacy@rapid7.com.

Rapid7 commits to cooperate with EU and UK data protection authorities (DPAs) and comply with the advice given by the panel with regard to unresolved Privacy Shield complaints concerning data transferred from the EEA and the UK.

Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.