Trust

Security. Privacy. Transparency.

We understand the inherent trust you are placing in us from the first byte of data you collect with our solutions and take this very seriously. Each aspect of our high availability strategy, third party integrations, and software development lifecycle involves deliberation and is opened to criticism from other parties. Our goal for this page is to be as transparent as possible with the public without revealing enough detail to put our customers at risk. If you would like to know more than is provided here or believe you can improve upon our approach, we welcome the conversation.

Privacy

You own and control your data.

You own the data you collect with Rapid7 products, and you control access to that data. Your data is used only to provide you with the service that you have subscribed to. If you opt to leave a Rapid7 service, you have the opportunity to collect and transfer any data that is possible to export. If you request that Rapid7 delete all of your data, the request will be processed within 14 days.

You approve before we access your data. We do not sell your data to third parties. Rapid7 maintains metadata about who is using the service, who the primary contact is, and what capabilities you are allowed to use. We also collect basic anonymized metadata about feature usage in order to continue to improve user experience. Rapid7 does not access sensitive customer information, such as user, network, vulnerability, incident, or asset information, unless you have explicitly requested it to diagnose or troubleshoot issues with our service. Please also review the EULA for more details on privacy of your customer contact information.

Read our full privacy policy >

 

Security

We have a deliberate approach to platform security.

The Rapid7 Insight platform is comprised of two main components: on-premise collectors and a data processing pipeline. These components are safeguarded through a security-first approach to the data, the infrastructure, and overall operations.

View operational status >
Download Cloud Security Overview >

  • Collectors Getting Your Data

    The Insight platform’s collector technology is used to gather information from on-premise networks and securely transfer data into our processing pipeline. These collectors are designed and built from the ground up with the security of your data in mind to ensure we maintain the confidentiality and integrity of all information.

  • Data Processing Analyzing & Storing

    The Insight platform’s analytics engine relies on various NoSQL and relational databases to store and process your data. Each Rapid7 customer is assigned their own relational database schema, which houses all asset names, other human-readable descriptions, and various public keys that support broader security processes related to your infrastructure. Much of the data processed and stored is encrypted at rest using various file or disk level encryption mechanisms.

  • Infrastructure Protecting & Scaling

    The Insight platform’s high availability infrastructure is designed to be fully automated to ensure security policies are consistently applied. These policies include two-factor authentication, bastion/jump hosting, service segregation, and by-service defined permissions ensuring least-privilege and access methodologies are applied.

  • Delivery Innovating & Automating

    Our Insight platform Delivery and Information Security teams are leading the way in creative and automated mechanisms to deploy highly reliable and horizontally scalable cloud services. We have open sourced many components we’ve built to automate and secure our platform. Please visit our public github repositories to see how we automate and secure many components of our platform.

Transparency

We want your critical eye on our approach.

You know where your data is located. Rapid7 is transparent about the geographic region in which your data is stored. Where possible, we offer the ability to choose the region to which your data will be transmitted, processed, and stored.

We will not disclose your data hosted in the Rapid7 Insight platform to a government or law enforcement except as you direct or where required by law:

  • We do not offer direct access to customer data. We believe that you should control your own data. Rapid7 does not give any third party (including law enforcement, other government entity, or civil litigant) direct or unfettered access to customer data except as you direct.
  • We redirect law enforcement and other third-party requests to the customer. When we receive a government or law enforcement request for customer data, we will promptly notify you of any third-party request, and give you a copy unless we are legally prohibited from doing so.
  • We do not give access to platform encryption keys. We do not provide any government with our encryption keys or the ability to break our encryption.

We want to know when you find our flaws. As a provider of security software, services, and research, we strive to set an example with our disclosure philosophy. If you believe you have discovered a vulnerability in a Rapid7 product or have a security incident to report, please contact security@rapid7.com. If you feel the need, please use our PGP public key - KeyID: 959D3EDA - to encrypt your communications with us.

Read our full vulnerability disclosure policy >

 

Compliance

We don’t cut corners and we don’t stop improving.

Rapid7 is built on a culture of acting with customer best interests in mind. To safely steward our customers' data, we implement foundational and innovative technical controls that reduce the risk of compromise. This right-answer-first approach leads to successful compliance initiatives, not the other way around.

Rapid7 strives to implement best-in-class security practices driven by a blend of published standards. We currently have a SOC 2 Type II in place for the foundation of our platform and are continuing to expand the specific compliance regimes for which we are audited.

Still have unanswered questions?