We strive to ensure that the fewest people possible have access to your data, and only on an as-needed basis.
Support, Software Developers, and Operations Engineers have access to data to support application development and troubleshooting. Additionally, Rapid7 collects Usability Data to help us improve our solutions and services and Security System Data to deliver the Insight platform. For more details on these data types, please visit our Transparency page.
Sales and Solution Engineers only have access to your Security System Data if you choose to use a production environment for a proof-of-concept.
Sales, Marketing and other customer support teams have access to contact information, sales data, and Usability Data for product support and product analytics.
Rapid7 does not give any third party direct or unfettered access to customer data except as you direct or when required by law.
We redirect law enforcement and other third-party requests to the customer. When we receive a government or law enforcement request for customer data, we will promptly notify you and provide you with a copy of the request, unless we are legally prohibited from doing so.
We do not give access to platform encryption keys. We do not voluntarily provide any government with our encryption keys or the ability to break our encryption, and will challenge overbroad legal demands for this data.
In compliance with our Terms of Service, customers are not permitted to perform assessments of our networks or applications.
Rapid7 undergoes third-party network and application penetration testing on an annual basis to ensure our products and corporate IT environments are secure. We are happy to provide letters of attestation from the external firm summarizing the results of this effort and Rapid7’s steps for remediation.
We work very hard to provide high-quality information about our security program, the security of our products, and Rapid7 procedures for keeping customer data secure. Our security team is happy to have a conversation if you can’t find the information you need.
Yes, Rapid7 has a current SOC 2 report prepared by a third-party auditor. This report is a comprehensive assessment of the internal controls and information security related to our service.