You own the data you collect with Rapid7 products, and you control access to that data. Your data is used only to provide you with the service that you have subscribed to. If you opt to leave a Rapid7 service, you have the opportunity to collect and transfer any data that is possible to export. If you request that Rapid7 delete all of your data, the request will be processed within 14 days.
You approve before we access your data. We do not sell your data to third parties. Rapid7 maintains metadata about who is using the service, who the primary contact is, and what capabilities you are allowed to use. We also collect basic anonymized metadata about feature usage in order to continue to improve user experience. Rapid7 does not access sensitive customer information, such as user, network, vulnerability, incident, or asset information, unless you have explicitly requested it to diagnose or troubleshoot issues with our service. Please also review the EULA for more details on privacy of your customer contact information.
The Rapid7 Insight platform is comprised of two main components: on-premise collectors and a data processing pipeline. These components are safeguarded through a security-first approach to the data, the infrastructure, and overall operations.
The Insight platform’s collector technology is used to gather information from on-premise networks and securely transfer data into our processing pipeline. These collectors are designed and built from the ground up with the security of your data in mind to ensure we maintain the confidentiality and integrity of all information.
The Insight platform’s analytics engine relies on various NoSQL and relational databases to store and process your data. Each Rapid7 customer is assigned their own relational database schema, which houses all asset names, other human-readable descriptions, and various public keys that support broader security processes related to your infrastructure. Much of the data processed and stored is encrypted at rest using various file or disk level encryption mechanisms.
The Insight platform’s supporting infrastructure is designed to be fully automated to ensure security policies are consistently applied. These policies include two-factor authentication, bastion/jump hosting, service segregation, and by-service defined permissions ensuring least-privilege and access methodologies are applied.
Our Insight platform Delivery and Information Security teams are leading the way in creative and automated mechanisms to deploy highly reliable and horizontally scalable cloud services. We have open sourced many components we’ve built to automate and secure our platform. Please visit our public github repositories to see how we automate and secure many components of our platform.
You know where your data is located. Rapid7 is transparent about the geographic region in which your data is stored. Where possible, we offer the ability to choose the region to which your data will be transmitted, processed, and stored.
We will not disclose your data hosted in the Rapid7 Insight platform to a government or law enforcement except as you direct or where required by law:
We want to know when you find our flaws. As a provider of security software, services, and research, we strive to set an example with our disclosure philosophy. If you believe you have discovered a vulnerability in a Rapid7 product or have a security incident to report, please contact email@example.com. If you feel the need, please use our PGP public key - KeyID: 959D3EDA - to encrypt your communications with us.
Rapid7 is built on a culture of acting with customer best interests in mind. To safely steward our customers' data, we implement foundational and innovative technical controls that reduce the risk of compromise. This right-answer-first approach leads to successful compliance initiatives, not the other way around.
Rapid7 strives to implement best-in-class security practices driven by a blend of published standards. We currently have a SOC 2 Type II in place for the foundation of our platform and are continuing to expand the specific compliance regimes for which we are audited.