v6.2 Released
Welcome to the initial release of the Rapid7 trust center! Please feel free to explore, and if there are documents you would like to see, please "request access" and agree to the terms of our NDA. Thanks!

Begin your security review

View & download information relating to our security practices and data handling

Overview

Security at Rapid7 encompasses more than just our products. Rapid7 has policies and procedures in place to keep both our data and products secure, so that we can continue to keep our Customers secure. At Rapid7, we strive to create a great experience for customers and make the most successful security technologies and practices accessible to all. It is our priority to ensure you have the information you need to trust Rapid7 as a security partner. We have created this Trust Profile to provide transparency and to give you access to the latest security information and security artifacts to help you successfully conduct due diligence on Rapid7. If you still have questions after reviewing our documentation, we are happy to address them. Kindly contact your account representative via email with your additional questions.

Compliance

Rapid7 is Trusted by

Documents

FAQ

Who can access our data?

We strive to ensure that the fewest people possible have access to your data, and only on an as-needed basis. Support, Software Developers, and Operations Engineers have access to data to support application development and troubleshooting. Additionally, Rapid7 collects Usability Data to help us improve our solutions and services and Security System Data to deliver the Insight platform. For more details on these data types, please visit our Transparency page. Sales and Solution Engineers only have access to your Security System Data if you choose to use a production environment for a proof-of-concept. Sales, Marketing and other customer support teams have access to contact information, sales data, and Usability Data for product support and product analytics.

Will Rapid7 share our data?

Rapid7 does not give any third party direct or unfettered access to customer data except as you direct or when required by law. We redirect law enforcement and other third-party requests to the customer. When we receive a government or law enforcement request for customer data, we will promptly notify you and provide you with a copy of the request, unless we are legally prohibited from doing so. We do not give access to platform encryption keys. We do not voluntarily provide any government with our encryption keys or the ability to break our encryption, and will challenge overbroad legal demands for this data. To learn more about how Rapid7 handles data, please view our Privacy Policy.

Can we perform our own assessment of Rapid7 systems?

In compliance with our Terms of Service, customers are not permitted to perform assessments of our networks or applications. Rapid7 undergoes third-party network and application penetration testing on an annual basis to ensure our products and corporate IT environments are secure. We are happy to provide letters of attestation from the external firm summarizing the results of this effort and Rapid7’s steps for remediation.

Will you fill out our security questionnaire?

Rapid7 is more than happy to help you with your due diligence needs. We work very hard to provide high quality information about our security program, the security of our products, and Rapid7 procedures for keeping customer data secure. Rapid7 has now introduced a “Documentation First Approach Process”. This approach will simply ensure that all our customers and prospects have all the applicable security artifacts they need to kick off their review of Rapid7 without delay from our OneTrust Profile. Publicly available documents can be downloaded here. If you require additional access to download the Rapid7 SOC2 Type II report and other vital documents, kindly contact your Rapid7 account representative and they will submit a ticket on your behalf to have access provisioned for you. This will allow you to create a OneTrust account and give you access to the platform for 5 business days to download all applicable documents. If you still have questions after reviewing our documentation, we are happy to address them. Kindly contact your account representative via email with your additional questions.

What is Rapid7's data privacy policy?

You can find our full privacy policy at Privacy Policy.

Is a third-party audit report (SOC2 Type II) available?

Yes, these reports can be downloaded from the Rapid7 OneTrust Private Profile. Please contact your Rapid7 account representative and they will submit a ticket on your behalf to have access provisioned for you. This will allow you to create a OneTrust account and give you access to the platform for 5 business days to download the SOC2 Type II report and any other applicable security artifact for your review. If you still have questions after reviewing our documentation, we are happy to address them. Kindly contact your account representative via email with your additional questions.

Trust Center Updates

Security Program Roadmap Published

January 28, 2026

A high-level security and compliance roadmap has been published outlining upcoming initiatives, assessments, and control enhancements.

The roadmap is intended to provide visibility into the continuous improvement of security and risk management programs.

Trust Center Content Refresh

December 20, 2025

The Trust Center has been updated to improve clarity and organization of security and compliance documentation.

This update reflects an ongoing commitment to transparency for customers, prospects, and the public.

Access Control Policy Review

November 22, 2025

A scheduled review of access control and user provisioning policies has been completed.

The review validated role-based access controls, least-privilege principles, and periodic access review procedures.

Incident Response Tabletop Exercise Conducted

October 11, 2025

An incident response tabletop exercise was conducted to test escalation paths, communication workflows, and response procedures under simulated scenarios.

Lessons learned were documented and incorporated into response playbooks.

Third-Party Risk Review Process Updated

September 25, 2025

The third-party risk assessment framework has been updated to reflect evolving security and compliance expectations.

Enhancements include updated due diligence questionnaires, clearer risk scoring, and standardized remediation tracking.

Security Awareness Training Completion

September 25, 2025

All employees have completed annual security awareness training.

Training topics included phishing awareness, data protection, and incident reporting, with completion tracked internally.

Business Continuity & Disaster Recovery Plan Review

August 1, 2025

An annual review of Business Continuity and Disaster Recovery (BC/DR) plans has been completed.

Testing scenarios included simulated system outages and recovery procedures to validate recovery time and recovery point objectives.

Annual Risk Assessment Cycle Completed

May 5, 2025

The annual enterprise risk assessment has been completed.

This process included identifying key operational, security, and compliance risks, validating control coverage, and documenting mitigation plans reviewed by leadership.

Updated Penetration Test Summary Now Available

February 1, 2025

A recent independent penetration test has been completed. A high-level executive summary is available in the Trust Center.

The assessment evaluated application security and infrastructure controls. Identified findings were reviewed, prioritized, and addressed through established risk management processes.

Request an account to download private files

You will receive an account activation email once our team approves your registration. Once logged in, you may download any file or report.
