Rapid7 Privacy Policy

Data Privacy Framework Notice Click here for the PDF version
Rapid7 Privacy Policy Click here for the PDF version

Last Updated: May 20, 2024

Our quest to accelerate insight for security and technology practitioners requires collecting and processing certain data, including personal information. We take the privacy of your data seriously, and we support this Privacy Policy with layers of security to safeguard your data.

“Rapid7”, “we”, “our”, and “us” refers to Rapid7, Inc., Rapid7 LLC and any of our corporate affiliates.

This Privacy Policy describes how we collect, use, and disclose information you provide to us, including personal information. For example, we may receive your information when you use our solutions or services or otherwise interact with us (for example, by using our websites or attending our events). In addition, this Privacy Policy covers the information we may collect through our research initiatives.

This Privacy Policy also describes the choices available to you regarding our use of your personal information and how you can access and update this information. We encourage you to read this Privacy Policy carefully when using or providing information to us through our sites, solutions, and services. You understand that by using our sites, solutions, and services, you are accepting our practices as described in this Privacy Policy.

What kinds of information do we collect?

Information you provide directly to us

For example, we collect information you provide in order to access our solutions, use our sites, subscribe to our content, or register for an activity associated with Rapid7. This may include, but is not limited to, your name, email address, telephone number, and mailing address.

If you make a purchase from Rapid7, become one of our vendors, or otherwise establish a relationship with us that involves financial transactions, we collect information about those transactions. This may include, but is not limited to, your credit or debit card information, account and authentication information, tax identifiers, and other billing, delivery, and contact details.

Mobile information will not be shared with third parties/affiliates for marketing/promotional purposes. Text messaging originator opt-in data and consent information will not be shared with any other third parties/Affiliates.

Information we collect to deliver and improve our solutions and services

In order to provide our solutions and services, we must necessarily collect certain information automatically. This also helps us to ensure that our solutions and services are operating correctly. The types of information we collect include:

  • Device and network data
  • User and system behavior
  • Application logs
  • Organizational information
  • Other relevant machine data

We also collect information about the services and solutions that you use and how you use them, such as how often you access our products and which features you use most frequently. We collect this information to improve our services and solutions and your experience with them. For example, we may use this information to reach out to you if you seem “stuck” on a certain process within the solution, to make our solutions more intuitive, or to enhance the solution’s most popular features.

On our sites, Rapid7 and our third-party partners collect information using cookies and other tracking technologies. Please see What are cookies and how does Rapid7 use them? below for more information.

Information from third parties

We receive various types of information from third parties on some occasions, such as when we jointly offer services or sponsor events. We also collect data from third-party security providers and online databases in connection with our research activities that relate to active or historic threats, vulnerabilities, and risks around the world. This can include data like domain names, IP addresses, email accounts, and usernames that are associated with security risks (for example, known compromised accounts and usernames), and we use this information to enhance the security services and solutions we provide to you. Additionally, we also collect certain information from publicly available sources, including the dark web, in connection with our research activities, solutions, and services, in particular to identify and help our customers protect against the likes of historic and/or future security threats, vulnerabilities, and risks. This information can include the likes of domain names, IP addresses, email addresses, and usernames and any other data that might be associated with the applicable security risks of issues identified (for example, known compromised accounts and usernames).

Return to top

How do we use this information?

To deliver, improve, and develop our offerings

We are able to deliver our sites, solutions and services, understand the behavior of attackers, and better help our customers keep their environments safe by using the information we collect above.

In general, we only process our customers' information to deliver our sites, solutions and services. Although we may collect the information listed above, we do not access information that we process on our customer’s behalf, such as user, network, vulnerability, incident, or asset information, unless our customers have requested we do so to investigate issues with our solution or carry out a service.

To communicate with you

We use your information to communicate with you about our sites, solutions, services, features, surveys, newsletters, offers, promotions, and events, and to provide other news or information about Rapid7 and our partners, in accordance with your communications preferences.

We will also use your information to respond to you when you contact us.

To conduct research initiatives

The vast majority of the data we collect through our research initiatives is data that’s publicly available. It is collected to educate and enrich the security community, and foster secure adoption of technology. For example, one of our research initiatives uses the metadata from publicly exposed services to identify large-scale misconfigurations and vulnerabilities in consumer, enterprise, and critical infrastructure systems.

For Advertising Purposes

We may use the information we collect to personalize our advertising and marketing communications and to deliver promotions and offers to you that we think may interest you.

For our Internal Business Purposes

We may use the information we collect for our internal business purposes, such as data analysis, audits, developing new products and services, enhancing our sites, solutions, and services, improving our products and services, identifying site usage trends, and determining the effectiveness of our promotional campaigns.

For Legal Purposes

We may use the information we collect as we believe to be necessary or appropriate: (i) under applicable law; (ii) to comply with legal process; (iii) to respond to requests from public and government authorities; (iv) to enforce this Privacy Policy and our Terms of Use; (v) to protect our operations; (vi) to protect our rights, privacy, safety or property, and/or that of you or others; and (vii) to allow us to pursue available remedies or limit the damages that we may sustain.

Return to top

How is this information shared?

With our customers and organizations participating in or promoting research

We will share information that we identify about security risks and/or incidents that affect or relate to our customers with those customers. Additionally, information related to the research we conduct may be shared with various research and security organizations, including academic institutions or publications, but only when this information is already freely publicly available and/or non-identifiable. We may also publish this research online on our website or through third-party social media sites.

With third-party vendors, consultants, service providers, or other business partners

Some third parties provide services on our behalf and may require access to your information to carry out that work, including billing, customer support, etc. These service providers are authorized to use your information only as necessary to provide the services and solutions in scope and are subject to strict contractual controls to protect the confidentiality and security of your information. If you’re a customer of our products or services, our list of subprocessors is available here. We may also share information with our services providers, including those who host our sites or assist us in providing functionality on our sites, provide data analytics on our sites, and send out emails about our sites and our products and services.

In the case of a merger, sale, financing, or acquisition

We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, divestiture, acquisition of all or a portion of our business to another company or in the unlikely event of bankruptcy. You will subsequently be notified via email and/or via a prominent notice on our sites of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information. The recipient of your information will be informed of the need to protect your personal information in accordance with this Privacy Policy.

For Legal Purposes

We may share personal information with companies, organizations, or individuals outside of Rapid7 if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to:

  • Protect against harm to the rights, property, or safety of Rapid7, our customers or the public.
  • Pursue available remedies or limit damages we may sustain.
  • Meet any applicable law, regulation, legal process, or enforceable governmental request.
  • Detect, prevent, or otherwise address fraud, security, or technical issues.

If we receive a government or law enforcement request for customer data, we will promptly notify the customer and provide them with a copy of the request, unless we are legally prohibited from doing so. Further, we may challenge government or law enforcement requests for customer data that we consider to be overly broad or unlawful.

Return to top

What are cookies and does Rapid7 use them?

What are cookies?

Cookies are small data files that are placed on your computer or mobile device when you visit a website. Cookies are widely used by website owners in order to make their websites work, or to work more efficiently, as well as to provide reporting information.

Cookies set by the website owner (in this case, Rapid7) are called "first-party cookies". Cookies set by parties other than the website owner are called "third-party cookies". Third-party cookies enable third party features or functionality to be provided on or through the website (e.g. like advertising, interactive content and analytics). The parties that set these third-party cookies can recognize your computer both when it visits the website in question and also when it visits certain other websites. For instance, we use Google Analytics and Google Ads to help analyze how users use our sites. If you would like to opt-out from the use of your information by Google Analytics, you may use Google Analytics’ opt-out browser add-on designed for this purpose.

We also may use other third-party tracking technologies, such as pixels to collect or receive information from our sites and elsewhere on the Internet to use such information to enable us to create targeted advertisements and measure the effectiveness of our ads. For additional information on ad targeting and to opt-out of the collection and use of information for ad targeting, please see the paragraph of this Privacy Policy entitled “Interest Based Advertising”.

How does Rapid7 use them?

We use first-party and third-party cookies for several reasons. Some cookies are required for technical reasons in order for our sites to operate, and we refer to these as "strictly necessary" cookies. Other cookies also enable us to track and target the interests of our users to enhance the experience on our sites. Third parties serve cookies through our sites for advertising, analytics and other purposes. 

To view and control the specific types of first and third-party cookies we serve, please visit on the Cookie Preferences link at the bottom of this page.

Interest Based Advertising

We may collect information about your online activities on our sites to provide you with advertising about products tailored to your individual interests. We also may obtain information for this purpose from third-party websites on which our advertisements are served. 

You may see certain advertisements on other websites because we work with advertising partners (including advertising networks) to engage in remarketing and retargeting activities. Our advertising partners allow us to target our messaging to users through demographic, interest-based and contextual means. These partners track your online activities over time and across websites, including our sites, by collecting information through automated means, including through the use of third-party cookies, web server logs and web beacons. They use this information to show you advertisements that may be tailored to your individual interests. The information our advertising partners may collect includes data about your visits to websites that participate in the relevant advertising networks, such as the pages or advertisements you view and the actions you take on the websites. This data collection takes place both on our sites and on third-party websites that participate in the ad networks. This process also helps us track the effectiveness of our marketing efforts. For example, we utilize certain of our advertising partners’ targeted advertising services to show you our advertisements on other websites based on your prior visits to our sites and other online activity. 

Provided that a company participates in industry-developed programs designed to provide consumers choices about whether to receive targeted advertising, you may opt out of interest-based advertising generally through the Network Advertising Initiative website or by visiting http://www.aboutads.info/choices/ (web-based advertising) or http://www.aboutads.info/appchoices (for mobile advertising). To learn more, please visit the websites operated by the Network Advertising Initiative and Digital Advertising Alliance at www.networkadvertising.org/choices. Opting-out does not mean that you will stop receiving advertisements from us. It means that you still stop receiving advertisements from us that have been targeted to you based on your visits and browsing activity across websites over time.

Return to top

California Privacy Rights Act

The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”) provides California residents with specific rights regarding their personal information. The below describes such rights and how you may exercise such rights, and our information practices, including the categories of personal information we collect, use, retain, disclose, sell or share, and how and why we collect, disclose, sell or share such information. 

Consumer Rights

Right to Know

You have the right to request that we disclose what personal information we collect, use, disclose, sell or share. Specifically, you may request that we disclose to you the following:

  1. The categories of personal information we have collected about you.
  2. The categories of sources from which the personal information is collected.
  3. The business or commercial purpose for collecting, selling or sharing personal information.
  4. The categories of third parties with whom we disclose personal information.
  5. The specific pieces of personal information we have collected about you.

You may also request that we disclose to you:

  1. The categories of personal information that we have sold or shared about you and the categories of third parties to whom the personal information was sold or shared, by category or categories of personal information for each third party to whom the personal information was sold or shared.
  2. The categories of personal information that we disclosed about you for a business purpose and the categories of persons to whom it was disclosed for a business purpose.

Right to Request Deletion

You have the right to request that we delete any personal information about you which we have collected from you. If it is necessary for us to maintain your personal information for certain purposes, we are not required to comply with your deletion request. If we determine that we will not delete your personal information when you request us to do so, we will inform you and tell you why we are not deleting it. 

Right to Opt-Out of Sale or Sharing of Personal Information

You have the right to direct a business that sells or shares personal information about you to third parties not to sell or share your personal information. We do not sell your personal information for monetary consideration. However, we do use cookies for targeted advertising purposes. The collection of data through certain cookies for our targeting advertising purposes may be considered a “sale” and is considered “sharing” under the CPRA. To opt-out of having your information sold and shared with third-party website analytics and digital advertising service providers for this purpose, visit our “Do Not Sell or Share My Personal Information” web page. 

Right to Correct Inaccurate Personal Information

You have the right to request a business that maintains inaccurate personal information about you to correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.

Right to Limit Use and Disclosure of Sensitive Personal Information

You have the right to direct a business that collects sensitive personal information about you to limit its use of your sensitive personal information (1) to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services; (2) for certain business purposes; and (3) as authorized by the implementing regulations of the CPRA. Rapid7 does not use or disclose any sensitive personal information for any purpose other than those permitted under the CPRA.

No Discrimination

You have the right not to be discriminated against because you exercised any of your aforementioned rights. 

How to Submit a Request

To exercise the rights described above, you must submit a verifiable request to us. You can do so by emailing us at privacy@js-ayds.com

If you maintain an online account with us, we will verify your identity for a request through the normal account authentication process, meaning you will need to sign on with your username and password.

To submit a verifiable request, you will be asked to provide certain information to help us verify your identity. The information we ask you to provide to initiate a request may differ depending upon the type of request, the type, sensitivity and value of the personal information that is the subject of the request, and the risk of harm to you that may occur as a result of unauthorized access or deletion, among other factors.

You may designate an authorized agent to make a request on your behalf by providing the agent with signed written permission to do so.

If we cannot verify your identity or authority to make the request, we will not be able to comply with your request. We will inform you if we cannot verify your identity or authority. We will only use personal information provided in a verifiable request to verify the requestor’s identity or authority to make the request. 

How we collect, use, disclose, sell and share personal information of consumers

Rapid7 has collected the following categories of personal information and used, disclosed, sold or shared such information in the twelve (12) months prior to the effective date of this Privacy Policy:

Category Disclosed for a Business or Commercial Purpose? Categories of Third Parties to Whom the Information was Disclosed Sold or Shared? Categories of Third Parties to Whom the Information was Sold or Shared Purpose(s) for Selling or Sharing
Identifiers, such as name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, or other similar identifiers. Yes
  • Customers and organizations participating in or promoting research
  • Service providers
  • Law enforcement, courts, governmental / regulatory authorities, companies, organizations, or individuals outside of Rapid7 for legal purposes
  • Third parties as part of a corporate transaction (e.g., merger, sale of company assets, financing, divestiture, acquisition of all or a portion of our business to another company or in the unlikely event of bankruptcy)
No, except for IP address as described in the “Internet or other electronic network activity information” category below. N/A N/A
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as name, signature, address, telephone number, bank account number, credit card number, debit card number, or any other financial information. Yes No N/A N/A
Commercial information, such as records of products or services purchased, obtained, or considered. Yes No N/A N/A
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement Yes Yes Third-party website analytics and digital advertising service providers.
  • to provide and improve our sites;
  • to operate, improve and personalize the products and services we offer, and to give each user a more consistent and personalized experience when interacting with us;
  • to personalize our advertising and marketing communications and to deliver promotions and offers to you that we think may interest you;
  • for security, to detect fraud or illegal activities, and for archival and backup purposes in connection with the provision of our sites;
  • for research and analysis purposes;
  • For our business purposes, such as data analysis, enhancing our sites, improving our products and services, identifying site usage trends, and determining the effectiveness of our promotional campaigns;
  • As we believe to be necessary or appropriate: (i) under applicable law; (ii) to comply with legal process; (iii) to respond to requests from public and government authorities; (iv) to enforce this Privacy Policy and our Terms of Use; (v) to protect our operations or those of any of our affiliates; (vi) to protect our rights, privacy, safety or property, and/or that of our affiliates, you, or others; and (vii) to allow us to pursue available remedies or limit the damages that we may sustain.
Geolocation data Yes Yes

We collect, use and disclose the following categories of sensitive personal information:

Categories of Sensitive Personal Information Collected Disclosed for a Business Purpose? Categories of Third Parties to whom the Sensitive Personal Information is Disclosed
Personal information that reveals account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account Yes
  • Service providers
  • Law enforcement, courts, governmental / regulatory authorities, companies, organizations, or individuals outside of Rapid7 for legal purposes
  • Third parties as part of a corporate transaction (e.g., merger, sale of company assets, financing, divestiture, acquisition of all or a portion of our business to another company or in the unlikely event of bankruptcy)

Rapid7 collects the personal information, including the sensitive personal information, described above from the sources set forth in the section entitled “What kinds of information do we collect?”. Rapid 7 collects and discloses the personal information, including the sensitive personal information, described above for a variety of business purposes as described in the section entitled “How do we use this information” above. 

As set forth in the section entitled “How long do you keep data for?” below, Rapid7 will retain the personal information, including the sensitive personal information, described above for as long as long as your account is active, or as needed to provide you products and/or services.  We will also retain and use your information as necessary for legitimate business reasons, including as needed to comply with our legal obligations, to resolve disputes, and to enforce our agreements. When we have no ongoing legitimate business reason to process your information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your information and isolate it from any further processing until deletion is possible.

Personal Information of Minors

Rapid7 not have actual knowledge that it sells or shares personal information about minors under the age of sixteen.

Return to top

How do we respond to legal requests?

We may share personal information with companies, organizations, or individuals outside of Rapid7 if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to:

  • Protect against harm to the rights, property, or safety of Rapid7, our customers or the public.
  • Meet any applicable law, regulation, legal process, or enforceable governmental request.
  • Detect, prevent, or otherwise address fraud, security, or technical issues.

If we receive a government or law enforcement request for customer data, we will promptly notify the customer and provide them with a copy of the request, unless we are legally prohibited from doing so. Further, we may challenge government or law enforcement requests for customer data that we consider to be overly broad or unlawful.

Return to top

How do we operate our global services and solutions?

Rapid7 may share information internally across our parent, subsidiary, and affiliate companies or with third parties for the purposes defined in this policy. Information collected within the European Economic Area (“EEA”) and the UK may, for example, be transferred to countries outside of the EEA and the UK (including the United States of America) for the purposes described in this policy.

When we transfer EEA, Swiss and UK personal information to non-EEA/non-Swiss/non-UK countries, we will implement appropriate safeguards to protect this information. This may include implementing Standard Contractual Clauses (available here and here) with our customers when we process personal information on their behalf.

For transfers from the EU, UK and Switzerland to the United States, Rapid7 complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. For further information, please see our “Data Privacy Framework Self-Certification Notice”.

Return to top

How will we notify you of changes to this policy?

We may update the Rapid7 Privacy Policy to reflect changes to our information practices. If we make any change in how we use your personal information we will take steps to notify you, which may include notifying you by email (sent to the email address specified in your account) or by means of a notice on this site prior to the change becoming effective. If required by applicable data protection laws, we will seek your consent to any material change in how we use your personal information before that change takes effect.

We encourage you to periodically review this page for the latest information on our privacy practices.

Return to top

How can you manage or delete information about your organization?

Correcting and updating your information

Upon request, Rapid7 will provide you with information about whether we hold any of your personal information. You may access, correct, update or request deletion of your personal information by emailing us at privacy@js-ayds.com. We will respond to your request within a reasonable timeframe and in accordance with applicable data protection laws.

Communications opt-out

We may use your information to send you a newsletter or other marketing communications in accordance with your communication preferences. You may choose to stop receiving our newsletter or marketing communications at any time by following the unsubscribe instructions included in the newsletters or communications. Alternatively, you can opt-out of receiving such newsletters and communications by contacting us at privacy@js-ayds.com.

Customer data

If you opt to end your engagement with Rapid7, you have the opportunity to collect and transfer any data that is possible to export. If you request that Rapid7 delete your data, the request will be processed in accordance with applicable law and regulation.

Return to top

How secure is my data?

We're a security company, so naturally we take data security very seriously. We use appropriate technical and organizational security measures to protect your data against any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the information we process. However, please note that no data transmission over the Internet or data storage system can be guaranteed to be 100% secure. It is your responsibility to protect the security of your login information.

Return to top

How long do you keep data for?

We will retain your information for as long as your account is active, or as needed to provide you products and/or services. If you wish to cancel your account or request that we no longer use your information to provide our offerings, contact us at privacy@js-ayds.com.

We will also retain and use your information as necessary for legitimate business reasons, including as needed to comply with our legal obligations, to resolve disputes, and to enforce our agreements. When we have no ongoing legitimate business reason to process your information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your information and isolate it from any further processing until deletion is possible.

Return to top

I'm from the European Economic Area/the UK – is there anything else I should know?

Legal basis for processing personal information

If you are an individual in the European Economic Area or the UK, our legal basis for collecting and using your information will depend on the information concerned and the specific context in which we collect it.

However, we will normally collect information from you only where we have your consent to do so, where we need the information to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. Where we collect and use your information in reliance on our legitimate interests (or those of any third party), it will normally be obvious from the context what those legitimate interests are. For example, in relation to personal data processed in connection with our provision of services and/or research activities, it is in the legitimate interests of Rapid7 and our customers to detect, remediate and protect against a broad variety of cyber threats.

If we are processing information about you on behalf of a customer in the course of providing our services and solutions to them (i.e. as a data processor), then it is our customer's responsibility to determine the legal basis for the processing we conduct on their behalf. If you ask us about information we are processing on behalf of a customer, we will direct you to speak with the relevant customer.

If you have questions about or need further information concerning the legal basis on which we collect and use your information, please contact us using the contact details provided below.

Additional data protection rights

In addition to your rights to access, correct, update and delete your information described above, and your right to opt-out of communications also explained above, you also have the right to object to processing of your information, ask us to restrict processing of your information or to request portability of your information. You can exercise these rights by contacting us using the contact details provided below.

If we have collected and process your information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your information conducted in reliance on lawful processing grounds other than consent.

If you are unhappy with the way we have processed your information, you have the right to complain to a data protection authority. For more information, please contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area are available here.)

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

Data Protection Officer

To contact our Data Protection Officer, please e-mail privacy@js-ayds.com.

UK representative

Our representative in the UK is Rapid7 International Limited with a registered office at Riverbank House, 2 Swan Lane, London, England, EC4R 3TT.

EU representative

Our representative in the European Union is Rapid7 Ireland Limited with a registered office at 70 Sir John Rogerson’s Quay, Dublin 2, Ireland.

Return to top

Do Not Track

Our sites do not currently take any action when it receives a Do Not Track request. Do Not Track is a privacy preference that you can set in your web browser to indicate that you do not want certain information about your webpage visits collected across websites when you have not interacted with that service on the page. For details, including how to turn on Do Not Track, visit www.donottrack.us.

Return to top

Children

We do not knowingly collect or maintain personal information from any person under the age of 13. No parts of our sites are directed to or designed to attract anyone under the age of 13.

Return to top

How can you contact Rapid7 with questions or concerns?

Mailing Address:

Rapid7, 120 Causeway Street, Suite 400, Boston, MA 02114

Phone:

1.617.247.1717

Email:

privacy@js-ayds.com

Return to top