Security Policy Overview 

Welcome to Rapta, Inc.’s comprehensive Security Policy, where safeguarding our digital infrastructure and protecting our customers’ privacy is paramount. As a technology-driven company, we understand the critical importance of maintaining robust security measures to uphold the trust and confidentiality of our stakeholders. This policy outlines our commitment to implementing and enforcing comprehensive security protocols across all facets of our operations, ensuring the integrity, availability, and confidentiality of our systems and data. With the ever-evolving landscape of cybersecurity threats, we remain dedicated to proactively identifying risks, implementing preventive measures, and fostering a culture of security awareness among our team members. Together, we strive to maintain the highest standards of security to safeguard our assets and uphold the trust of our customers and partners.

The Rapta Security Policy is organized into three main sections: 

  1. Data Protection: This section focuses on protecting the confidentiality, integrity, and availability of the organization’s data assets. It includes policies and procedures related to data classification, encryption, access controls, data handling and storage, data retention and disposal, and compliance with data protection regulations.
  2. Security Governance: This section outlines the governance framework for managing security within our organization. It defines the roles, responsibilities, and accountabilities of key stakeholders and personnel involved in security management. It also includes policies and procedures related to risk management, compliance, security awareness training, incident response, and policy review and updates.
  3. Development, Security, and Operations (DevSecOps): DevSecOps refers to the integration of security practices into the software development and deployment process. This section focuses on incorporating security considerations and controls into the organization’s software development lifecycle (SDLC) and DevOps practices. It includes policies and procedures for secure coding practices, secure configuration management, continuous integration and deployment (CI/CD) pipeline security, and collaboration between development, security, and operations teams.

Data Protection Policy 

This Data Protection Policy establishes the guidelines and procedures for safeguarding the confidentiality, integrity, and availability of Rapta’s data assets. This policy applies to all employees, contractors, vendors, and third parties who have access to Rapta Inc.’s data assets or are involved in the collection, processing, storage, or transmission of data on behalf of the organization. 

Introduction 

Data protection is fundamental to our business operations and is essential for maintaining the trust of our customers, partners, and stakeholders. We are committed to ensuring the confidentiality, integrity, and availability of our platform, adhering to industry best practices and the framework of ISO (International Organization for Standardization). Data protection is at the core of our architecture, and our product is designed, built, and operated with this in mind.  

Data Classification 

Data will be classified based on its sensitivity and criticality to the organization. Classification levels will include but not be limited to: 

  • Public: Information intended for public consumption. 
  • Internal: Information restricted to employees and authorized personnel. 
  • Confidential: Highly sensitive information requiring strict access controls and protection measures. 

We collect data from the manufacturing floor to provide you with the service you purchased. This includes contact information so we can communicate with you about the service and, should you purchase our product, the information we need to bill you. All requests to collect and store data are reviewed by the Data Protection Officer (DPO). This person confirms the business need to record the information and assigns it to the system that has the appropriate controls.

Rapta retains four types of data: 

  1. Personal data that we ask our users to provide so we can respond to their product inquiries and provide them with our services.
  2. Personal data that they may provide but is optional, like their name, email and phone number. A user can supply this for every organization for which they are a member, forming a User Profile. User Profiles are distinct to each organization, allowing a user to present different personal information to each of their groups.
  3. Telemetry and logs that we collect about our product usage and performance that may have potentially identifying information, like an IP address, so we can see how users interact with our service and ensure proper functioning of the system. A subset of this information is visible to Team Admins in the Team Log.
  4. Customer manufacturing process data including but not limited to photos, videos, text, test or calibration data.

Data Handling and Storage 

Data will be handled and stored in accordance with its classification level and applicable laws and regulations. Access to confidential and sensitive data will be restricted to authorized personnel on a need-to-know basis. Data is stored in secure locations with appropriate physical and logical access controls to prevent unauthorized access or disclosure.  

The foundation of data protection in Rapta is on-premises isolation. By default, your data is retained within the physical Rapta Computer that resides on your premises and we may only create a copy or backup if you request us to do so. We apply strong protections to the data, including encryption of the data at rest and infrastructure-level access controls.  Unless otherwise elected, all customer data is stored on customer premises within the customer’s IT infrastructure.  

System information, such as operational logs and configuration data, is stored within the AI Computer.  Only Rapta system administrators have access to this system information. Further, high-sensitivity data, such as encryption keys, are stored in dedicated hardware TPM devices in a secure storage device.  Access is controlled through the mechanisms provided by the underlying system, e.g. the database enforces a distinct set of roles, users, and permissions that are defined within our infrastructure.  Internally, we follow the principle of least privilege, which means that our employees and service accounts are only granted the limited access they need to perform their tasks.   

User data may be collected if the customer elects to have an operator or supervisor log into the Rapta station. The information collected includes usernames, time-stamped activities including steps and manufacturing assemblies completed, photos and videos. We make every effort to install the Rapta system in a manner that only looks at the work piece; however, incidental photos or videos of people may be recorded by the Rapta system.

Each class of data that is partitioned is stored in a system that is appropriate both for security and for operational efficiency. If the user elects for a cloud storage option, then data is stored in secure third-party systems that comply with Rapta’s privacy and security policy. For a complete list of partitions and the storage infrastructure, please see “Appendix 1: Data Storage Locations”.   

Access Controls 

Access to data is granted based on the principle of least privilege, ensuring that users have access only to the data necessary for performing their job functions. We implement stringent access controls to ensure that only authorized personnel can access the platform. This includes role-based access control (RBAC), strong authentication mechanisms, and regular access reviews. Access to sensitive data will be regularly reviewed and audited to ensure compliance with access control policies and detect any unauthorized access attempts. 

Staff are only allowed to access our systems with accounts that are centrally managed via our IT department. Our policy requires that users use two-factor authentication and that passwords have a minimum level of complexity. The account management system that contains these accounts provides a report on password strength which is periodically reviewed by engineering management. Accounts are immediately disabled when a staff member is no longer affiliated with Rapta.    

Data stored in the various partitions needs to be accessed by different users and systems. We define the permissions necessary for a specific role, and then explicitly grant the necessary role for the duration it is needed. This is true across all our systems and data, and the person responsible for determining roles and durations is designated based on the purpose of the system.  

In some cases, Rapta is the data controller for customers’ personal information we request. For personal data, this is true in two cases: the data we request for responding to product inquiries and the data we require to provide the services. We are also the controller for operational data, such as telemetry and logs.   

We are the data processor, and our users are the controllers, for all other data that the users supply as they use our product. This includes all data they create and upload as they manage their manufacturing process and create and run assemblies. This includes data they enter manually, such as the name, part number, description or specific assembly step data, and data they upload or import through linking to other data sources.   

Product Infrastructure Roles 

Our product environment includes development, staging, and production environments. Our engineers work with our code in the development environment. We do internal testing on our stage environment, where employees simulate customer data to ensure the proper functioning of the system. Customers are only given access to the production system. Data provided by those customers is only stored in the production system, and it is never copied out of that environment by us.    

Engineers are only granted access to the production environment when it is required to ensure the proper functioning of the system. This access is restricted to lead engineers who have been trained on the importance of preserving customer privacy.    

Data Retention and Disposal 

We retain data for a minimum of 5 years and in some cases longer but only as long as is necessary to fulfill our obligations to you, our customer. Once those obligations have been met, we strive to delete the data from our system as soon as is practically possible. We honor requests to delete user information, and all our communications methods include links to unsubscribe. The details of our policy are in our Data Retention Policy document.   

Retention for sales and marketing   

When users inquire about our product, we collect information to determine the nature of their request.  We collect contact information, such as name, company address, email address or phone number. A user may choose to sign up to our electronic mailing list without requesting further contact from our sales organization. They do this through an explicit link that has clear, unambiguous language indicating that they are signing up for a mailing list. All automated messages from the list include an unsubscribe link.   

Retention of data for product usage   

As users interact with our product, they provide data, including manufacturing information, telemetry, and data used to create assemblies. We implement rolling logs on Rapta on-premises systems, and logs collected for operational purposes are automatically deleted after a defined period. Telemetry is only stored in aggregated form, and no personal identifying information, such as a name or email address, is retained.

We log and store the activity of users and the team administrator can audit most activity. Log entries track who made a change to an object, the time they changed it, and a reference to the object that was changed. This and any other data that the user chooses to provide to us as they interact with the product is retained for as long as they have an account with us.    

Data Privacy  

The data we retain is protected from unauthorized access through a variety of methods. In some cases, such as our sales or marketing databases, we rely on external partners to secure our data. We select third party vendors that define and enforce strong security policies, and that comply with all applicable laws and regulations.   

As users interact with our product, we may collect telemetry that describes their usage behavior. We do not collect personally identifying information for users in telemetry, but we do record the generated numeric IDs of the objects used in requests. This information is stored in a separate telemetry system with dedicated authorization controls.   

When a user asks to join our mailing list, we collect their email address and request other identifying information.  This information is stored in an entirely separate system. There is no connection between this system and any of our operational infrastructure. This is also true for users who interact with our sales team: all information the user provides is stored in the sales management system, again with no connection to our product infrastructure. In each case, access is only granted to the relevant employees, with permissions enforced by the respective system.   

In all cases, the user is the owner of their personal information. They may access, review, and update their information via the tools we provide in the product. If the user information we retain is incorrect and you cannot update it, please contact support. We will update the information as requested by you.   

A user may request that we delete their personal information at any time. Any optional information can be deleted directly through the interface. Otherwise, please notify us that you’d like us to remove your information by sending an email to our support organization. You can also email support to receive a copy of all information we have about you. We will notify you within 45 days of how we handled your request.   

Compliance 

Adherence to this Data Protection Policy is mandatory for all employees, contractors, vendors, and third parties. Violations of this policy may result in disciplinary action, up to and including termination of employment or contract, as well as legal consequences for individuals found to have compromised the security or privacy of data assets. 

For a complete list of storage locations and relevant privacy policies, please see “Appendix 1: Data Storage Locations”.

Security Governance Policy 

At Rapta, Inc., we recognize that effective security governance is essential for ensuring the confidentiality, integrity, and availability of our information assets. This Security Governance Policy outlines our approach to establishing and maintaining a robust security governance framework to guide our organization in managing security risks effectively.  

The purpose of this policy is to: 

  • Define the roles, responsibilities, and accountabilities for managing security within our organization. 
  • Establish clear processes and procedures for identifying, assessing, and mitigating security risks. 
  • Ensure compliance with relevant laws, regulations, and industry standards. 
  • Foster a culture of security awareness and accountability across all levels of the organization. 

Scope 

This policy applies to all employees, contractors, vendors, and third parties who have access to Rapta, Inc.’s information assets or are involved in the development, implementation, or maintenance of our systems and services. 

Governance Structure 

Security Committee 

The Security Committee will be responsible for overseeing the development, implementation, and monitoring of security policies, procedures, and initiatives. 

Chief Information Security Officer (CISO) 

The CISO will lead the Security Committee and serve as the focal point for all security-related matters within the organization. The CISO will be responsible for: 

  • Developing and maintaining security policies, standards, and guidelines. 
  • Conducting regular risk assessments and security audits. 
  • Ensuring compliance with relevant security regulations and standards. 
  • Providing security awareness training and education to employees. 
  • Investigating and responding to security incidents and breaches. 

Rapta’s CISO is Matthias Daue, our CTO: security@rapta.ai

Security Roles and Responsibilities 

All employees will have specific security responsibilities outlined in their job descriptions and/or security awareness training. These responsibilities may include: 

  • Protecting sensitive information from unauthorized access, disclosure, or alteration. 
  • Reporting any security incidents or suspicious activities promptly. 
  • Adhering to security policies, procedures, and guidelines. 
  • Participating in security awareness training and education programs. 

Continuous Improvement  

We are committed to continuously improving our security posture by: 

  1. Regularly reviewing and updating our security policies and procedures.
  2. Staying informed about emerging threats and vulnerabilities.
  3. Conducting regular security audits and assessments.
  4. Engaging with industry peers and experts to share best practices and lessons learned.

Risk Management 

Rapta Inc. utilizes a risk management process to identify, assess, prioritize, and mitigate security risks effectively. This process includes: 

  • Regular risk assessments to identify and evaluate security threats and vulnerabilities. 
  • Implementation of controls and safeguards to mitigate security risks to an acceptable level. 
  • Ongoing monitoring and review of security controls to ensure effectiveness and compliance. 

Compliance and Regulatory Requirements 

Rapta Inc. is committed to complying with all applicable laws, regulations, and industry standards related to information security. The organization will regularly review and update security policies, procedures, and controls to ensure compliance with evolving regulatory requirements.   We adhere to the following ISO standards:  

  1. ISO 27001: Information Security Management System (ISMS)
  2. ISO 27002: Code of Practice for Information Security Controls
  3. ISO 27018: Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds

Security Awareness and Training 

Rapta Inc. will provide regular security awareness training and education to all employees to ensure they are aware of their security responsibilities and equipped with the knowledge and skills to protect company assets effectively. 

Security awareness training will be provided as an outsourced service. Rapta is currently evaluating third-party providers and plans to have Security Awareness and Training identified and implemented by Q4 2024.

Incident Response and Management 

Rapta Inc. will maintain an incident response plan to guide the organization’s response to security incidents and breaches. The plan will outline procedures for detecting, reporting, assessing, containing, and mitigating security incidents, as well as communicating with stakeholders and conducting post-incident reviews to identify lessons learned and improve future response efforts.

Policy Review and Updates 

This Security Governance Policy will be reviewed annually and updated as necessary to reflect changes in the organization’s security posture, business environment, or regulatory requirements. Amendments to the policy will be communicated to all relevant stakeholders and incorporated into security awareness training and education programs. 

Enforcement 

Adherence to this Security Governance Policy is mandatory for all employees, contractors, vendors, and third parties. Violations of this policy may result in disciplinary action, up to and including termination of employment or contract, as well as legal consequences for individuals found to have compromised the security of Rapta’s and Rapta customers’ information assets.

Secure Software Development Lifecycle 

Rapta Inc. integrates security practices into every aspect of the software development lifecycle, from planning and coding to deployment and monitoring. Our DevSecOps strategy integrates security practices into the DevOps process to ensure that security is prioritized throughout the software development lifecycle. This ensures we can proactively identify and address security risks, improve the resilience of our applications and infrastructure, and accelerate the delivery of secure software. The key components of our DevSecOps strategy, as they relate to security, include:

Planning and Development 

Security Integration: security is integrated into the early stages of the development lifecycle. We perform threat modeling and risk assessments to identify and mitigate potential security vulnerabilities. 

Code Development: our developers use secure coding guidelines tailored to the programming languages and frameworks used in the project. We use memory-safe programming languages. 

Version Control: a version control system is used to manage code changes and maintain a history of modifications. This system supports branching and merging strategies for managing features and fixes. 

Continuous Integration and Testing 

Automated Builds: the build process is automated, to include compilation, unit testing, and integration testing using a continuous integration (CI) tool. This ensures that every commit triggers an automated build. 

Security Testing: we implement automated security testing as part of the CI process. This includes static application security testing (SAST) to analyze the code for security issues at commit time. 

Artifact Repository: we use an artifact repository to store the build outputs securely. Our quality assurance team ensures that the artifacts are versioned and traceable back to the corresponding source code. 

Configuration Management 

Infrastructure as Code (IaC): we utilize technology similar to Ansible to automate the configuration of hardware and software. This ensures that all devices are configured consistently and in compliance with security policies. 

Change Management: we apply a change management process for all configurations and scripts used in the IaC setup to ensure traceability and auditability. 

Continuous Deployment 

Automated Deployment: the deployment process is automated using IaC tools. Our DevOps team ensures that the deployment scripts are tested and stored securely in the source control. 

Update Control: a controlled update mechanism (facilitated by IaC tools) is used to roll out updates to the hardware devices. This includes phased rollouts and canary releases to minimize the impact of any potential issues. 

Rollback Mechanisms: our customer support team utilizes automated rollback capabilities to revert devices to a previous configuration if an update fails or introduces new vulnerabilities. 

Monitoring and Feedback 

Monitoring: Rapta continuously monitors the devices for operational and security issues. We use centralized logging and monitoring tools to detect and respond to incidents in real-time. 

Feedback Loops: we establish feedback mechanisms from the monitoring systems back to the development teams. This way, we ensure that insights gained from operations are used to improve future code and configuration updates. 

Compliance and Auditing 

Security Audits: we regularly perform security audits and compliance checks in-house to ensure that the devices meet relevant security standards and regulations. 

Documentation: we maintain comprehensive documentation of the DevSecOps processes, security controls, and audit trails for regulatory and troubleshooting purposes.

DevSecOps Culture: we foster a culture where security is a shared responsibility across all teams involved in the lifecycle of the hardware devices.

Appendix 1: Data Storage Locations   

Supporting systems for company operations: 

System | Data Retained | Privacy/Security Policy | Location
Close | Customer data related to sales inquiries | https://www.close.com/security | USA
Microsoft Azure | Any cloud database, dev, staging or testing environments | https://azure.microsoft.com/en-us/explore/security | USA
Microsoft 365 | Customer data relating to sales and engineering | https://learn.microsoft.com/en-us/microsoft-365/security/?view=o365-worldwide | USA