Security Policy Overview
Thank you for being a Rapta customer. We recognize the trust you place in us, and the security of your data is our highest priority. Because of this, data protection is fundamental to what we do. It is at the core of our architecture, and our product is designed, built, and operated with this in mind. Key tenets of our security policy include:
- API Contracts limit access to only the prescribed data and all inputs are sanitized.
- By default, our production system is completely isolated from the internet, which minimizes external vectors for malicious actors.
- Device firewall limits open ports and services for external integrations.
- Encrypted device security and hardening protect all systems from tampering or reverse engineering attempts.
- Role Based Access Control (RBAC) enforces least privilege access rules.
Unless otherwise elected, all customer data is stored on the customer premises within either the customer’s IT infrastructure or on a Rapta device.
The Data We Retain
We collect data from the manufacturing floor to provide you with the service you purchased. This includes contact information so we can communicate with you about the service and, should you purchase our product, the information we need to bill you. All requests to collect and store data are reviewed by the Data Protection Officer (DPO). This person confirms the business need to record the information and assigns it to the system that has the appropriate controls.
We retain four types of data:
- Personal data that we ask our users to provide so we can respond to their product inquiries and provide them with our services.
- Optional personal data that users may provide, like their name, email and phone number. A user can supply this for every organization of which they are a member, forming a User Profile. User Profiles are distinct to each organization, allowing a user to present different personal information to each of their groups.
- Telemetry and logs that we collect about our product usage and performance that may have potentially identifying information, like an IP address, so we can see how users interact with our service and ensure proper functioning of the system. A subset of this information is visible to Team Admins in the Team Log.
- Customer manufacturing process data, including but not limited to photos, videos, text, and test or calibration data.
Our Role in Data Protection
In some cases, Rapta is the data controller for the personal information we request. For personal data, this is true in two cases: the data we request for responding to product inquiries and the data we require to provide the services. We are also the controller for operational data, such as telemetry and logs.
We are the data processor, and our users are the controllers, for all other data that the users supply as they use our product. This includes all data they create and upload as they manage their manufacturing process and create and run assemblies. This includes data they enter manually, such as the name, part number, description or specific assembly step data, and data they upload or import through linking to other data sources.
We retain data for a minimum of 5 years and in some cases longer but only as long as is necessary to fulfill our obligations to you, our customer. Once those obligations have been met, we strive to delete the data from our system as soon as is practically possible. We honor requests to delete user information, and all of our communications methods include links to unsubscribe. The details of our policy are in our Data Retention Policy document.
Retention for sales and marketing
When users inquire about our product, we collect information to determine the nature of their request. We collect contact information, such as name, company address, email address or phone number. A user may choose to sign up to our electronic mailing list without requesting further contact from our sales organization. They do this through an explicit link that has clear, unambiguous language indicating that they are signing up for a mailing list. All automated messages from the list include an unsubscribe link.
Retention of data for product usage
As users interact with our product, they provide data, including manufacturing information, telemetry, and data used to create assemblies. We implement rolling logs on Rapta on-premises systems, and logs collected for operational purposes are automatically deleted after a defined period of time. Telemetry is only stored in aggregated form, and no personal identifying information, such as a name or email address, is retained.
We log and store the activity of users and the team administrator can audit most activity. Log entries track who made a change to an object, the time they changed it, and a reference to the object that was changed. This and any other data that the user chooses to provide to us as they interact with the product is retained for as long as they have an account with us.
In all cases, the user is the owner of their personal information. They may access, review, and update their information via the tools we provide in the product. If the user information we retain is incorrect and you cannot update it, please contact support. We will update the information as requested by you.
A user may request that we delete their personal information at any time. Any optional information can be deleted directly through the interface. Otherwise, please notify us that you’d like us to remove your information by sending an email to our support organization. You can also email support to receive a copy of all information we have about you. We will notify you within 45 days of how we handled your request.
The foundation of data protection in Rapta is on-premises isolation. By default, your data is retained within the physical Rapta Computer that resides on your premises, and we may only create a copy or backup if you request us to do so. We apply strong protections to the data, including encryption of the data at rest and infrastructure-level access controls. Please see the section “Data Storage and Controls” for details.
User data may be collected if the customer elects to have an operator or supervisor log into the Rapta station. The information collected includes usernames, time-stamped activities (including steps and manufacturing assemblies completed), photos, and videos. We make every effort to install the Rapta system in a manner that only looks at the workpiece; however, incidental photos or videos of people may be recorded by the Rapta system.
As users interact with our product, we may collect telemetry that describes their usage behavior. We do not collect personally identifying information for users in telemetry, but we do record the generated numeric IDs of the objects used in requests. This information is stored in a separate telemetry system with dedicated authorization controls.
System information, such as operational logs and configuration data, is stored within the AI Computer. Only Rapta system administrators have access to this system information. Further, high-sensitivity data, such as encryption keys, is stored in dedicated hardware TPM devices within a secure storage device. Access is controlled through the mechanisms provided by the underlying system; e.g., the database enforces a distinct set of roles, users, and permissions that are defined within our infrastructure. Internally, we follow the principle of least privilege, which means that our employees and service accounts are only granted the limited access they need to perform their tasks.
Sales and Marketing Data
When a user asks to join our mailing list, we collect their email address and request other identifying information. This information is stored in an entirely separate system. There is no connection between this system and any of our operational infrastructure. This is also true for users who interact with our sales team: all information the user provides is stored in the sales management system, again with no connection to our product infrastructure. In each case, access is only granted to the relevant employees, with permissions enforced by the respective system.
Data Storage and Controls
Each class of data that is partitioned is stored in a system that is appropriate both for security and for operational efficiency. If the user elects for a cloud storage option, then data is stored in secure third-party systems that comply with Rapta’s privacy and security policy. For a complete list of partitions and the storage infrastructure, please see “Appendix 1: Data Storage Locations”.
Enforcing Access with Roles
Data stored in the various partitions needs to be accessed by different users and systems. We define the permissions necessary for a specific role, and then explicitly grant the necessary role for the duration it is needed. This is true across all our systems and data, and the person responsible for determining roles and durations is designated based on the purpose of the system.
Product Infrastructure Roles
Our product environment includes development, staging, and production environments. Our engineers work with our code in the development environment. We do internal testing in our staging environment, where employees simulate customer data to ensure the proper functioning of the system. Customers are only given access to the production system. Data provided by those customers is only stored in the production system, and it is never copied out of that environment by us.
Engineers are only granted access to the production environment when it is required to ensure the proper functioning of the system. This access is restricted to lead engineers who have been trained on the importance of preserving customer privacy.
Staff are only allowed to access our systems with accounts that are centrally managed via our IT department. Our policy requires that users use two-factor authentication and that passwords have a minimum level of complexity. The account management system that contains these accounts provides a report on password strength which is periodically reviewed by engineering management. Accounts are immediately disabled when a staff member is no longer affiliated with Rapta.
How we protect the data
The data we retain is protected from unauthorized access through a variety of methods. In some cases, such as our sales or marketing databases, we rely on external partners to secure our data. We select third-party vendors that define and enforce strong security policies and that comply with all applicable laws and regulations.
For a complete list of storage locations and relevant privacy policies, please see “Appendix 1: Data Storage Locations”.
Ensuring Compliance with Policies
Our software is deployed from a central repository using automated systems. All code that is submitted is reviewed for compliance by a lead engineer and must pass approval before it is accepted into the code base. The repository and the deployment tools are contained within our production environment, and access to both the code and those tools is strictly controlled and limited to an as-needed basis.
Data Security Contact
Matthias Daue, CTO: firstname.lastname@example.org
Appendix 1: Data Storage Locations
Supporting systems for company operations.

| System | Data Retained | Privacy/Security Policy | Location |
| --- | --- | --- | --- |
| Close | Customer data related to sales inquiries | https://www.close.com/security | USA |
| Microsoft Azure | Any cloud database, dev, staging or testing environments | https://azure.microsoft.com/en-us/explore/security | USA |
| Microsoft 365 | Customer data relating to sales and engineering | https://learn.microsoft.com/en-us/microsoft-365/security/?view=o365-worldwide | USA |