This documentation describes the scope of RapidBee’s data privacy and security policy, including the administrative, technical and physical controls applicable to the services branded as RapidBee (“RapidBee Services”).
Last Updated: Sept. 12, 2024
RapidBee hosts the servers that store Customer Data submitted to the RapidBee Services on Amazon Web Services (AWS) infrastructure. Each instance of the RapidBee Services consists of many servers and other components. Each instance in the primary data center (US East Coast) has multi-availability-zone fault tolerance and a redundant copy in a secondary data center on the US West Coast.
The following security and privacy-related audits and certifications are applicable to RapidBee Services:
RapidBee’s information security control environment that is applicable to the RapidBee Services undergoes an independent evaluation in the form of SOC 1 (SSAE 16 / ISAE 3402), SOC 2 and SOC 3 reports. RapidBee’s most recent SOC 1 (SSAE 16 / ISAE 3402) and SOC 2 reports are available upon request from your organization’s RapidBee account executive.
Additionally, RapidBee Services uses third-party software to monitor server security, which includes infrastructure vulnerability assessments and application security assessments.
RapidBee Services include a variety of configurable security controls that allow customers to tailor the security of the RapidBee Services for their own use.
SECURITY PROCEDURES, POLICIES, AND LOGGING
The RapidBee Services operate in accordance with the following procedures to enhance security:
User access log entries will be maintained, containing date, time, User ID, operation performed (created, updated, deleted, login, logout, reset, activate, inactivate, password change), and source IP address. Note that when the Customer or its ISP uses NAT (Network Address Translation) or PAT (Port Address Translation), the recorded source IP address is that of the translating gateway rather than of the individual user’s device, so it may not identify a single user.
User access log entries are available in Account Management.
Logs will be kept for a minimum of 90 days.
Passwords are not logged under any circumstances.
User passwords are stored with a one-way salted hash.
RapidBee Services include a configurable password policy. Customers can enforce stricter requirements than the defaults by adjusting the company-level password policy.
RapidBee personnel will not set a defined password for a user.
Passwords are reset to a random value, which must be changed on first use, and delivered automatically via email to the requesting party.
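As an added illustration (example code written for this page, not RapidBee’s own implementation), the following Python shows one way the password handling described above fits together: a random per-user salt with a one-way key-derivation hash, a support-initiated reset that replaces the hash with an unguessable temporary value that no operator chooses, and a must-change flag that is enforced at the next login. The algorithm (PBKDF2-HMAC-SHA256), iteration count, salt length, temporary-password length and the UserRecord structure are all assumptions; the page specifies none of them.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Assumed parameters: the page says only "one-way salted hash". PBKDF2-HMAC-SHA256
# with a 16-byte per-user salt and 600k iterations is a reasonable current choice.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
TEMP_PASSWORD_BYTES = 18     # 24 URL-safe characters, 144 bits of entropy


@dataclass
class UserRecord:
    """Hypothetical stored record: the password itself is never kept, only salt + hash."""
    user_id: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # One-way: nothing recovers `password` from the result.
    # Salted: two users with the same password get different hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(user_id: str, password: str) -> UserRecord:
    salt = os.urandom(SALT_BYTES)
    return UserRecord(user_id=user_id, salt=salt, pw_hash=hash_password(password, salt))


def verify_password(user: UserRecord, candidate: str) -> bool:
    # Constant-time compare so response timing does not reveal how much of the hash matched.
    return hmac.compare_digest(user.pw_hash, hash_password(candidate, user.salt))


def reset_password(user: UserRecord) -> str:
    """Reset to a random value that no operator picks. The stored salt and hash are
    replaced and the account is flagged so the temporary value cannot be kept.
    The returned string is what would be e-mailed to the requesting party; it must
    never be written to a log."""
    temporary = secrets.token_urlsafe(TEMP_PASSWORD_BYTES)
    user.salt = os.urandom(SALT_BYTES)          # fresh salt on every password change
    user.pw_hash = hash_password(temporary, user.salt)
    user.must_change_password = True
    return temporary


def login(user: UserRecord, password: str) -> str:
    """Returns 'denied', 'change_required' or 'ok'. A temporary password authenticates
    only far enough to reach the change-password step."""
    if not verify_password(user, password):
        return "denied"
    if user.must_change_password:
        return "change_required"
    return "ok"


def change_password(user: UserRecord, current: str, new: str) -> bool:
    if not verify_password(user, current):
        return False
    user.salt = os.urandom(SALT_BYTES)
    user.pw_hash = hash_password(new, user.salt)
    user.must_change_password = False
    return True
```

After a reset, login with the old password is denied because its hash has been overwritten, and login with the temporary value returns 'change_required' rather than 'ok'; only change_password clears the flag.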
RapidBee, or an authorized third party, will monitor the RapidBee Services for unauthorized intrusions using network-based intrusion detection mechanisms. RapidBee may analyze data collected from users’ web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security purposes, including to detect compromised browsers, to prevent fraudulent authentications, and to ensure that the RapidBee Services function properly.
All RapidBee systems used in the provision of the RapidBee Services log information to their respective system log facility in order to enable security reviews and analysis.
RapidBee maintains security incident management policies and procedures. To the extent permitted by law, RapidBee promptly notifies impacted customers of any actual or reasonably suspected unauthorized disclosure of their Customer Data by RapidBee or its agents of which RapidBee becomes aware.
Access to RapidBee Services requires authentication via user ID/password or SAML-based federation, as determined and controlled by the customer. Following successful authentication, a random session ID is generated and stored in the user’s browser to preserve and track session state.
RapidBee supports multi-factor authentication using SMS or email. Tenants can configure multi-factor authentication for each user profile.
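Added example (not RapidBee code) of the post-authentication steps described in the two paragraphs above: a one-time code delivered over the MFA channel configured on the user profile, checked with an expiry, an attempt limit and single use, and then an unguessable session identifier handed to the browser. The code length, validity window, attempt limit, server-side HMAC key, cookie name and cookie attributes are assumptions not stated on the page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed policy values; the page names only the SMS/email channels and the per-profile setting.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
OTP_MAX_ATTEMPTS = 5
# Hypothetical server-side key kept outside the database: a 6-digit code has only one
# million possible values, so a plain hash of it is trivially reversed if the pending-OTP
# table leaks; an HMAC under a key the attacker lacks is not.
OTP_HMAC_KEY = secrets.token_bytes(32)


@dataclass
class Profile:
    user_id: str
    mfa_channel: Optional[str] = None   # None, "sms" or "email": configured per user profile
    contact: Optional[str] = None       # phone number or e-mail address for that channel


@dataclass
class PendingOtp:
    code_mac: bytes
    expires_at: float
    attempts_left: int = OTP_MAX_ATTEMPTS


def _mac(code: str) -> bytes:
    return hmac.new(OTP_HMAC_KEY, code.encode("ascii"), hashlib.sha256).digest()


def issue_otp(profile: Profile, now: float) -> tuple:
    """Returns (code to deliver, server-side record). The caller sends `code` via
    profile.mfa_channel; only the MAC of the code is stored."""
    if profile.mfa_channel not in ("sms", "email"):
        raise ValueError("MFA not configured for this profile")
    code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    return code, PendingOtp(code_mac=_mac(code), expires_at=now + OTP_TTL_SECONDS)


def check_otp(record: PendingOtp, submitted: str, now: float) -> bool:
    """Rejects expired codes, enforces the attempt budget (the real defence against
    guessing a 6-digit value online), and consumes the code on success."""
    if now > record.expires_at or record.attempts_left <= 0:
        return False
    record.attempts_left -= 1
    if not hmac.compare_digest(record.code_mac, _mac(submitted)):
        return False
    record.attempts_left = 0      # single use: a replayed code is refused
    return True


def new_session_id() -> str:
    # 256 bits from the OS CSPRNG; carries no user information and cannot be predicted
    # from earlier session IDs.
    return secrets.token_urlsafe(32)


def session_cookie(session_id: str) -> str:
    # Hypothetical cookie name; the attributes keep the ID off plain HTTP, away from
    # page scripts, and out of cross-site requests.
    return f"rb_session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def complete_login(profile: Profile, password_ok: bool, record: Optional[PendingOtp],
                   submitted_otp: Optional[str], now: float) -> Optional[str]:
    """Returns a session ID only when the password check passed and, if the profile
    has MFA configured, the one-time code also verified."""
    if not password_ok:
        return None
    if profile.mfa_channel is not None:
        if record is None or submitted_otp is None or not check_otp(record, submitted_otp, now):
            return None
    return new_session_id()
```

Timestamps are passed in explicitly (rather than read from the clock inside the functions) so the expiry and lockout paths can be exercised deterministically.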
Data centers provided by Amazon Web Services and used to provide the RapidBee Services have access control systems that permit only authorized personnel to enter secure areas. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are physically secured by around-the-clock guards, two-factor access screening (including biometrics) and escort-controlled access, and are supported by on-site back-up generators in the event of a power failure.
All networking components, load balancers, web servers and application servers are deployed in a redundant configuration. All Customer Data submitted to the RapidBee Services is stored on a primary database server with active real-time replication for higher availability, on carrier-class disk storage using redundant devices and multiple data paths to ensure reliability and performance. All Customer Data submitted to the RapidBee Services, up to the last committed transaction, is automatically replicated on a near-real-time basis to the secondary site. It is also backed up nightly, and backups are retained on backup media for an additional 30 days in production environments, after which they are securely overwritten or deleted from the RapidBee Services.
RapidBee Services utilize secondary facilities that are geographically remote from their primary data centers, along with required hardware, software, and Internet connectivity, in the event RapidBee production facilities at the primary data centers were to be rendered unavailable.
The RapidBee Services’ disaster recovery plans currently have the following target recovery objectives: (a) restoration of the RapidBee Services within 48 hours after RapidBee’s declaration of a disaster; and (b) restoration of Customer Data within 24 hours. These objectives exclude a disaster, or multiple disasters, that compromise both data centers at the same time.
The RapidBee Services do not scan for viruses that could be included in attachments or other Customer Data uploaded into the RapidBee Services by a customer. Uploaded attachments, however, are not executed in the RapidBee Services and therefore will not damage or compromise the RapidBee Services by virtue of containing a virus.
RapidBee Services use industry-accepted encryption to protect Customer Data and communications in transit between a customer’s network and the RapidBee Services; connections are made over HTTPS (HTTP over TLS).
Within 30 days after contract termination, customers may request the return of their Customer Data submitted to the RapidBee Services. RapidBee shall provide such Customer Data as a downloadable file in comma-separated value (.csv) format, with attachments in their native format.
After contract termination, Customer Data submitted to the RapidBee Services is retained in inactive status within the RapidBee Services for 90 days, after which it is securely overwritten or deleted. In accordance with the Reliability and Backup section above, Customer Data submitted to the RapidBee Services (including Customer Data retained in inactive status) will be stored on backup media for an additional 7 days after it is securely overwritten or deleted from the RapidBee Services.
Without limiting the ability for customers to request return of their Customer Data submitted to the RapidBee Services, RapidBee reserves the right to reduce the number of days it retains such data after contract termination. RapidBee will update this RapidBee Security, Privacy, and Architecture Documentation in the event of such a change.
RapidBee does not track individual users’ usage on its service site hosted at us.RapidBee.com.
RapidBee’s COMMITMENT TO PROTECT CUSTOMER DATA
RapidBee is committed to achieving and maintaining the trust of our customers. Integral to this mission is following a consistent data privacy and security policy that carefully considers data protection matters for our services, including data submitted by customers when accessing our services (“Customer Data”).