Rapyd Security

From day one Rapyd has embedded security into every aspect of our business.

Security is fundamental to how we develop our product and applications, our infrastructure, data storage, and even corporate operations such as employee onboarding & life cycle, data retention & access, and more.

Our top priorities include protecting sensitive individuals and company data and developing products and services that meet and exceed security, privacy, and regulatory requirements and best practices. Below is an outline of the many components of Rapyd’s strict security measures. For questions or additional information contact our security team at [email protected].

SECURITY POLICY AND GOVERNANCE

This section delves into Rapyd’s Information Security Policy and its governance model. The company security policy defines the principles, rules, and guidelines for securing data, infrastructure, and operations. The governance model outlines the roles and responsibilities of individuals involved insecurity decision-making and enforcement.

Rapyd’s cloud-based platform infrastructure is stored in the AWS cloud environment. All data and infrastructure are replicated to remote AWS availability zones located in the US East 1 region. In addition, Rapyd holds a data center in the AWS Europe West 1 region, as a data recovery solution. To maintain the most up-to-date security measures, we frequently conduct security assessments on systems and infrastructure. Rapyd maintains a comprehensive asset inventory of our current network infrastructure, which allows us to perform daily vulnerability scans, on both infrastructure and applications and APIs. Any compromised asset is being remediated instantly. All endpoints are managed and covered by a leading endpoint protection platform with additional managed services. Contractors’ endpoints have additional security control installed as a precautionary measure.

Rapyd puts great effort into protecting its products, actively implementing measures and best practices to mitigate the OWASP top 10 risks and security considerations throughout the entire application lifecycle, and performing continuous risk assessments and monitoring. Rapyd utilizes threat modeling, design and code reviews, periodic penetration testing, and a bug bounty program as well as other security measures.

Rapyd utilizes Cloud Security Posture Management (CSPM) tools to continuously monitor and assess the security posture of its cloud infrastructure. CSPM enables real-time visibility into the security configuration of cloud resources, ensuring compliance with best practices and security policies. Automated alerts and remediation capabilities assist in addressing potential misconfigurations or security gaps promptly.

Databases are managed by a dedicated team, engaged in keeping them up to date, scalable and replicated, and accessed on the need-to-know principle. Databases are replicated through AWS availability zones to ensure continuous operations of our products and services. Rapyd’s operations center monitors the databases and in case of failure, traffic is immediately routed to the backup database, making it the master. Rapyd personnel stand ready 24/7 to analyze and correct any faults.

Rapyd conducts regular and automated backups of its critical systems and databases, ensuring that data is captured at frequent intervals. The backup strategy takes into account the volume of data and the required recovery point objectives (RPOs) to ensure that data loss is minimized in the event of an incident. Backups are encrypted during transit and at rest, guaranteeing the confidentiality of the data throughout the backup process.

Rapyd defines data retention policies to govern the duration for which backup data is retained. These policies are aligned with regulatory requirements and business needs. By adhering to these policies, Rapyd avoids unnecessary storage costs while ensuring the availability of historical data when required.

Rapyd enforces strong and complex password policies and mandatory multi-factor authentication (MFA)for all connections and applications. All systems are accessed via a Single Sign On (SSO) mechanism. Additional MFA challenges exist for access to sensitive information and infrastructure. Rapyd has strict access control processes, based on the need-to-know principle, and access to company resources is granted only from company-managed devices. The Information Security team conducts a periodic review of access authorization and permissions of internal and external users. Privileged accounts are managed by the IT team and are validated periodically by the Information Security Team.

Data protection measures include encryption, passkey-protected access control, hardware security modules (HSM), tokenization methods, certificates, and more. For data at rest, we employ strong encryption and length standards, and for data at motion, internally and externally, we use SSL and TLS certificates by trusted providers. Rapyd has built-in processes for data classification and data retention, as a basis for access control management.

Rapyd’s privacy program is comprehensive and takes into account data privacy regulations around the globe, with the EU GDPR as the guiding principle for practicing privacy. Rapyd is committed to protecting personally identifiable information (PII) and employs a global privacy team, conducting continuous
compliance analysis and internal audits, and remediation. Rapyd has a clear data subject request process that allows individuals to approach Rapyd with requests concerning their personal information.
Rapyd has a level 1 PCI-DSS certification from a leading global QSAa and a SOC2 Type II report by a global top-5 accounting firm. Cardholder data is stored encrypted in a separate database, located in a separate and isolated virtual privacy cloud (VPC) also known as Vault, which is secured and compliant with the strictest standards. All connections between the Vault VPC and API VPC are done through an AWS peerconnection and a dedicated VPN-like connection, with matching certificates and a managed firewall.
Each new user completes security awareness training with an emphasis on PCI-DSS, GDPR plus other security guidelines. Training is mandatory and at least annually for all users. Additionally, the information security team periodically engages users with internal email campaigns and gamification techniques.
Rapyd is engaged with multiple vendors, service providers, and other 3rd parties to provide its products and services, some of them are considered subprocessors. Vendors are going through a due diligence process prior to onboarding, including both security and privacy teams. reviewing data protection, authentication methods, privacy practices, and more. 3rd parties sign an NDA with Rapyd and go through security training once onboarded to Rapyd systems.
Rapyd invests heavily in risk management practices to gain visibility on potential threat and loss events. Such practices include a periodical business impact analysis which allows us to recognize our crown jewels – assets and liabilities that may cause a substantial impact on Rapyd operations, security risk assessments on both corporate assets and our products, operational risks, and more.
Rapyd maintains a robust incident response plan to promptly detect, respond to, and recover from security incidents. The plan outlines roles, responsibilities, and escalation procedures to effectively handle security breaches, data breaches, or other incidents that may compromise the confidentiality, integrity, or availability of data and services. The incident response team is well-trained and conducts regular simulations and exercises to ensure a swift and coordinated response during actual incidents.
Rapyd employs cloud-based high availability and different Availability Zones, complemented by a thorough Business Impact Analysis (BIA) to ensure uninterrupted operations during disruptions. BCP includes redundancy, clear protocols, Crisis Management, and staff training.
Rapyd’s DRP leverages cloud-based solutions, different Availability Zones, and regular testing to rapidly restore critical systems and data. Redundant storage, disaster recovery sites, and real-time replication enhance data resilience. Comprehensive documentation supports effective execution during disasters.

RAPYD BUG BOUNTY

Report a bug on Rapyd.net or the Client Portal. 

For questions or additional information, please contact us:

Security: [email protected]