RapixEngine System (Cloud) Information Security and Privacy Statement
2024.11 First Edition
When you use the “RapixEngine System (Cloud)” (hereinafter referred to as “the System”) provided by Rapixus Co., Ltd. (hereinafter referred to as “the Company”), you entrust your valuable data to the Company for safekeeping. The Company greatly values the security and privacy of your data. Therefore, when you use this service, the Company complies with applicable laws and regulations (such as the Personal Data Protection Act) and uses your data in a lawful manner. In accordance with internal procedures and information security policies, the Company is committed to safeguarding the privacy and security of your data as its primary goal.
I. INFORMATION SECURITY POLICY:
This service provides you with real-time information security monitoring services to ensure the security of cloud networks. The Company will continuously monitor the System’s availability (5x8 hours) to minimize the impact of system interruptions on you. In the unfortunate event of an information security incident (including but not limited to System downtime, data breaches, or unauthorized access to accounts, etc.), the Company will make every effort to preserve relevant evidence and records and make them available for your review.
(1) Definition of Customer Data:
The term “Customer Data” refers to the data you provide while using this service, excluding the “Account Information” required for the service. Account information is defined as the information you provide to the Company for account management purposes, such as account names, email addresses, etc. Account information is subject to the “Privacy Protection Statement” separately. To exercise your rights related to personal data, please refer to the “Exercise of Data Subject Rights” section in the “Privacy Protection Statement.”
(2) Roles and Responsibilities of Both Parties in Information Security and Privacy:
This service is developed, deployed, and maintained by the Company, utilizing infrastructure provided by internationally renowned cloud service providers. This includes virtualization environments, physical host equipment supporting virtualization, related network infrastructure, storage devices, user operation platforms, physical security of cloud data centers, etc.
The Company is responsible for system development, deployment, and maintenance, as well as for the information security requirements and service monitoring/control of cloud service providers. Any significant changes to services or control measures will be announced through public channels; however, the information security of devices and systems deployed on the customer’s premises to collect information security data, as well as of the terminal devices used to access the service (including but not limited to personal computers and handheld devices), is the responsibility of the customer.
You are the controller and processor of your data. When the Company acts as the processor of your data, it will only process data based on your operations or instructions and will never process customer data without proper authorization.
(3) Information Security Act:
1. The information security of the services provided by the Company complies with the standards of ISO 27001, ISO 27701, ISO 27017, and ISO 27018, and is regularly audited by an impartial third party.
2. The development process of this service takes into consideration the possibility of information security issues and the specifications and countermeasures that may be required, and implements them in the management cycle of analysis, development, testing, deployment, and maintenance. Additionally, continuous monitoring is conducted to identify potential technical vulnerabilities in the components, service platforms, and infrastructure used, with ongoing efforts to address and strengthen them.
3. The management of the infrastructure and user operation platforms is conducted in accordance with the Company’s Information Security Management System (ISMS), with backup and restoration drills performed regularly.
4. The system components and data required by the Company to provide this service are regularly backed up, and appropriate backup environments are planned to ensure minimal service interruption (the actual service availability level is 97%, meaning service interruptions do not exceed 7 hours and 25 minutes per year, excluding service interruptions caused by officially announced planned maintenance); if you need to keep your data in a location or storage media outside of this service, you should use the download function to export your data.
(1) The System reserves the right to modify the website’s terms and conditions of use at any time without prior notice. By using this website, you agree to be bound by the terms and conditions of use in their current version.
(2) The Company may suspend or terminate the operation of all or part of the Service due to changes in circumstances or business needs. Except for proportional refunds of unused fees collected for paid services (with remittance fees deducted), and unless users submit applications for special reasons, users may not raise objections or request any compensation. The Company will announce and notify users at least one month before the scheduled suspension or termination date and will refund service rental fees based on the proportion of unused days.
(3) The System reserves the right to interrupt or suspend the service under the following circumstances:
i. The user violates any government regulations or the terms of use of this service.
ii. When the System’s equipment needs necessary maintenance and repair.
iii. When an unexpected failure occurs in the system equipment.
iv. When services cannot be provided due to force majeure factors such as natural disasters or other causes not attributable to the System.
(4) The Company shall not be liable for any damages caused by your use of (or inability to use) the System.
(5) If there are any major changes to the System that may affect the operation of your system, the Company will notify you via email before the changes take effect.
5. In terms of access management, the administration backend of this service operates through highly secure channels, with measures such as restricting connection sources for privileged administrators, identity authentication, and the segregation of the system/development/maintenance/test environments from the real environment.
6. All users of this service access the service with their own unique user ID to ensure that the risk of data misuse and infringement is minimized.
7. You can independently manage access permissions of the System.
8. The System performs daily backups and can restore data from the previous day.
9. You can use log records to review your operational activities on the System, such as login, logout, modifications, etc. Logs are retained for at least 6 months and are securely protected and preserved.
10. The Company enforces strict security control measures to manage cloud service providers and to ensure the integrity, security, and confidentiality of your data.
11. The Company’s infrastructure adheres to the NTP calibration standards of internationally recognized time servers. However, due to potential Internet transmission delays, the displayed time may differ from the national standard time.
(4) Suppliers
By using the System, you agree to authorize the suppliers entrusted by the Company to process the system’s data and perform any actions based on your requirements. If you do not make any request, the suppliers will not make any changes to your data. If you disagree with these suppliers, you may terminate the service.
The 24-hour cloud data center, user service operations, system operations, instructions, and related services are managed by suppliers under a contractual agreement with the Company, which includes information security requirements. If you have any issues related to the suppliers, please contact us.
(5) Data Protection Measures
1. We are obligated to keep your information confidential. Please properly safeguard your account, password, and any information. Do not provide any important information to anyone. When you are no longer using the System, please remember to log out of your account.
2. When using a public computer or someone else’s computer, please ensure that you close the browser or clear the cookie records to prevent others from accessing your information.
(6) Laws
1. The Company strictly abides by the laws and regulations of the Republic of China, including the Personal Data Protection Act. If the Company becomes aware that your instructions or operation methods (including the use of personal data) may violate any laws or regulations, the Company will notify you through appropriate means.
2. When using the System, you must comply with all relevant laws and regulations, including the Personal Data Protection Act and any administrative orders issued by the competent authorities applicable to you.
II. PRIVACY RIGHTS ACT
(1) Storage Location
All customer system data and customer information for this service are stored within the territory of the Republic of China, in strict compliance with its laws. Without your consent, we will not move or replicate your data outside of the country. Any changes will be announced on the official website. If you disagree with the changes, you may terminate the service.
(2) Encryption or Hashing Protection Mechanism
The data transmission generated from your access to the System over public networks is encrypted to protect the integrity and confidentiality of the data during transmission. Additionally, the password that you use for the System is stored after being hashed, and the Company’s backend administrators have no way of knowing your password, reducing the risk of misuse or malicious infringement/access by internal or external parties.
(3) Deletion of Data on Physical Storage Devices
The cloud storage service provided by the Company ensures that, in the event that storage equipment in its infrastructure fails or is replaced, the data on the equipment and the temporary electronic information generated by the Company in collecting, processing, or using your personal data will be securely erased or destroyed within 180 days to ensure that the data cannot be recovered by any means.
(4) Information Security Incident Reporting
1. If you find any suspicious activity while using the System, please notify the Company using the contact information displayed on the website. The Company will follow procedures to understand and analyze the possible situation, and will do its best to reduce the impact on you. During this process, you may be asked to provide information, and the Company will notify you of the results. If the Company confirms that the suspicious activity mentioned previously exists and is likely to affect other customers of the Company, the Company will notify them individually via announcement or email.
2. According to the aforementioned information security policy, the Company will do its best to protect your data. However, if the Company finds any suspicious activities related to your data (such as loss, leakage, or tampering), and the issue is attributable to the Company, we will notify you within one hour upon becoming aware of the incident, as required by the agreement. This notification timeline excludes situations caused by uncontrollable natural disasters.
(5) Violation of Intellectual Property Rights
1. The Company is committed to assisting users and organizations in protecting their intellectual property rights. The Company also strictly prohibits anyone from illegally downloading or installing content that violates the intellectual property of others (including but not limited to audio-visual materials, software, information, images, websites, etc.) including copyrights and trademarks.
2. If you discover any violations of intellectual property rights or other illegal activities, you may use the "Contact Us" feature on the Company’s official website to report the issue. The Company will make every effort to assist you in handling the relevant matters.
(6) Termination of Service
When you no longer wish to use the System, you should apply to the Company to terminate the service. The Company will no longer retain any of your information, or, upon your request, will return or transfer the data to you, while keeping records of the execution.