Security & Compliance

Security & Compliance FAQ Responses

Rewst develops and delivers SaaS products that provide our customers with a Robotic Process Automation platform for automating workflows. Recognizing the need by many of our customers to satisfy vendor due diligence questionnaires, the following responses have been prepared by our security and compliance team.

If you have additional questions, please work with your Rewst point of contact to submit them for a response or contact our security team. To request a copy of the most recent SOC 2 Type 2 audit report, please visit our Trust Center to begin the process.

This page was last updated: 10/07/2025

General Security Program Information

Does your information security program align with industry standards or frameworks?

Rewst is SOC 2 Type 2 certified and aligns our information security program with NIST Cybersecurity Framework (NIST CSF). In addition, we have been successfully audited by a third-party for GDPR compliance.

Do you have a formal Information Security Program in place?

Yes, Rewst is committed to implementing cybersecurity best practices in both our internal IT systems, as well as our Rewst application and associated services.

Do you have a formal authorization process that restricts and controls privileged access rights?

Yes, more information on our process is documented in our SOC 2 Type 2 report.

Is your Privacy Notice/ Privacy Policy externally available?

Yes, policy is publicly available on our website: rewst.io/privacy-policy.

Data Handling

Do services provided include processing of company data?

Rewst is an automation platform that serves managed service providers (MSPs). MSP customers can utilize this platform to automate their workflows. Through the workflow configuration process, customers choose which types of data and accounts they process and manage with the toolset.

Where is data processed? Do your services involve transfer of information?

All Rewst application data processing occurs within Amazon Web Services, Inc., a sub-service organization, for cloud hosting and managed services. Application data processing occurs in the region specified by the customer at the time of tenant provisioning. MSP customer information follows GDPR requirements and processed under contractual clause with sub-processors as part of Data Processing Agreement (DPA) when required.

How do you encrypt customer data?

Data encryption both at-rest and in-transit, more detailed findings are included in SOC 2 audit report, available in our Trust Center.

Do you have a formal process for the removal of data at the end of the engagement?

Yes, we collect, retain, and use collected data in accordance with our publicly available Privacy Policy. Details on data rights and erasure timelines can be found in this document as well.

Does your organization have a Disaster Recovery Plan?

Yes, Disaster Recovery Plan (DRP) is in place. Plan is considered internal/confidential and is not available for distribution to external parties. However, it is included in our SOC 2 Type 2 audit with an independent third-party to ensure that required continuity, disaster recovery, and security controls are met.

Does your organization have an Incident Response Plan?

Rewst has an incident response process, which includes escalation procedures, rapid mitigation, and clear communication.

Policies

Are all personnel required to sign Confidentiality Agreements to protect customer information, as a condition of employment?

Yes, required prior to start on first day of employment.

Are all personnel required to sign an Acceptable Use Policy?

Yes, all personnel are required to sign an Acceptable Use Policy.

Do you have an access control policy in place?

Yes, Rewst has access control policies in place that are based on the principles of role-based access and principle of least privilege.

Security Program Solutions and Vulnerability Management

Is MFA required for employees to log in to production systems?

Does Rewst regularly evaluate patches and updates for your systems, infrastructure, and code vulnerabilities?

Yes, we have an in-depth vulnerability identification and remediation process in place.

How do you ensure code is being developed securely?

Throughout the development process, Rewst has integrated security tools and processes including, but not limited to automated DevSecOps code tests/checks, static and dynamic code testing reviews - SAST & DAST, secrets scanning, dependency security review, and code update (PR) change management processes. Rewst also utilizes third-party pentesting services to test web application security.

Vulnerability Disclosure Program (VDP)

We have partnered with Bugcrowd to manage our vulnerability disclosure program. The Bugcrowd platform allows us to collaborate with security researchers and responsibly address any potential security issues. To learn more, please visit our vulnerability disclosure program page: rewst.io/vulnerability-disclosure.

Do you perform logging and monitoring?

We continuously monitor and log activities across various cloud services, including, but not limited to our Microsoft and Amazon AWS.

Do you have a security awareness training program?

Yes, Rewst has a continuous security awareness training program with metrics reported to management and also conducts internal simulated phishing campaigns on employee accounts.

RoboRewsty AI Processing

Which LLMs are being used?

Rewst and RoboRewsty use the following LLM providers to power our in-platform assistant, RoboRewsty’s, capabilities:

Anthropic’s Claude, hosted on AWS Bedrock (primary LLM).
OpenAI, hosted on AWS Bedrock (backup if Claude is unavailable).

These Bedrock-hosted models do not retain your inputs or outputs and do not use your data to train their services. RoboRewsty uses a private, Bedrock-hosted model path; chats are not fed back into Anthropic or OpenAI for training.

What protections are in place for credentials and secrets when using RoboRewsty?

RoboRewsty and our LLM providers never have access to your credentials, API keys, or other sensitive secrets. To further protect your data, we’ve implemented multiple safeguards:

Sensitive information filtering via Amazon Bedrock Guardrails
- Blocked/Denied topics. RoboRewsty will not process or pass through sensitive strings or keys that provide access to systems, APIs, or accounts. This includes API keys, bearer tokens, OAuth tokens, JWTs, session cookies, and similar secrets. These are automatically blocked from ever being sent to an LLM.
- Masked data. Personally identifiable information (PII) such as email addresses, phone numbers, and physical addresses, as well as user passwords, are automatically masked. If detected in a prompt or response, they are replaced with placeholders like {EMAIL}, {PHONE}, or {NAME} before being processed.
Controlled access through tools and resources. RoboRewsty can only request information through a strict set of pre-approved queries that are non-sensitive in nature.
Encryption in transit. All data exchanged with LLM providers is encrypted using industry-standard protocols.

Is any data transferred outside of Rewst?

When you use RoboRewsty, only minimal data is sent outside of Rewst to our private, Bedrock-hosted LLM providers in order to generate a response. These providers cannot browse your environment. Instead, they can only request that Rewst run pre-approved tools, and Rewst returns only the minimum data required, based on your existing permissions. All such requests are verified and processed by Rewst.

Our LLM providers are stateless, so any data shared to generate a response is discarded after processing and never used to train their models. Because they are hosted on Amazon Bedrock, all data is also protected with encryption at rest and in transit.

How is my data protected when I use RoboRewsty?

Your data is protected through multiple layers of security controls designed to ensure RoboRewsty can only access what you’re already permitted to see, and that your data remains secure throughout the entire process.

Controlled Data Requests

RoboRewsty, and the LLM providers that power its features, cannot browse your data freely. Instead, it can only request information through a list of controlled and pre-approved tools and resources that Rewst has created. When these requests come in Rewst verifies if the request fits within these pre-approved tools and whether they should be accepted based on existing roles and permission.

Data in Transit

All data transferred to our AI providers is encrypted using industry-standard protocols to protect your information during transmission.

Access Control & Permissions

RoboRewsty inherits your exact permissions. It can only access data that your user account already has permission to view. This means:

No access to other users’ or organizations’ data
No access to workflows, executions, or information beyond your role-based permissions
No system-level or administrative data outside your scope

No Data Storage or Memory

Your data is never stored by AI providers:

Stateless processing. AI providers don’t retain conversation history between interactions.
No model training. Your data is never used to train AI models.
No data retention. Once your question is answered, your data is not kept by the provider.

Do any of the LLM providers store customer data?

No. The private, Bedrock-hosted Anthropic and OpenAI models we use are stateless by design, and never store any data used to create a response from RoboRewsty.

Can Rewst Users Opt Out of Using RoboRewsty?

Yes. If your team prefers not to use RoboRewsty, we can accommodate opt-out requests, and turn the feature off for you. An opt-in/out toggle is on our roadmap, and if we see enough demand, we’ll prioritize making it broadly available as a self-service option.

Are my inputs and outputs used to train Rewst’s products or services?

No. Your chats and feedback are stored securely inside Rewst only to improve your organization’s experience, such as enabling conversation history or generating workflow documentation. They are not shared across customers and are not used to train Anthropic or OpenAI models.

Is RoboRewsty using my data to serve other customers?

No. Your prompts, responses, and context remain private to your own Rewst organization. RoboRewsty can never share your data with other customers.

Does RoboRewsty respect existing permissions?

Yes. All RoboRewsty features honor existing role-based permissions. Users cannot generate answers that rely on resources they cannot access.

MUTUAL NON-DISCLOSURE AGREEMENT

THIS MUTUAL NON-DISCLOSURE AGREEMENT ("Agreement") is made and entered into as of today's date, between you and the company you represent and Rewst Inc, a Delaware corporation, with its principal place of business located at 17350 Gunn Hwy Odessa, FL 33556 ("Rewst Inc"). By confirming submission of this agreement, you are also confirming that you are authorized to enter into the non-disclosure agreement for the company you are representing.

WHEREAS, the parties desire to commence business discussions with respect to, among other things, (“Purpose”), and in the course of those discussions either party may disclose (“Discloser”) to the other party (“Recipient”) certain Confidential Information (defined below).

NOW, THEREFORE, for and in consideration of the mutual promises contained in this Agreement, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties, intending to be legally bound, do hereby agree as follows:

1. Confidential Information

“Confidential Information” shall mean all information and data relating to the Purpose (including the existence of the Purpose and any past, present or future negotiations and/or discussions with respect thereto) and/or to either party’s products, technology, trade secrets, intellectual property rights, confidential information, proprietary information, business or affairs, which shall include without limitation:
1. Information in documentary or other tangible form, and is at the time of disclosure expressed to be disclosed in confidence or might reasonably be expected to be so disclosed;
2. Information disclosed orally or by demonstration, and is at the time of disclosure designated as being imparted in confidence;
3. Information imparted orally or by demonstration, and includes any note or record of the disclosure;
4. Non-public information that the Recipient reasonably should have known was Confidential Information;
5. All notes, files or other documents or materials, which are based on, contain or otherwise reflect such information and any copies of the foregoing.
This Agreement shall not apply to any information which:
1. Is or falls into the public domain without breach of this Agreement by the Recipient;
2. The Recipient can show from its files and records:

2. Recipient’s Undertakings

The Recipient undertakes:

Not (except as contemplated in Clause 3 below) to disclose the Discloser’s Confidential Information in whole or in part to any third party;
To use the same only for and to the extent necessary for the Purpose;
Not to make any commercial use of the same or of any part thereof;
Not to permit the Discloser’s Confidential Information to go out of its possession, custody or control;
To immediately inform the Discloser if at any time it has knowledge that Confidential Information has or may come into the hands of third parties other than as permitted in accordance with the terms of this Agreement.

3. Handling of Confidential Information

The Recipient shall maintain the Discloser’s Confidential Information in strict confidence and shall exercise, in relation thereto, no lesser security measures and degree of care (and in no event, less than a reasonable degree of care) than those which the Recipient applies to its own Confidential Information.
The Recipient shall ensure that disclosure of Confidential Information is restricted to those of its employees, agents, officers, directors, consultants and professional advisors (“Associates”) to whom such disclosure is necessary for the Purpose, and, except with the prior written consent of Discloser, will not be disclosed by Recipient to any other third party.
The Associates referred to in Clause 3.2 shall be informed of the confidential nature of the Confidential Information and shall be bound by the obligations contained herein. Recipient shall be liable to Discloser for any action or failure to act by the Associates referred to in Clause 3.2 that would constitute a breach of this Agreement.
Without the prior written consent of Discloser, Recipient will not disclose to any third party (unless such disclosure is legally compelled) either the fact that the Confidential Information has been made available to such Recipient or the status of any discussions between the parties (all of which shall be considered Confidential Information).
Notwithstanding anything in this Agreement to the contrary, Recipient may disclose Confidential Information to the extent that such disclosure is required by law, court order, or similar legal process; provided that, unless prohibited by law, Recipient shall give prompt written notice of any such request or requirement to Discloser and cooperate with any reasonable efforts to avoid or minimize such disclosure.
Copies or reproductions shall only be made for the Purpose and all copies made shall be the property of the Discloser. The Recipient shall return all Confidential Information upon written request and destroy all documentation incorporating any Confidential Information.

4. Property

All Confidential Information submitted by one party to the other shall remain the property of the party from which it originates. Nothing herein contained shall be construed as a grant of any intellectual property rights to the Recipient. Neither party makes any representation or warranty as to the accuracy or completeness of any Confidential Information disclosed by it.

5. Termination

This Agreement shall continue in full force and effect until terminated by mutual consent or thirty (30) days prior written notice. Provisions that by their nature survive termination, including Clauses 2, 3, 4, 7, and 9, shall survive for five (5) years; trade secrets remain protected indefinitely.

6. Non-Assignment

This Agreement is personal to the parties and shall not be assigned without prior written consent, except in connection with mergers or asset sales.

7. Remedies

No failure or delay in exercising any right under this Agreement shall operate as a waiver.
Damages may not be adequate; parties are entitled to seek injunction, specific performance, or other equitable relief.

8. Counterparts

This Agreement may be executed in one or more counterparts, including electronic copies, all constituting the same Agreement.

9. Governing Law and Jurisdiction; Attorneys’ Fees

This Agreement shall be governed by the laws of Florida. Parties submit to Hillsborough County courts. Prevailing party may recover costs and attorneys' fees.

10. Severance of Terms

If any provision is unenforceable, it shall be severed and the remainder enforced with reduced scope or term if necessary.

11. English Language

The parties agree that this Agreement be drafted in English only.

12. Notices

Notices must be in writing, delivered by hand, mail, or courier. Parties may change addresses by written notice.