Security & Compliance

Security & Compliance FAQ Responses

Rewst develops and delivers SaaS products that provide our customers with a Robotic Process Automation platform for automating workflows. Recognizing the need by many of our customers to satisfy vendor due diligence questionnaires, the following responses have been prepared by our security and compliance team.

If you have additional questions, please work with your Rewst point of contact to submit them for a response or contact our security team. To request a copy of the most recent SOC 2 Type 2 audit report, please visit our Trust Center to begin the process.

This page was last updated: 9/05/2025

General Security Program Information

Does your information security program align with industry standards or frameworks?

Rewst is SOC 2 Type 2 certified and aligns our information security program with NIST Cybersecurity Framework (NIST CSF). In addition, we have been successfully audited by a third-party for GDPR compliance.

Do you have a formal Information Security Program in place?

Yes, Rewst is committed to implementing cybersecurity best practices in both our internal IT systems, as well as our Rewst application and associated services.

Do you have a formal authorization process that restricts and controls privileged access rights?

Yes, more information on our process is documented in our SOC 2 Type 2 report.

Is your Privacy Notice/ Privacy Policy externally available?

Yes, policy is publicly available on our website: rewst.io/privacy-policy.

Data Handling

Do services provided include processing of company data?

Rewst is an automation platform that serves managed service providers (MSPs). MSP customers can utilize this platform to automate their workflows. Through the workflow configuration process, customers choose which types of data and accounts they process and manage with the toolset.

Where is data processed? Do your services involve transfer of information?

All Rewst application data processing occurs within Amazon Web Services, Inc., a sub-service organization, for cloud hosting and managed services. Application data processing occurs in the region specified by the customer at the time of tenant provisioning. MSP customer information follows GDPR requirements and processed under contractual clause with sub-processors as part of Data Processing Agreement (DPA) when required.

How do you encrypt customer data?

Data encryption both at-rest and in-transit, more detailed findings are included in SOC 2 audit report, available in our Trust Center.

Do you have a formal process for the removal of data at the end of the engagement?

Yes, we collect, retain, and use collected data in accordance with our publicly available Privacy Policy. Details on data rights and erasure timelines can be found in this document as well.

Does your organization have a Disaster Recovery Plan?

Yes, Disaster Recovery Plan (DRP) is in place. Plan is considered internal/confidential and is not available for distribution to external parties. However, it is included in our SOC 2 Type 2 audit with an independent third-party to ensure that required continuity, disaster recovery, and security controls are met.

Does your organization have an Incident Response Plan?

Rewst has an incident response process, which includes escalation procedures, rapid mitigation, and clear communication.

Policies

Are all personnel required to sign Confidentiality Agreements to protect customer information, as a condition of employment?

Yes, required prior to start on first day of employment.

Are all personnel required to sign an Acceptable Use Policy?

Yes, all personnel are required to sign an Acceptable Use Policy.

Do you have an access control policy in place?

Yes, Rewst has access control policies in place that are based on the principles of role-based access and principle of least privilege.

Security Program Solutions and Vulnerability Management

Is MFA required for employees to log in to production systems?

Does Rewst regularly evaluate patches and updates for your systems, infrastructure, and code vulnerabilities?

Yes, we have an in-depth vulnerability identification and remediation process in place.

How do you ensure code is being developed securely?

Throughout the development process, Rewst has integrated security tools and processes including, but not limited to automated DevSecOps code tests/checks, static and dynamic code testing reviews - SAST & DAST, secrets scanning, dependency security review, and code update (PR) change management processes. Rewst also utilizes third-party pentesting services to test web application security.

Vulnerability Disclosure Program (VDP)

We have partnered with Bugcrowd to manage our vulnerability disclosure program. The Bugcrowd platform allows us to collaborate with security researchers and responsibly address any potential security issues. To learn more, please visit our vulnerability disclosure program page: rewst.io/vulnerability-disclosure.

Do you perform logging and monitoring?

We continuously monitor and log activities across various cloud services, including, but not limited to our Microsoft and Amazon AWS.

Do you have a security awareness training program?

Yes, Rewst has a continuous security awareness training program with metrics reported to management and also conducts internal simulated phishing campaigns on employee accounts.

MUTUAL NON-DISCLOSURE AGREEMENT

THIS MUTUAL NON-DISCLOSURE AGREEMENT ("Agreement") is made and entered into as of today's date, between you and the company you represent and Rewst Inc, a Delaware corporation, with its principal place of business located at 17350 Gunn Hwy Odessa, FL 33556 ("Rewst Inc"). By confirming submission of this agreement, you are also confirming that you are authorized to enter into the non-disclosure agreement for the company you are representing.

WHEREAS, the parties desire to commence business discussions with respect to, among other things, (“Purpose”), and in the course of those discussions either party may disclose (“Discloser”) to the other party (“Recipient”) certain Confidential Information (defined below).

NOW, THEREFORE, for and in consideration of the mutual promises contained in this Agreement, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties, intending to be legally bound, do hereby agree as follows:

1. Confidential Information

“Confidential Information” shall mean all information and data relating to the Purpose (including the existence of the Purpose and any past, present or future negotiations and/or discussions with respect thereto) and/or to either party’s products, technology, trade secrets, intellectual property rights, confidential information, proprietary information, business or affairs, which shall include without limitation:
1. Information in documentary or other tangible form, and is at the time of disclosure expressed to be disclosed in confidence or might reasonably be expected to be so disclosed;
2. Information disclosed orally or by demonstration, and is at the time of disclosure designated as being imparted in confidence;
3. Information imparted orally or by demonstration, and includes any note or record of the disclosure;
4. Non-public information that the Recipient reasonably should have known was Confidential Information;
5. All notes, files or other documents or materials, which are based on, contain or otherwise reflect such information and any copies of the foregoing.
This Agreement shall not apply to any information which:
1. Is or falls into the public domain without breach of this Agreement by the Recipient;
2. The Recipient can show from its files and records:

2. Recipient’s Undertakings

The Recipient undertakes:

Not (except as contemplated in Clause 3 below) to disclose the Discloser’s Confidential Information in whole or in part to any third party;
To use the same only for and to the extent necessary for the Purpose;
Not to make any commercial use of the same or of any part thereof;
Not to permit the Discloser’s Confidential Information to go out of its possession, custody or control;
To immediately inform the Discloser if at any time it has knowledge that Confidential Information has or may come into the hands of third parties other than as permitted in accordance with the terms of this Agreement.

3. Handling of Confidential Information

The Recipient shall maintain the Discloser’s Confidential Information in strict confidence and shall exercise, in relation thereto, no lesser security measures and degree of care (and in no event, less than a reasonable degree of care) than those which the Recipient applies to its own Confidential Information.
The Recipient shall ensure that disclosure of Confidential Information is restricted to those of its employees, agents, officers, directors, consultants and professional advisors (“Associates”) to whom such disclosure is necessary for the Purpose, and, except with the prior written consent of Discloser, will not be disclosed by Recipient to any other third party.
The Associates referred to in Clause 3.2 shall be informed of the confidential nature of the Confidential Information and shall be bound by the obligations contained herein. Recipient shall be liable to Discloser for any action or failure to act by the Associates referred to in Clause 3.2 that would constitute a breach of this Agreement.
Without the prior written consent of Discloser, Recipient will not disclose to any third party (unless such disclosure is legally compelled) either the fact that the Confidential Information has been made available to such Recipient or the status of any discussions between the parties (all of which shall be considered Confidential Information).
Notwithstanding anything in this Agreement to the contrary, Recipient may disclose Confidential Information to the extent that such disclosure is required by law, court order, or similar legal process; provided that, unless prohibited by law, Recipient shall give prompt written notice of any such request or requirement to Discloser and cooperate with any reasonable efforts to avoid or minimize such disclosure.
Copies or reproductions shall only be made for the Purpose and all copies made shall be the property of the Discloser. The Recipient shall return all Confidential Information upon written request and destroy all documentation incorporating any Confidential Information.

4. Property

All Confidential Information submitted by one party to the other shall remain the property of the party from which it originates. Nothing herein contained shall be construed as a grant of any intellectual property rights to the Recipient. Neither party makes any representation or warranty as to the accuracy or completeness of any Confidential Information disclosed by it.

5. Termination

This Agreement shall continue in full force and effect until terminated by mutual consent or thirty (30) days prior written notice. Provisions that by their nature survive termination, including Clauses 2, 3, 4, 7, and 9, shall survive for five (5) years; trade secrets remain protected indefinitely.

6. Non-Assignment

This Agreement is personal to the parties and shall not be assigned without prior written consent, except in connection with mergers or asset sales.

7. Remedies

No failure or delay in exercising any right under this Agreement shall operate as a waiver.
Damages may not be adequate; parties are entitled to seek injunction, specific performance, or other equitable relief.

8. Counterparts

This Agreement may be executed in one or more counterparts, including electronic copies, all constituting the same Agreement.

9. Governing Law and Jurisdiction; Attorneys’ Fees

This Agreement shall be governed by the laws of Florida. Parties submit to Hillsborough County courts. Prevailing party may recover costs and attorneys' fees.

10. Severance of Terms

If any provision is unenforceable, it shall be severed and the remainder enforced with reduced scope or term if necessary.

11. English Language

The parties agree that this Agreement be drafted in English only.

12. Notices

Notices must be in writing, delivered by hand, mail, or courier. Parties may change addresses by written notice.