Rescale Security Policy
Last Updated – May 30, 2025
INTRODUCTION
This Security Addendum is incorporated into and made a part of the written agreement between Rescale, Inc. (“Rescale”) and Customer that references this Security Addendum (“Agreement”).
Rescale maintains a comprehensive documented security program that is based on industry standard security frameworks including NIST 800-53 and ISO 27001 (the “Security Program”). Pursuant to the Security Program, Rescale implements and maintains administrative, physical, and technical security measures to protect the Rescale Platform and the security and confidentiality of Customer Data (each as defined in the Agreement) under Rescale’s control that is processed by Rescale in its provisioning of the Rescale Platform (the “Security Measures”). Rescale regularly tests and evaluates its Security Program, and may review and update this Security Addendum at any time, provided that such updates are equivalent (or enhance) security and do not materially diminish the level of protection afforded to Customer Data by these Security Measures.
Cross-functional Security Teams
Rescale has two teams that work together to achieve, maintain, and improve various aspects of the Security Program. First, the Security Committee is the cross-functional, executive-level team that sets the broader security vision, reviews and assesses the latest risks, and aligns the overall security posture with company goals. Second, the technical security team is embedded with the engineering teams, and is responsible for the assessment, planning, implementation, testing, deployment, monitoring, and reporting of security operations.
CUSTOMER SECURITY FEATURES
The Rescale Platform provides access to 700+ software applications to run Jobs via on-demand clusters on CSP Infrastructure. Users are able to submit simulation Jobs via a simple GUI or a powerful CLI/API. Jobs are run on ultra high-performance servers in the cloud, on compute power provisioned for the Job. Rescale offers user access and admin controls to a managed, secured multi-cloud environment.
Account Structure
Users are grouped into two types of Customer account roles: regular user accounts and company administrator accounts. Company administrators have higher privileges than regular users and are designated during onboarding. Customer administrative controls are available to tailor access and security to the Rescale Platform.
Single Sign On (SSO)
Rescale supports Single Sign On (SSO) through SAML 2.0 as an option for Customers so Users can use their Customer’s existing identity provider. Authentication through Active Directory is supported when configured to use SAML 2.0. Additional information on SSO implementation can be found here: https://rescale.com/articles/sso/
Multi Factor Authentication (MFA)
Rescale requires Time-based OTP (TOTP) as a mechanism for Multi Factor Authentication (MFA) for Customers. Additional information on MFA configuration can be found here: https://rescale.com/articles/multi-factor-authentication/
Password Complexity
Rescale offers custom definition of password requirements, including requirements on minimum length, upper/lower case, numbers, special characters, and expiration.
Company Audit Log
All Rescale Platform events are logged and are available for the company administrators to review and audit.
IP Restrictions
Customer administrators can configure per-company IP CIDR restrictions to access the Rescale Platform.
Data Sharing
Customer Data (i.e., User Jobs and files) is accessible by that User only unless explicitly shared with another member of the same company or with Rescale’s Support Team. In certain circumstances, if requested by Customer, Customers may receive various support services from ISVs or authorized Rescale resellers and may share Customer Data with those parties. Rescale is not responsible for ISV or partner provided support services.
Job, Team, and Budget Restrictions
Company administrators can set up subdivisions within a company account with Groups and Projects. The available hardware core types, software applications, and budgets can be set for each subdivision. Jobs can be required to be attached to Projects.
CORPORATE, PHYSICAL AND PERSONNEL SECURITY
Security Training
Rescale personnel receive comprehensive training on the Security Program upon hire and refresher training annually. Rescale personnel are required to certify and agree to the Security Program and personnel who violate the Security Program are subject to disciplinary action, including warnings, suspension and up to (and including) termination. Rescale personnel are required to sign confidentiality agreements.
Background Checks
Background checks are performed on all employees prior to joining Rescale, unless prohibited by law. The background check may include but is not limited to education verification, previous employment verification, and criminal checks.
Employee Workstation Security
Anti-virus software is installed on all Rescale employee workstations (desktops and laptops) with automatic daily updates for malware protection. All Rescale employee workstations are encrypted and centrally managed. Portable media devices are not permitted for conducting Rescale business. Confidential Information, including Customer Data, is not allowed to be accessed from mobile devices.
Appropriate endpoint security solutions are deployed on workstations. Employees do not have administrative privileges (root accounts) on their computers.
Rescale follows a clean desk policy requiring that information on desks and workstations has appropriate protections depending on data classification. Unattended Confidential Information is not permitted to be left out in plain sight.
Physical Security – Data Centers
Rescale does not operate a physical data center footprint and relies on cloud service providers (CSPs) to provide physical security to their respective data centers. These data centers are provided with 24/7 armed security, biometric access, backup systems and protections against environmental threats (e.g. fire, flood). Please see below for security documentation for primary CSPs (“Primary CSPs”). For security policies of CSPs not listed below, please contact Rescale for further information.
- Amazon Web Services (AWS): https://aws.amazon.com/compliance/data-center/controls/
- Microsoft Azure: https://www.microsoft.com/en-us/trustcenter/security/azure-security
- Google Cloud Platform: https://cloud.google.com/security/infrastructure/design/#security_of_physical_premises
Physical Security – Headquarters
Rescale’s physical offices are protected by multiple layers of keycard access control and by security cameras. Rescale’s office doors remain closed and locked at all times.
All visitors to Rescale are escorted by staff and checked into the office.
Employee Account Access Control
Internally, employee access control is managed by the principle of least privilege. Access control to various parts of the production environment needs to be approved and is periodically reviewed to ensure accuracy. Rescale uses SSO for internal and external systems wherever possible. Upon employee termination, access to systems is removed immediately.
Intranet
Rescale does not maintain an intranet and does not assume trusted networks.
DATA SECURITY
Encryption
Customer Data is always encrypted in transit and at rest. When stored, Customer Data is encrypted using AES-256 and Customer Data in transit is always transferred with TLS 1.2 or higher. Where available and depending on the method of file transfer, files are encrypted and decrypted on the end-user machine.
Data Access Control
Rescale staff’s handling of Customer Data is only to the extent that Jobs are shared with Rescale Support. Rescale Support is a function within Rescale and is not an implied privilege by being a Rescale employee or a member of the technical teams.
Backups
Customer Data stored in one geographical region will use redundancy features provided by CSPs where available. This is an automatic redundant replication across multiple data centers offered by, for example, many object storage services.
Rescale performs daily database backups and fulfills relevant SLA and disaster recovery Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
INFRASTRUCTURE AND NETWORK SECURITY
Network Access Control and Firewalls
Rescale divides its internal networks into logical subnets for security and availability. Networks are configured automatically and do not require manual (human) changes. Direct access to the production network infrastructure by Rescale staff follows the principle of least privilege. Network access control and firewall configurations are tracked and periodically reviewed. Privileged and unprivileged network penetration testing is also regularly performed.
Server and OS Security
Servers are subject to centralized monitoring and configuration change control, vulnerability scans and penetration testing. Rescale performs system hardening and subscribes to security bulletins.
Availability
Rescale is designed with availability as a fundamental consideration. Every layer of the infrastructure is set up with high availability or failover mechanisms.
Monitoring and Alerting
Rescale has implemented monitoring and alerting at application, OS, and network layers. Email and other alerts are sent to administrators as events are detected. Hardware-level monitoring and maintenance is provided by relevant CSPs.
APPLICATION SECURITY
OWASP
Rescale has reviewed OWASP Top 10 application security risks and has implemented explicit measures for each applicable risk. Web frameworks and other mature components are used in the application to leverage well-reviewed code and quick security responses.
Input Sanitization
Rescale validates and properly handles all input data via input sanitization as a security measure against a variety of attack families including data injection, Cross-Site Scripting (XSS), SQL injection attacks, and deserialization attacks. Rescale code does not construct SQL queries directly.
Password Handling
If a password-based authentication method is configured, all passwords are hashed using PBKDF2 with an appropriate work factor.
Cross-Site Request Forgery (CSRF)
Rescale uses CSRF tokens to prevent Cross-Site Request Forgery attacks.
User Account Logins
Rescale monitors for abnormal login attempts including brute force, and blocks as appropriate based on attempt characteristics.
Logging, Monitoring and Alerting
Rescale logs events at the platform level and monitors for notable events and operations performed. Any anomalies are reported through a centralized alerting system.
SECURE SOFTWARE DEVELOPMENT LIFECYCLE (SDLC)
Product Lifecycle
Rescale’s products and features follow standard lifecycle stages comprising requirements gathering, design, implementation, testing, deployment, and maintenance. In each of these stages, the relevant teams consider changes for security impact and involve the security team for any necessary assessments. Teams that are part of the product lifecycle are trained to recognize and raise potential security concerns.
Source Code Development
Rescale follows a Secure Software Development Lifecycle policy and requires all code to be peer reviewed and tested prior to production deployment. Automated testing is performed in the form of unit tests and integration tests, which must pass before code is deployed to production environments.
Configuration Management
All infrastructure and environment definitions, such as network configuration, are set in reusable configuration files or scripts. They are subject to the same review process as platform code. Tests are performed in staging environments built as replicas of the production environments. Deployments occur without human participation, based on the definition files.
Vulnerability Scanning and Penetration Testing
Rescale performs internal and third-party vulnerability scanning and penetration testing at least annually, covering in scope the web platform, API, server operating system, external network, and internal network. Any findings are triaged, tracked in an internal task management tool, and addressed.
INCIDENT RESPONSE & DISASTER RECOVERY
Planning
Rescale has an Incident Response and Disaster Recovery plan that outlines and specifies the different stages of an incident including identification, containment, investigation, remediation, and reporting. If an attack is suspected to be occurring or has occurred, Rescale staff follows the relevant sections of the plan to perform necessary actions.
The plan is developed to incorporate company team structures and resources. It is periodically reviewed and updated as needed.
Exercises
Rescale performs annual incident response exercises and disaster recovery exercises. Any gaps or findings are documented and addressed. Incident response procedures are also part of security training if an employee’s role is relevant.
HOSTING LOCATION
Customer Data is stored and Jobs are executed in the same region as the location selected for the Rescale Platform unless requested otherwise.
AUDITS AND CERTIFICATIONS
Rescale uses independent third-party auditors to assess the Rescale Security Program at least annually, as described in the following audits, regulatory standards, and certifications: SOC 2 Type II, ISO 27001, and FedRAMP Moderate. To the extent that Rescale chooses not to continue adherence with one or more of the standards mentioned, Rescale will adopt or maintain an equivalent, industry-standard framework.
HIPAA
Rescale has security measures in place to enable compliance with the Health Insurance Portability and Accountability Act of 1996, as amended and supplemented from time to time (“HIPAA”). Customers shall not include in Customer Data any protected health information as defined under HIPAA unless Customer has entered into Business Associate Agreement with Rescale.
DATA CENTERS
Depending on the CSP Infrastructure selected and used, Primary CSPs may be further certified for or support the following standards: PCI DSS Level 1, SOC 1/ISAE 3402, SOC 2, SOC 3, ISO 9001, FIPS 140, CSA, FERPA, HIPAA/HITECH, HITRUST, FedRAMP (SM), DoD Impact Levels 2, 4-6, DIACAP and FISMA, ISO 27001, ITAR, Cyber Essentials Plus (UK) and/or more depending on specific data centers. Non-primary CSPs may not meet the certifications or standards listed herein, and Customer is responsible for reviewing the certifications and security practices of CSPs when selecting CSP Infrastructure.
SHARED SECURITY RESPONSIBILITIES
Without diminishing Rescale’s commitments above, Customer agrees that Rescale has no obligation to assess the content, accuracy or legality of Customer Data, including to identify information subject to any specific legal, regulatory or other requirement, and that Customer is responsible for making appropriate use of the Rescale Platform and CSP Infrastructure to ensure a level of security appropriate to the particular content of Customer Data. Customer is responsible for managing and protecting its User roles and credentials, including but not limited to (i) ensuring that all Users keep credentials confidential and do not share such information with unauthorized parties, (ii) promptly reporting to Rescale any suspicious activities related to Customer’s Account (e.g., a user credential has been compromised) by submitting a support ticket, (iii) appropriately configuring User and role-based access controls, including scope and duration of User access, taking into account the nature of its Customer Data, and (iv) maintaining appropriate password uniqueness, length, complexity, and expiration. To the extent that Customer uses the Rescale Platform on a “bring-your-own-compute” (BYOC) basis (where Customer may use the Rescale Platform but usage of CSP Infrastructure is subject to the terms and fees as agreed between the applicable CSP and Customer), Customer is solely responsible for the security of the CSP Infrastructure. In the event of providing professional or support services, Rescale may provide recommendations regarding implementation or configuration of the Rescale Platform and/or any customer systems (“BYOC Recommendations”), provided that Customer is solely responsible for determining whether such BYOC Recommendations are appropriate for Customer’s security requirements or needs.
ITAR/FEDRAMP PLATFORMS
Rescale has registered and maintains active registrations under ITAR with the Directorate of Defense Trade Controls (DDTC) of the United States Department of State for Rescale’s ITAR Platform. Rescale has a shared responsibility model for customers utilizing the Rescale Platform for ITAR/FedRAMP. This model clarifies the division of security and compliance obligations between Rescale and the Customer, particularly in relation to export-controlled data and/or software.
Rescale’s Responsibilities
Rescale Platform and Security: Rescale is responsible for making the Rescale Platform for ITAR/FedRAMP available to customers in accordance with the applicable agreement between Rescale and Customer, including as described in this Security Policy.
Rescale Personnel Compliance: Rescale is responsible for ensuring the Rescale Platform for ITAR/FedRAMP is hosted in the U.S. and Rescale personnel who access the Rescale Platform for ITAR/FedRAMP are U.S. Persons. However, Rescale is not responsible for the Customer’s users or their compliance status.
Customer’s Responsibilities
User Access and Compliance: Customer is solely responsible for managing their own users, including (i) ensuring that only authorized personnel have access to export-controlled data, and/or (ii) obtaining necessary export licenses. If U.S. Person status or U.S. citizenship is required for certain users due to Customer Data or the Licensed Application Software used by Customer, Customer, not Rescale, must verify and enforce this requirement.
Access Control and Security Configuration: Customer is responsible for managing identity and access controls for their users, including policies, role-based access, and data security configurations. Customer must maintain the security of their data and software in accordance with all applicable laws and regulations.
Data Management: Customer is responsible for the content they upload, store, and process within the Rescale Platform for ITAR/FedRAMP, including ensuring compliance with export control regulations.
Software Usage: Customer must properly license and ensure compliance with all applicable laws and regulations governing the use of the licensed application software on the Rescale Platform for ITAR/FedRAMP.
Compliance and Auditing: Customer is responsible for ensuring that its use (including its users) of Licensed Application Software and ITAR/GovCloud environment adheres to all applicable laws, regulations, and compliance requirements, including export controls. Customer acknowledges, agrees to, and certifies its compliance with all responsibilities and obligations set forth above.
