Security Statement
rackAID LLC — 221 N. Hogan Street #308, Jacksonville, FL 32202
Effective date: June 23, 2026
rackAID takes the security of our customers’ systems and data seriously. This statement summarizes the practices we use to protect the services we provide. It is a general overview, not a warranty; our specific obligations are set out in our Master Service Agreement and Privacy Policy. We maintain more detailed internal security policies, which we do not publish.
Shared responsibility
Security is a shared responsibility across three layers:
- Our upstream providers (such as Amazon Web Services and PhoenixNAP) secure the underlying data centers, hardware, and core infrastructure.
- rackAID manages, monitors, and supports the specific elements set out in your Order, and applies the practices described below to those elements.
- You, the customer, are responsible for everything you deploy to or run on the services, as described in “Scope of our responsibility” below.
Scope of our responsibility
What we are responsible for. rackAID’s security responsibility is limited to the specific elements we manage under your Order. This generally means operating-system patching and updates for the servers we manage, and patching of a control panel only where that control panel was provided and installed by rackAID. Anything not expressly listed as managed in your Order is not rackAID’s responsibility.
What you are responsible for. You are solely responsible for the security of everything you deploy to or run on the servers, including your applications, code, plugins, themes, databases, website content, and any third-party or open-source software — and for keeping those components updated, configured, and free of vulnerabilities. You are also responsible for your data, your user accounts and credentials, and the actions of your users. rackAID does not monitor, patch, secure, or assume responsibility for customer-deployed applications or assets unless a specific managed service for them is stated in your Order.
This allocation reflects the terms of our Master Service Agreement (see MSA §3.1.1, §4, §7.2–§7.3, and §13.2), which govern in the event of any conflict.
Infrastructure and physical security
We deliver services using established cloud and hosting providers, including Amazon Web Services and PhoenixNAP. These providers maintain independent, third-party security certifications (such as SOC 2, ISO 27001, and PCI DSS) and are responsible for physical and environmental security of their facilities. rackAID does not operate its own data centers and does not hold its own certifications; we rely on the certified infrastructure of our providers. Details of each provider’s certifications are available on their respective websites.
Encryption
Our operational connections and management interfaces use industry-standard encryption in transit (TLS). Encryption at rest is applied where it is supported and appropriate for the service; not all data is encrypted at rest, and you are responsible for any application-level encryption your data requires. You should not store data on the services that you are not permitted to store unencrypted.
Payment data
We do not store your full payment card details. Card payments are processed by our payment provider, Authorize.net, which maintains PCI DSS compliance. We retain only limited transaction records as described in our Privacy Policy.
Access control and authentication
We follow the principle of least privilege: our personnel are granted only the access needed to perform their work. Multi-factor authentication (MFA) is required for access to high-value and privileged systems. Our staff are bound by an internal Acceptable Use Policy and confidentiality obligations governing how they access customer systems and data.
Patching, monitoring, and vulnerability management
We apply security updates and configuration changes using commercially reasonable practices, and we monitor the services we manage for availability and security issues. Where we identify a risk to our network or to other customers, we may act to mitigate it as described in our Master Service Agreement.
Backups
Backup services are provided only where stated in your Order. Regardless of any backup service we provide, you remain responsible for maintaining your own backups of your data. It is your responsibility to export or retrieve your data before any service is terminated.
Incident response and breach notification
We maintain an internal process for responding to security incidents. If we become aware of a security incident affecting your data, we will notify you without undue delay and provide the information reasonably available to us. You are responsible for any notifications required to your own users, regulators, or other third parties.
Subprocessors
We use a limited set of third-party providers to deliver and support our services (for example, infrastructure, payment processing, email delivery, and analytics). A current list of our principal subprocessors is available to customers on request through the helpdesk.
Your responsibilities
To keep your services secure, you should: protect your credentials and enable available security features; keep software you control patched and free of known vulnerabilities; upload only data and software you have determined to be free of security issues; maintain your own backups; and comply with our Acceptable Use Policy. If your service involves regulated data (such as protected health information), contact us before transmitting it, as additional agreements may be required.
No guarantee
No method of transmission or storage is completely secure. While we use commercially reasonable measures to protect the services, we cannot guarantee absolute security. The services are provided as described in our Master Service Agreement.
Reporting a security concern
If you believe you have found a security vulnerability or a security issue affecting our services, please contact us at contact@rackaid.com or through the helpdesk. We appreciate responsible disclosure and will work with you to investigate and address legitimate concerns.
Version 20260623.01