Skip to content
Get Started

Netgraph Data Processing & Privacy Annex

Version: 8.0 (Revised Structure)
Applies to: Netgraph Connectivity Platform (All modules)

Effective Date: 2026-03-23

Data Exporter (Controller)

The Customer (as defined in the Agreement), acting as Data Controller.

Data Importer (Processor)

Netgraph Sverige AB
Org. No: 559033-1141
Biblioteksgatan 6A
831 30 Östersund
Sweden

Email: dpo@netgraph.se

Role: Data Processor

  • Customer administrators
  • End users (guests, employees, residents, visitors)
  • Device users
  • Self-service portal users
  • Name
  • Email address
  • Username
  • Authentication credentials (password or SSO identity)
  • Name (optional)
  • Email address (optional)
  • Phone number (optional)
  • Company / organization (optional)
  • MAC address
  • IP address
  • Device identifiers
  • Authentication method
  • VLAN / network assignment
  • Session metadata (timestamps, activity logs)
  • Authentication logs
  • Audit logs
  • Policy assignments
  • Access control attributes

The service is not intended to process special categories of personal data under Article 9 GDPR.
Any such processing remains the sole responsibility of the Customer.

  • Collection
  • Registration
  • Organization
  • Storage
  • Retrieval
  • Use
  • Disclosure (to authorized systems only)
  • Erasure
  • Provide secure network access (WiFi / NAC)
  • Authenticate users and devices
  • Enforce access control policies
  • Enable onboarding (guest, BYOD, IoT)
  • Maintain audit logs and traceability
  • Provide support and troubleshooting

Processing takes place:

  • During the duration of the Agreement
  • With retention periods configurable by the Customer

Default values:

  • End-user/device data: approx. 1 month
  • Administrator data: contract duration + 6 months

Processing is performed within:

  • Sign In (Captive Portal & onboarding)
  • EntryPoint (RADIUSaaS)
  • EasyPSK (Private WiFi segmentation)
  • Endpoint Manager (Cisco ISE integration)

The competent supervisory authority shall be:

  • The authority where the Data Exporter is established

For Sweden:
Integritetsskyddsmyndigheten (IMY)

2. ANNEX II – TECHNICAL & ORGANIZATIONAL MEASURES

Section titled “2. ANNEX II – TECHNICAL & ORGANIZATIONAL MEASURES”
  • Role-Based Access Control (RBAC)
  • Tenant-level logical isolation
  • Least privilege principles
  • Secure authentication (password or SSO)
  • Administrative access restricted and logged
  • Data at rest: AES-256
  • Data in transit: TLS 1.2 or higher

Applies to all personal data processed within the platform.

  • Logical isolation between tenants
  • No cross-tenant access possible
  • Policy-based segmentation and enforcement
  • Centralized audit logging of:

    • Administrative actions

    • Authentication events

    • Policy changes

  • Full traceability across all modules

  • Deployment across multiple Availability Zones
  • Load balancing and automatic failover
  • Microservices-based architecture
  • Horizontal scalability
  • Dedicated Data Protection & Privacy function
  • Documented incident response procedures
  • Incident Commander role
  • Notification to customers in accordance with DPA and GDPR

2.7 Data Minimization & Purpose Limitation

Section titled “2.7 Data Minimization & Purpose Limitation”
  • Only data necessary for service delivery is processed
  • Optional data fields configurable by the Customer
  • No processing for marketing or unrelated analytics
  • Secure API integrations (Cisco, Auth0, Microsoft, etc.)
  • Controlled access to integrations
  • Continuous monitoring and system hardening

3. APPENDIX A – DETAILED PROCESSING (Module Tables)

Section titled “3. APPENDIX A – DETAILED PROCESSING (Module Tables)”
ModuleData CategoriesPurpose
Sign InEnd-user identifiers, device dataAuthentication, onboarding
EntryPointDevice identifiers, RADIUS attributesNetwork access control
EasyPSKUser + device dataPrivate WiFi segmentation
Endpoint ManagerDevice + policy dataIoT & Cisco ISE integration

A.2 Sign In – Authentication Methods & Data

Section titled “A.2 Sign In – Authentication Methods & Data”
MethodPersonal Data CollectedOptional FieldsPurpose
Meeting HostHost email, end user name, company, MAC, IP, statsIdentify host, authenticate guest
ConferenceEmail, phone, name, company, MAC, IPEmail, phoneGuest authentication
Self-provision (email)Email, MAC, IPEmail validation
Self-provision (SMS)Phone, MAC, IPSMS validation
SAML FederationUsername, MAC, IPFederation login
PasswordMAC, IPLocal authentication
Click-to-connectMAC, IPOpen access tracking
Event AccessMAC, IPTemporary access
WhitelistingMAC, IPAllow-list
Username & PasswordUsername, MAC, IPCredential-based authentication
ScenarioPersonal DataPurpose
802.1X (EAP-TLS / PEAP)MAC, username, IPSecure authentication
MABMAC, IPIoT onboarding
Static credentialsUsername, MAC, IPManual authentication
ActionPersonal DataPurpose
PSK AssignmentEmail, MAC, PSK name, WPA2 keyPersonal network provisioning
Device onboardingMAC, IPDevice mapping
Key rotationWPA2 keySecurity maintenance
FunctionPersonal DataPurpose
Device registrationMAC, emailIoT onboarding
Policy assignmentDevice profile, attributesAccess control
Sub-ProcessorLegal EntityRegistration No.AddressPurposeData TypeLocation
Amazon Web Services EMEA SARLAWSB18628438 Avenue John F. Kennedy, L-1855 LuxembourgCloud hosting & infrastructurePlatform dataSweden / Germany
Amazon Web Services EMEA SARL (SES)AWS SESB186284Luxembourg (EU infrastructure)Email delivery servicesEmail addressesIreland
ELASTX ABElastx556906-5617Kungsgatan 12, 111 35 Stockholm, SwedenCloud hosting (Swedish option)Platform dataSweden
  • Data Processing Agreements are in place with all sub-processors
  • Standard Contractual Clauses (SCCs) are implemented where applicable
  • Data is hosted within the EU by default
  • Sub-processors are contractually bound to equivalent security standards
  • Regular vendor assessments and security reviews are performed

A current list of sub-processors is maintained and made available to Customers upon request or via Netgraph documentation.

  • Data subjects exercise their rights via the Customer (Controller)
  • Netgraph provides assistance upon documented request

Supported rights include:

  • Access
  • Rectification
  • Erasure
  • Restriction of processing
  • Data portability

The Customer is responsible for:

  • Establishing lawful basis for processing
  • Informing end users of applicable privacy policies
  • Configuring retention policies
  • Managing optional personal data fields
  • Handling data subject requests

Next