Skip to content
Get Started

Data Privacy Sheet

Version: 9.0 Applies to: Netgraph Connectivity Platform (All modules) Effective date: April 2026

This Privacy Data Sheet describes the processing of personal data (or personally identifiable information) by the Netgraph Connectivity Platform.

This Data Privacy Sheet is provided for informational and transparency purposes.

The binding description of personal data processing is set out in the applicable Data Processing Agreement (DPA), including the Netgraph Data Processing & Privacy Annex.

Netgraph Connectivity Platform is a cloud-based enterprise networking solution made available by Netgraph Sverige AB to partners or companies who acquire it for use by their authorized users.

For the purposes of data protection:

The Customer acts as Data Controller or, where applicable, as Data Processor on behalf of its end customers.

Netgraph acts as:

  • Data Controller for personal data processed to administer and manage the customer relationship (e.g., administrator accounts, billing, and support);
  • Data Processor where personal data is processed on behalf of the Customer; or
  • Sub-processor where the Customer acts as a Data Processor.

Where Netgraph acts as a Data Processor or Sub-processor, processing of personal data is carried out solely on documented instructions from the Customer or, where applicable, from the Customer acting as Data Processor.

Netgraph will process personal data in accordance with the applicable Data Processing Agreement (DPA), including the Netgraph Data Processing & Privacy Annex, and in compliance with applicable data protection legislation. This Data Privacy Sheet provides additional information regarding such processing.

Based on the roles defined above, the Netgraph Connectivity Platform follows a shared responsibility model, where responsibilities are clearly divided between the Customer, Netgraph, and, where applicable, authorized partners.

Customer Responsibilities (Data Controller)

The Customer is responsible for:

  • Ensuring lawful collection and processing of personal data
  • Defining access policies, authentication requirements, and retention settings
  • Informing end users of applicable privacy policies and obtaining required consents
  • Handling data subject requests (e.g. access, rectification, deletion)
  • Configuring the service in accordance with applicable laws and internal policies

Netgraph Responsibilities (Data Processor / Sub-processor)

Netgraph is responsible for:

  • Secure operation and availability of the platform
  • Implementation of technical and organizational security measures
  • Authentication and authorization mechanisms
  • Protection of personal data (including encryption and access control)
  • Logging, monitoring, and audit capabilities
  • Incident detection, response, and support

Partner Responsibilities (where applicable)

Where the Netgraph Connectivity Platform is delivered via an authorized partner:

  • The partner may act as Data Processor towards the end customer
  • Netgraph acts as Sub-processor
  • Partner responsibilities vary depending on the partner model:
    • Managed Partners may provide customer relationship management, service delivery coordination, and first-line support, and may be granted limited access to personal data strictly as required for service delivery.
    • License Partners are limited to commercial engagement and do not process personal data or provide operational or support functions.
  • Responsibilities are contractually defined between the Customer, partner, and Netgraph.

Service Delivery via Partners

The Netgraph Connectivity Platform may be delivered directly or through authorized partners.

In such cases, roles and responsibilities are defined in the Shared Responsibility Model above and governed by applicable agreements between the parties.

Authorized partners are contractually bound to data protection and security obligations equivalent to those of Netgraph.

The Netgraph Connectivity Platform is a cloud-based and innovative connectivity platform that can be integrated into any network. It consists of four main modules:

  • Sign In — Guest Wi-Fi and BYOD onboarding with policy-based network access.
  • EntryPoint (RADIUSaaS) — Cloud-based RADIUS service for device authentication, VLAN assignments, and network policy enforcement.
  • Netgraph EasyPSK — Private, per-user PSK environments for secure, isolated Wi-Fi access.
  • Endpoint Manager for Cisco ISE — Integration with Cisco ISE for unmanaged device control, MAC orchestration, and iPSK key management.

Each module can be deployed individually or in combination, enabling a wide range of network access control scenarios.

The platform enables full control and traceability over users, devices, and applications. Self-service portals and delegated administration tools help minimize the administrative burden for IT teams and reception staff.

The service is flexible and scalable without limitations in geographic expansion, number of users, or capacity utilization.

The Netgraph Connectivity Platform is architected as a cloud-native, microservices-based platform, built for horizontal scalability and high availability. The system is actively distributed across three Availability Zones within our cloud provider’s infrastructure (AWS & ELASTX), enabling resilient operations, load balancing, and fault tolerance by design.

This architecture ensures that:

  • Services can be scaled independently based on demand
  • High availability is maintained even in the event of a failure in one Availability Zone
  • Resource utilization can be optimized in real-time to maintain performance

The platform processes personal data required for authentication, authorization, and network access control.

Typical categories include:

  • User identifiers (email, username)
  • Device identifiers (MAC address, IP address)
  • Authentication data
  • Access logs and session metadata
ModulePersonal Data CategoryTypes of Personal DataPurpose of Processing
Sign InAdministrator Log-InAdmin username, email, password or (if SSO enabled) emailProvision of the service, authentication, troubleshooting, support
End User IdentifiersName, email, phone (optional), company, device MAC address, device IP, online statisticsAuthenticate end users, policy enforcement, troubleshooting, auditing
EntryPoint (RADIUSaaS)Administrator Log-InAdmin username, email, password or SSO emailProvision of service, manage RADIUS policies, support
Device IdentifiersDevice MAC address, IP address, RADIUS authentication method, assigned VLAN, RADIUS attributesAuthenticate and authorize devices, apply access policies, generate audit logs
Netgraph EasyPSKAdministrator Log-InAdmin username, email, password or SSO emailProvision of the service, authentication, troubleshooting, support
End User IdentifiersName, email, device MAC address, device IP, assigned SSID, WPA2 keysProvision of dedicated Private Network, ensure network isolation, support and troubleshooting
Endpoint ManagerAdministrator Log-InAdmin username, email, password or SSO emailProvision of service, integration with Cisco ISE, delegated admin
Device IdentifiersDevice MAC address, endpoint profile, assigned access policy, iPSK keysManage unmanaged devices, IoT onboarding, MAC-based orchestration, audit logs

Sign In — Authentication Methods & Data

MethodPersonal Data CollectedOptional FieldsPurpose
Meeting HostHost email, end user name, company name, device MAC, device IP, online statsIdentify meeting host, authenticate guest, audit logs
ConferenceEnd user email, phone, name, company name, device MAC, device IP, online statsEmail, phoneEvent guest authentication, policy enforcement
Self-provision (email)End user email, device MAC, device IP, online statsSelf-onboarding via email validation
Self-provision (mobile phone)End user phone, device MAC, device IP, online statsSelf-onboarding via SMS validation
Self-provision (SAML federation)End user username, device MAC, device IP, online statsFederation-based onboarding
PasswordDevice MAC, device IP, online statsLocal password-based authentication
Click to ConnectDevice MAC, device IP, online statsOpen access tracking & auditing
Event AccessDevice MAC, device IP, online statsTime-limited event access
WhitelistingDevice MAC, device IP, online statsPermanent/temporary MAC allow-list
Username & PasswordDevice MAC, device IP, online statsCredential-based authentication
Self-service Portal (Activated Service)End user email or SSO emailAccess to account management

EntryPoint (RADIUSaaS) — Authentication & Data

Authentication ScenarioPersonal Data CollectedOptional FieldsPurpose
802.1X (EAP-TLS/EAP-PEAP)Device MAC, username (if provided), device IPCertificate or credential-based authentication
MAC Authentication Bypass (MAB)Device MAC, device IPIoT or unmanaged device onboarding
Static CredentialsUsername, device MAC, device IPManual provisioning of credentials
Self-service Portal (Activated Service)End user email or SSO emailAccess to account management

Netgraph EasyPSK — Private Network Provisioning & Data

ActionPersonal Data CollectedOptional FieldsPurpose
PSK AssignmentEnd user email, device MAC, Personal PSK name, WPA2 passphraseAssign unique PSK (Personal Network) to user
Device OnboardingDevice MAC, device IP, Personal Network nameMap device to Personal Network
Key RotationWPA2 passphraseMaintain network security
Self-service Portal (Activated Service)End user email or SSO emailAccess to account management

Endpoint Manager for Cisco ISE — Integration & Data

FunctionPersonal Data CollectedOptional FieldsPurpose
Device RegistrationDevice MAC, End user emailAdd unmanaged/IoT devices to ISE
Self-service Portal (Activated Service)End user email or SSO emailAccess to account management and distributed IoT management

5.1 Data Minimization and Purpose Limitation

Section titled “5.1 Data Minimization and Purpose Limitation”

Netgraph processes only personal data necessary to deliver the service.

Data is not used for marketing, profiling, or unrelated purposes.

The Customer retains full ownership and control of all personal data processed within the Netgraph Connectivity Platform.

Netgraph processes personal data solely on behalf of the Customer and in accordance with documented instructions provided through the applicable agreement and service configuration.

Netgraph does not use customer data for marketing, profiling, or any purposes unrelated to the provision of the service.

Upon termination of the service, personal data will be deleted or anonymized in accordance with agreed retention policies and applicable legal requirements.

Where technically feasible, data export capabilities may be provided to support data portability.

The Customer is responsible for:

  • Lawful data collection
  • Configuration of optional data fields
  • Informing end users
  • Compliance with local regulations

Netgraph has implemented appropriate technical and organizational measures designed to secure personal data from accidental loss and unauthorized access, use, alteration, and disclosure.

These include:

  • Encryption at rest (AES-256)
  • Encryption in transit (TLS 1.2+)
  • Role-based access control
  • Multi-factor authentication (MFA) for administrative access
  • Secure API communication
Personal Data CategorySecurity controls and measures
Administrator Log-In informationEncrypted at rest with AES-256 algorithm. Encrypted in transit with TLS 1.2 or higher. Role-based access control and multi-factor authentication (MFA).
End User & Device IdentifiersEncrypted at rest with AES-256 algorithm. Encrypted in transit with TLS 1.2 or higher. Access controlled via role-based access control (RBAC).

Access to personal data is restricted based on role and necessity and is granted only to authorized parties.

Access may be granted to:

  • Authorized Netgraph personnel (support, operations, and platform maintenance)
  • Customer administrators
  • End users (via self-service functionality, where applicable)
  • Authorized partners (where applicable), acting under contractual obligations and only to the extent required for service delivery and support

Where partners are involved:

  • Managed Partners may be granted limited access to personal data strictly as required for support and service delivery
  • License Partners do not have access to personal data and do not perform operational or support functions

All access is governed by role-based access control principles and limited to what is necessary for the intended purpose. Access is logged and monitored in accordance with Netgraph’s security policies.

Personal Data CategoryWho has accessPurpose of access
Administrator Log-In informationNetgraphProvide troubleshooting and technical support for the service, provision of the service, communicate service and product updates to customer
CustomerUse the service (authenticate authorized users of the solution)
End User Identifiers & Device IdentifiersNetgraphProvide troubleshooting and technical support for the service
CustomerProvide troubleshooting and technical support for end users, configure access and service policies based on identifiers
End UserUse the optional Self-Service Portal
Personal Data CategoryRetention PeriodReason for Retention
Administrator Log-In informationDuring customer’s active Netgraph Connectivity Platform subscription, plus 6 months thereafterCustomer’s use of the service, troubleshooting and technical support, insights and statistics
End User Identifiers & Device IdentifiersDuring customer’s active Netgraph Connectivity Platform subscription — minimum retention period configurable by customer (default 1 month)Customer’s use of the service, troubleshooting and technical support, insights and statistics
iPSK KeysDuring active subscription, automatically removed upon device/account deletionNetwork security, authentication, device isolation

Data is deleted or anonymized upon termination, unless retention is required by law.

Data Center LocationsData Centers
Sweden, Germany (AWS)Customers that order Netgraph Connectivity Platform standard services (NC-PL-GL), can choose one of the following region-specific data centers to store their data
Sweden (Elastx)Customers that order Netgraph Connectivity Platform optional Swedish hosting service (NC-PL-SE). A Swedish company acts as sub-processor partner. This data center will then store their data

Netgraph engages sub-processors as part of the service delivery. A current list of sub-processors is maintained and made available to Customers.

The use of sub-processors is governed by the applicable Data Processing Agreement and the Netgraph Data Processing & Privacy Annex.

Sub-processor (NC-PL-GL)Personal DataService TypeLocation of Data Center
Amazon Web Services EMEA SARL, reg. no. B186284Sys Admin Username and PasswordHosting of Netgraph Connectivity Platform Service (NC-PL-GL)Sweden, Germany
Primary data storage locationSweden
Email Relay (Amazon SES Service)Ireland
Sub-processor (NC-PL-SE)Personal DataService TypeLocation of Data Center
ELASTX AB, reg. no. 556906-5617Sys Admin Username and PasswordHosting of Netgraph Connectivity Platform Service (NC-PL-SE)Sweden
Primary data storage locationSweden
Email Relay (Elastx Relay Service)Sweden

The Data Protection & Privacy team within Netgraph coordinates the Data Incident Response Process and manages the response to data-centric incidents.

The Incident Commander (designated role within Netgraph) directs and coordinates Netgraph’s response.

The team works with customers, partners, consultants, and vendors to identify possible security issues with the Netgraph Connectivity Platform.

In the event of a personal data breach affecting Customer data, Netgraph will notify the Customer without undue delay.

Notifications will include relevant information available at the time, such as:

  • Nature of the incident
  • Categories of affected data
  • Potential impact
  • Measures taken or proposed to mitigate the incident

Notification timelines and communication channels may be further defined in the applicable Data Processing Agreement (DPA).

Netgraph is committed to maintaining a high level of information security and data protection.

The organization operates in alignment with ISO/IEC 27001 and ISO/IEC 27002 standards and maintains an active Information Security Management System (ISMS).

Netgraph is currently undergoing ISO/IEC 27001:2022 certification, with planned completion in mid-2026.

Data subjects whose personal data is processed through the Service have rights under applicable data protection laws (such as the EU General Data Protection Regulation – GDPR). These rights are exercised via the Customer acting as Data Controller.

  • Request access to their personal data.
  • Request rectification of inaccurate or incomplete personal data.
  • Request suspension or restriction of processing.
  • Request deletion (“right to be forgotten”) of their personal data.
  • Request a copy of their personal data in a portable format, where applicable.

All such requests must be submitted to and handled by the Customer acting as Data Controller.

The Customer is responsible for verifying the requester’s identity, assessing the request, and using the Service’s built-in functionality to fulfil it.

Netgraph does not process or respond directly to data subject rights requests from individual end users.

Upon receipt of a validated request from the Customer, Netgraph will provide assistance as required under the applicable Data Processing Agreement and relevant laws.

Netgraph Privacy Data Sheets are reviewed and updated annually, or as needed.

For the most current version, go to the Netgraph Connectivity Platform – Common section of the Netgraph Docs: https://netgraph-connect.com/docs/ncp/privacy-sheet/

1. Which Cloud Service Providers (CSPs) do you utilize for hosting your SaaS product? How do you implement and adhere to their best practices from a technical and security perspective?

Section titled “1. Which Cloud Service Providers (CSPs) do you utilize for hosting your SaaS product? How do you implement and adhere to their best practices from a technical and security perspective?”

Netgraph Connectivity Platform is hosted on Amazon Web Services (AWS) and ELASTX AB. Customers’ data is stored within AWS or ELASTX data centers located in Sweden or Germany, depending on service configuration.

We follow AWS-recommended security and operational best practices, including:

  • Data encryption at rest using AES-256
  • Data encryption in transit using TLS 1.2 or higher
  • Role-based access control and secure authentication for system administrators including multi-factor authentication (MFA)
  • A structured and documented security incident response process

All sub-processors, including AWS, are contractually bound to maintain the same high standard of data protection and information security as Netgraph.

2. How do you ensure the scalability and performance of your SaaS product? What measures are in place to handle increased load and ensure consistent performance?

Section titled “2. How do you ensure the scalability and performance of your SaaS product? What measures are in place to handle increased load and ensure consistent performance?”

The Netgraph Connectivity Platform is architected as a cloud-native, microservices-based platform, built for horizontal scalability and high availability. The system is actively distributed across three Availability Zones within our cloud provider’s infrastructure (AWS & ELASTX), enabling resilient operations, load balancing, and fault tolerance by design.

This architecture ensures that:

  • Services can be scaled independently based on demand
  • High availability is maintained even in the event of a failure in one Availability Zone
  • Resource utilization can be optimized in real-time to maintain performance

3. Can you describe your approach to designing and implementing security measures within your system?

Section titled “3. Can you describe your approach to designing and implementing security measures within your system?”

Security is an integral part of our system architecture. Our approach includes:

  • Role-based access controls to limit data access to authorized users only
  • Encryption of all personal data at rest and in transit
  • Audit logging for both administrative and end-user actions
  • Structured incident response management, led by a designated Incident Commander within our Data Protection & Privacy team
  • Sub-processors are selected based on their compliance with relevant data protection frameworks and are subject to strict contractual security obligations

4. How is data encrypted both at rest and in transit within your system? What encryption standards and protocols do you use?

Section titled “4. How is data encrypted both at rest and in transit within your system? What encryption standards and protocols do you use?”

As described in the Personal Data Security section we ensure robust data protection through encryption:

  • At rest: All stored data is encrypted using the AES-256 standard
  • In transit: Data is encrypted using TLS 1.2 or higher

This applies to all administrator credentials and end-user device data transmitted and stored by the platform.

5. How do you manage multi-tenancy within your system to ensure the separation and security of customer data?

Section titled “5. How do you manage multi-tenancy within your system to ensure the separation and security of customer data?”

Our platform is built to support multi-tenant environments with strict data separation:

  • Each customer instance is logically isolated
  • Access to data is restricted and governed by policy-based controls
  • Customers can configure access rules, usage policies, and retention periods independently
  • Data visibility is scoped so that only the customer, authorized Netgraph personnel, and where applicable authorized partners (for support purposes) can access the relevant data
  • This always ensures complete data segregation and confidentiality between tenants.

6. Do Netgraph utilize AI technologies when processing personal data?

Section titled “6. Do Netgraph utilize AI technologies when processing personal data?”

The Netgraph Connectivity Platform does not utilize artificial intelligence (AI) or machine learning technologies in the processing of personal data.

All data processing is based on deterministic logic and policy-driven authentication and authorization mechanisms.

No automated decision-making or profiling with legal or similarly significant effects is performed.

Next