Security and Data Protection
Security is built into how the platform is operated, not added on. This section summarizes the platform’s security posture. The binding obligations are set out in the Privacy Annex, the Privacy Data Sheet, and the Service Terms.
At a glance
- In transit
- TLS 1.2 or higher
- At rest
- AES-256
- Tenancy
- Logical isolation; no cross-tenant access
- Data roles
- Customer is data controller; Netgraph is data processor
- Assurance
- ISMS aligned to ISO/IEC 27001; certification planned mid-2026
Data protection
Section titled “Data protection”- Encryption in transit. All data in transit is protected with TLS 1.2 or higher.
- Encryption at rest. Personal data at rest is encrypted using AES-256.
- Tenant isolation. The platform is multi-tenant and enforces logical isolation between organizations. There is no cross-tenant access.
Access control
Section titled “Access control”Access is governed by role-based access control with least privilege, across the organization and context scopes described in Roles and Administration Levels. Administrator and self-service sign-in are separate, and single sign-on and multi-factor options are available; see Identity and Authentication.
Monitoring, resilience, and incident response
Section titled “Monitoring, resilience, and incident response”The platform is continuously monitored and is distributed across multiple availability zones for resilience. Administrative and authentication activity is centrally logged for traceability. Netgraph maintains incident response procedures and notifies affected customers of a personal-data breach without undue delay, with the information needed to assess and respond.
Data protection roles
Section titled “Data protection roles”The customer is the data controller for the personal data processed through the services, and Netgraph acts as a data processor (or sub-processor) on the customer’s documented instructions. The customer is responsible for the lawful basis of processing, for informing data subjects, for configuring retention, and for handling data subject requests. Netgraph is responsible for the secure operation of the platform and the technical and organizational measures that protect the data. The full allocation is in the Privacy Annex.
Information security management
Section titled “Information security management”Netgraph operates an information security management system aligned with ISO/IEC 27001 and ISO/IEC 27002. ISO/IEC 27001:2022 certification is planned for completion in mid-2026.
Related sections
Section titled “Related sections”- Logging, Reporting, and Retention: audit trail, retention, and data subject search.
- Architecture and Service Delivery: delivery options and data residency.