Security overview - Neon Docs

At Neon, security is our highest priority. We are committed to implementing best practices and earning the trust of our users. A key aspect of earning this trust is by ensuring that every touchpoint in our system, from connections, to data storage, to our internal processes, adheres to the highest security standards.

Secure connections

Neon requires that all connections use SSL/TLS encryption to ensure that data sent over the Internet cannot be viewed or manipulated by third parties.

Neon supports the verify-full SSL mode for client connections, which is the strictest SSL mode provided by PostgreSQL. When set to verify-full, a PostgreSQL client verifies that the server's certificate is issued by a trusted certificate authority (CA), and that the server host name matches the name stored in the certificate. This helps prevent man-in-the-middle attacks. For information about configuring verify-full SSL mode for your connections, see Connect securely.

In addition, Neon requires a 60-bit entropy password for all PostgreSQL roles. This degree of entropy ensures that passwords have a high level of randomness. Assuming a perfect distribution of choices for every bit of entropy, a password with 60 bits of entropy has 2^60 (or about 1.15 quintillion) possible combinations, which makes it computationally infeasible for attackers to guess the password through brute-force methods. For Neon users created via the Neon Console, API, and CLI, passwords are generated with 60-bit entropy. For SQL users created via SQL, user-defined passwords are validated at user-creation time to ensure 60-bit entropy.

IP allowlist support

Neon's IP Allow feature, available with the Scale plan, ensures that only trusted IP addresses can connect to the project where your database resides, preventing unauthorized access and helping maintain overall data security. You can limit access to individual IP addresses, IP ranges, or IP addresses and ranges defined with CIDR notation. To learn more, see Configure IP Allow.

Protected branches

You can designate any branch as a "protected branch". A protected status limits access to the branch based on IP addresses. Only IPs listed in your project’s IP allowlist can access this branch. Typically, the protected branch status is given to a branch or branches that hold production data or sensitive data. The protected branch feature is available on Neon's Scale plan. For information about how to configure a protected branch, refer to our Protected branches guide.

Data-at-rest encryption

Data-at-rest encryption is a method of storing inactive data that converts plaintext data into a coded form or cipher text, making it unreadable without an encryption key. Neon stores inactive data in NVMe SSD volumes. The data on NVMe instance storage is encrypted using an XTS-AES-256 block cipher implemented in a hardware module on the instance.

Secure data centers

Neon’s infrastructure is hosted and managed within Amazon’s secure data centers backed by AWS Cloud Security. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. For information about AWS data center compliance programs, refer to AWS Compliance Programs.

SOC 2 compliance

Neon has successfully completed SOC 2 Type 1 and Type 2 audits. For more information, see SOC 2 compliance.

You can request access to our SOC 2 report or directly download the public-facing SOC 3 compliance report on our Neon Trust Center.

Security reporting

Neon adheres to the securitytxt.org standard for transparent and efficient security reporting. For details on how to report potential vulnerabilities, please visit our Security reporting page or refer to our security.txt file.

Questions about our security measures?

If you have any questions about our security protocols or would like a deeper dive into any aspect, our team is here to help. You can reach us at security@neon.tech.