Security
At Neon, security is our highest priority. We are committed to implementing best practices and earning the trust of our users.
SOC2
Neon has successfully completed a SOC2 Type 1 audit. A SOC2 (Service Organization Control 2) Type 1 report is an attestation by an independent auditing entity, acknowledging that an organization has processes and systems in place that comply with the principles of the American Institute of Certified Public Accountants (AICPA).
This audit report focuses on five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. Our successful completion of this audit signifies that our design of systems and procedures, as of a specific date, meets these stringent criteria.
Please note that while the term "SOC2 Certified" is commonly used, it is not accurate and we refrain from using it. The AICPA explicitly advises against using this term. A SOC2 report is an attestation of the effectiveness of controls, not a certification.
Our SOC2 Type 1 report underscores our ongoing commitment to safeguarding customer data and maintaining a high level of security. We will continue to invest in regular audits and adhere to industry best practices to ensure the security, integrity, and privacy of the data you entrust us with.
Security reporting
Neon is currently in Technical Preview, and vulnerabilities may be present. We have established a security reporting procedure to address security issues quickly. We recommend using Neon only with public or non-sensitive data at this time.
Important: If you have a security concern or believe you have found a vulnerability in any part of our infrastructure, please contact us at security@neon.tech. If you need to share sensitive information, we can provide you with a security contact number through Signal.
Our commitment to solving security issues
- We will respond to your report within three business days with an evaluation and expected resolution date.
- We will handle your report with strict confidentiality and not share any personal details with third parties without your permission.
- We will keep you informed of the progress towards resolving the problem.
- Once the report has been resolved, we will credit the finding to you in our public security.txt document, unless you prefer to stay anonymous.
- If we need to access proprietary information or personal data stored in Neon to investigate or respond to a security report, we shall act in good faith and in compliance with applicable confidentiality, personal data protection, and other obligations.
We strive to resolve all problems quickly and publicize any discoveries after their resolution.
Neon does not have a bug bounty program and does not pay financial bonuses or bounties for reporting bugs or vulnerability issues.
How to disclose vulnerabilities
Neon pays close attention to the proper security of its information and communication systems. Despite these efforts, it is not possible to entirely exclude the existence of security vulnerabilities.
If you identify a security vulnerability, please proceed as follows under the principle of responsible disclosure:
- Report the security vulnerability to Neon by contacting us at security@neon.tech. Provide as much information about the security vulnerability as possible.
- Do not exploit the security vulnerability; for example, by using it to breach data, change the data of third parties, or deliberately disrupt the availability of the service.
- All activities relating to the discovery of the security vulnerability should be performed within the framework of the law.
- Do not inform any third parties about the security vulnerability. All communication regarding the security vulnerability will be coordinated by Neon and our partners.
- If the above conditions are respected, Neon will not take any legal steps against the party that reported the security vulnerability.
- In the event of a non-anonymous report, Neon will inform the party that submitted the report of the steps it intends to take and the progress toward closing the security vulnerability.
Secure data centers
Neon’s infrastructure is hosted and managed within Amazon’s secure data centers backed by AWS Cloud Security. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. For information about AWS data center compliance programs, refer to AWS Compliance Programs.