Neon’s Security & Compliance
At Neon, security, compliance, privacy, and transparency are core to our platform. We protect customer data through industry leading security controls, independent audits, and strict adherence to global compliance standards.
Compliance Frameworks
SOC 2 Type II
Neon undergoes annual SOC 2 Type II audits performed by accredited independent third party auditors. The SOC 3 report, a public summary of our SOC 2 compliance, is available without an NDA in the Trust Center.
ISO/IEC 27001:2022 & ISO/IEC 27701:2019
Neon undergoes annual ISO/IEC 27001:2022 and ISO/IEC 27701:2019 audits for its security and privacy management systems. These certifications validate our commitment to global standards.
Privacy & Regulations
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
Neon complies with CCPA and CPRA, ensuring data privacy and transparency. We don’t sell, share, or retain personal data beyond contractual obligations, allowing users to manage their preferences.
European General Data Protection Regulation (GDPR)
Neon follows the GDPR framework, ensuring user rights, data minimization, and lawful processing. We offer Data Processing Agreements (DPA) and support compliant cross-border data transfers.
United States Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Neon has achieved HIPAA compliance to support customers handling protected health information (PHI). Our security measures include encryption of electronic PHI, least-privilege access control, security monitoring for unauthorized data access, and comprehensive audit logging.
Trust Center
Request audit reports, certifications, and compliance documentation via our Trust Center.
For additional security inquiries, contact security@neon.tech.
Neon PostgreSQL Service
Secure, scalable, cloud-hosted PostgreSQL database.
Cloud Infrastructure
Hosted on AWS and Azure, leveraging built-in security controls.
Data Storage & Processing
Encryption, access controls, and secure data retention policies.
Access & Security Controls
Identity management, monitoring, and compliance enforcement.
Personnel Security
Employee background checks, security training, and access management.
Sub-Processors
Neon engages with carefully selected third-party sub-processors that assist in service delivery.
All sub-processors are reviewed annually and must comply with contractual security and privacy requirements. A list of our third-party sub-processors is available on our website.
Features
Cloud Infrastructure
Data Hosting
Neon’s infrastructure runs on AWS and Azure, certified for SOC 2, ISO 27001, FedRAMP, PCI-DSS, HIPAA, and other global security standards.
Data Segregation
Customer data is isolated with unique IDs to prevent unauthorized access. The API enforces this through authentication in access tokens.
Physical & Environmental Security
Neon personnel have no physical access to AWS or Azure data centers, which have 24/7 surveillance, biometric controls, redundancy, and audits.
Access Control
Production access is restricted by default, granted only when needed with least-privilege, time-limited permissions via Teleport and approval.
Monitoring
Neon uses Grafana to monitor cloud operations. System failures trigger alerts, notifying key personnel for immediate response and resolution.
Vendor Risk Management
All vendors are assessed for security, privacy, and compliance. Those handling sensitive data must meet SOC 2.
Cloud Security
Network Vulnerability Scanning
Neon performs continuous vulnerability scans on all infrastructure components. Identified vulnerabilities are triaged and remediated based on severity.
Intrusion Detection & Prevention
Neon monitors for unauthorized access using traffic monitoring, anomaly detection, and threat intelligence.
Logical Access Controls
Access to production systems is role-based (RBAC), requiring SSO and continuous monitoring. Access modifications require documented approval.
Security Incident Response
Neon has a 24/7 incident response team following well-defined playbooks, including continuous training and annual tabletop exercises.
Encryption
Data in Transit
Neon enforces TLS 1.2+ encryption for all data transmitted over public and private networks.
Data at Rest
All stored data is encrypted using AES-256 and follows key rotation policies to maintain security.
Key Management
Neon uses AWS KMS and Azure Key Vault for key management, with logging and access controls.
Availability & Continuity
Redundancy
Neon’s infrastructure is designed for high availability, leveraging multi-region failover and automated scaling.
Backup Management
Neon performs daily encrypted backups stored across multiple availability zones, with automated integrity validation.
Business Continuity and Disaster Recovery
Neon has a BCDR plan with annual disaster recovery tests and predefined restoration protocols to ensure resilience.
Application & Platform Security
Bug Bounty Program
Neon runs a program via HackerOne, where verified researchers can securely report vulnerabilities and earn rewards for eligible findings.
Learn more
Secure Development Lifecycle (SDLC)
Neon follows a secure development lifecycle with security testing, code reviews, dependency monitoring, and developer security training.
Vulnerability Management
Neon scans for vulnerabilities with Orca and Oligo, patching per SLA: critical 7 days, high 30, medium 60, low 90.
Penetration Testing
Annual third-party penetration tests are conducted on our infrastructure, applications, and APIs to identify and mitigate risks.
CI/CD Security
Neon uses Step Security’s Harden Runner to secure CI/CD by restricting traffic, monitoring dependencies, and enforcing security policies.
Github Secret Scanning Partner Program
Neon joined the GitHub Secret Scanning Partnership in to improve secret detection and remediation across repositories.
Human Resources & Endpoint Security
Background Checks
Neon conducts reference checks for all employees before onboarding.
Confidentiality Agreements
All employees and contractors sign non-disclosure agreements (NDA) upon hire.
Policies
Neon maintains a security policy framework, reviewed annually and enforced company-wide. Employees are required to acknowledge and comply with these policies each year.
Training and Awareness
Neon conducts annual security awareness training, covering HIPAA compliance, anti-harassment policies, and phishing simulations to strengthen employee resilience.
Endpoints
Neon centrally manages employee devices via JumpCloud MDM, enforcing full-disk encryption, automatic OS updates, enforced screen locks, anti-malware protection, and continuous monitoring.