
Trust Center

  • Information security at Netigate
  • Product security
  • Recurring security testing and penetration tests
  • Security by design
  • Privacy & data protection
  • Accreditations and certifications
  • Security policies
  • Infrastructure Security
  • Data encryption
  • Data storage
  • Disaster Recovery and Backups
  • Respondent information - how do we protect your data?
  • Responsible use of AI

Trust is paramount. At Netigate we’re committed to not only providing valuable insights but also ensuring that you’re well-informed about the processes behind these insights. We use your data and AI responsibly, ensuring that every recommendation is rooted in data, vetted for accuracy, and crafted for maximum value for you as a Netigate Customer. As we continue this journey together, we’re excited to see how our AI-driven insights will propel your business forward.

Information security at Netigate

Keeping Customer data safe is and has always been central to everything we do at Netigate. The following is an overview of how we protect our Customers’ data (each a “Customer”) from unauthorised access, use, modification or destruction. It also summarises how we continuously work to improve our products, processes, architecture and infrastructure to meet industry standards, legal regulations (including GDPR) and security best practices.

If you are conducting a data security and privacy assessment of Netigate or a privacy audit, the information here has been written with you specifically in mind. The content below includes answers to the most common security, privacy and technical queries – and it is intended to be your trusted primary source for answers.

Currently, this content is only available in English. If you require more information or have questions concerning it or anything else, please contact your nearest Netigate Account Executive.

Please note that the content below has been provided by Netigate’s Trust Team, a group consisting of our Chief Technology Officer, Group DPO, Head of Legal, Netigate Architects and Managers. Because privacy best practices, legislation and data security are constantly evolving, our Trust Team will continuously update this content, so be sure to bookmark this page and check it often for the very latest information.

Product security

Netigate utilises a clear Secure Software Development Lifecycle (SSDLC) in order to prevent unintended vulnerabilities.

Netigate’s SSDLC follows security industry best practices to implement a series of checks across every service and software library, component or program used at Netigate. These include but are not limited to:

  • Minimum of 2-person reviews of production changes
  • Automated and manual Open Worldwide Application Security Project (OWASP) Top 10 vulnerability scanning
  • 3rd-party dependency vulnerability scanning
  • Automated and manual testing

Recurring security testing and penetration tests

To complement the above and to further limit our risk of exposure, we also employ 3rd-party cyber security experts to perform annual penetration tests of our systems. Following their recommendations, we continually improve our security systems, ensuring Customer data is safe and secure.

Security by design

Netigate is designed from the ground up to be secure and scalable – from our infrastructure to the user interface.


Infrastructure

To reduce the impact of human error and to ensure security across our environments, all our infrastructure is defined using version-controlled code and is provisioned through automation. All environments are designed and tested according to current best practices and recommendations, utilising firewalls, multi-layered networks, Access Control Lists (ACLs), certificates and encryption at every step, from network to disc.


PII encryption

Personally Identifiable Information (PII) at rest is encrypted on disc, with keys controlled by Netigate or by an EU/EEA-based sub-processor.

In addition, on the Netigate EX Engage platform, PII is logically encrypted (for crypto shredding) on a per-person basis, thus minimising and mitigating the risk of a data breach as well as guaranteeing irrevocable de-identification of deleted users and respondents.
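The per-person encryption and crypto-shredding scheme described above, as an added example in Go (not Netigate’s code): every person gets their own data-encryption key held in a separate vault, PII fields are sealed under that key, and an erasure request removes the key rather than hunting down every copy of the ciphertext. The cipher mode (AES-256-GCM), the in-memory `KeyVault`, and the names `EncryptPII`, `DecryptPII` and `Shred` are this example’s assumptions; the page does not name the cipher or the vault’s API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyVault stands in for the separate vault database that holds one data
// encryption key per person (an in-memory map here; assumption for this example).
type KeyVault struct {
	keys map[string][]byte // personID -> 256-bit AES key
}

func NewKeyVault() *KeyVault { return &KeyVault{keys: map[string][]byte{}} }

// ErrShredded is returned once a person's key has been removed from the vault.
var ErrShredded = errors.New("no key for person: data has been crypto-shredded")

// keyFor returns the person's key, generating a fresh random one on first use.
func (v *KeyVault) keyFor(personID string) ([]byte, error) {
	if k, ok := v.keys[personID]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	v.keys[personID] = k
	return k, nil
}

// Shred deletes the person's key. Every ciphertext sealed under it, whether it
// sits in the main database, a transaction log or a backup, is unrecoverable
// from then on, without having to locate and rewrite those records.
func (v *KeyVault) Shred(personID string) { delete(v.keys, personID) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPII seals one PII field under the person's own key. AES-256-GCM is the
// mode chosen for this example; the page does not name the cipher used.
// Output layout: nonce || ciphertext || tag.
func (v *KeyVault) EncryptPII(personID string, plaintext []byte) ([]byte, error) {
	key, err := v.keyFor(personID)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The person id is bound as associated data, so a sealed field cannot be
	// re-attached to a different person's record without failing verification.
	return aead.Seal(nonce, nonce, plaintext, []byte(personID)), nil
}

// DecryptPII reverses EncryptPII and fails with ErrShredded once the key is gone.
func (v *KeyVault) DecryptPII(personID string, blob []byte) ([]byte, error) {
	key, ok := v.keys[personID]
	if !ok {
		return nil, ErrShredded
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(personID))
}

func main() {
	vault := NewKeyVault()
	// Constructed sample record: one respondent's e-mail address.
	blob, _ := vault.EncryptPII("person-42", []byte("alice@example.com"))
	pt, _ := vault.DecryptPII("person-42", blob)
	fmt.Printf("before shredding: %s\n", pt)

	vault.Shred("person-42") // erasure request: drop the key, leave the rows in place
	_, err := vault.DecryptPII("person-42", blob)
	fmt.Println("after shredding:", err)
}
```

The point to check in a real deployment is the one the key isolation buys: the vault must live in a separate store with its own access controls, and the erasure path must remove the key from that store and its backups, otherwise the rows stay recoverable.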


Authorisation of users and services

Every request – internal or external – is authenticated and validated for authorisation. Our Identity solution ensures all data requests come from authenticated and approved users, with OAuth, JWT and Session Authentication.

For the Netigate EX Engage platform, we employ a Google Zanzibar-style privilege system for every internal and external data request and write, validating privileges and checking rights at every step. This ensures that access to specified datasets is strictly limited to authorised individuals and systems, and that modifications are only permissible through approved systems. Each internal and external API endpoint is mapped and secured to a specific privilege level, ensuring that every user type, irrespective of origin, is granted explicit authorisation.


Account creation and tenant separation

All Customer data is processed and stored separately by Netigate using a multi-tenancy architecture, creating a logical separation between each Customer. A unique identifier (such as a Customer number or “Company ID”) is used to assign and identify the data for each Customer. This logical Customer separation is applied through all layers of storage: data at rest, in transit, in memory and in caches.
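An added example of that tenant separation carried through the storage and cache layers, written in Go for this page (it is not Netigate’s code). The tenant id comes from the authenticated principal, never from a request parameter, and it is part of every database partition and cache key, so a record id guessed from another tenant resolves to “not found” rather than to that tenant’s data. The `Principal`, `TenantStore` and the in-memory maps standing in for the database and cache are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Principal is what the authentication layer hands each request: the tenant
// is taken from the verified session or token, never from a query parameter.
type Principal struct {
	UserID   string
	TenantID string
}

var ErrNotFound = errors.New("record not found in this tenant")

// TenantStore keeps every record under its tenant's partition and keys the
// cache with the tenant id too, so a cache hit can never cross tenants.
// In-memory maps stand in for the database and cache (assumption for this example).
type TenantStore struct {
	db    map[string]map[string]string // tenantID -> recordID -> payload
	cache map[string]string            // "tenantID/recordID" -> payload
	hits  int                          // cache hits, exposed for the demo
}

func NewTenantStore() *TenantStore {
	return &TenantStore{db: map[string]map[string]string{}, cache: map[string]string{}}
}

func cacheKey(tenantID, recordID string) string { return tenantID + "/" + recordID }

// Put writes a record into the caller's own tenant partition.
func (s *TenantStore) Put(p Principal, recordID, payload string) {
	if s.db[p.TenantID] == nil {
		s.db[p.TenantID] = map[string]string{}
	}
	s.db[p.TenantID][recordID] = payload
	delete(s.cache, cacheKey(p.TenantID, recordID))
}

// Get resolves a record id only inside the caller's tenant. A guessed id from
// another tenant yields ErrNotFound rather than that tenant's data.
func (s *TenantStore) Get(p Principal, recordID string) (string, error) {
	if v, ok := s.cache[cacheKey(p.TenantID, recordID)]; ok {
		s.hits++
		return v, nil
	}
	v, ok := s.db[p.TenantID][recordID]
	if !ok {
		return "", ErrNotFound
	}
	s.cache[cacheKey(p.TenantID, recordID)] = v
	return v, nil
}

func main() {
	s := NewTenantStore()
	acme := Principal{UserID: "u1", TenantID: "acme"}
	globex := Principal{UserID: "u2", TenantID: "globex"}
	// Constructed sample data: the same survey id exists in both tenants.
	s.Put(acme, "survey-1001", "Acme onboarding survey")
	s.Put(globex, "survey-1001", "Globex exit survey")
	s.Put(globex, "survey-2002", "Globex salary review")

	v, _ := s.Get(acme, "survey-1001")
	fmt.Println("acme sees:", v)
	v, _ = s.Get(globex, "survey-1001")
	fmt.Println("globex sees:", v)
	_, err := s.Get(acme, "survey-2002")
	fmt.Println("acme asking for a globex id:", err)
}
```

The design choice worth copying is that there is no code path that takes a tenant id as an argument from the request: the only way to name a tenant is through the authenticated `Principal`.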


Role-based access and permissions

All Netigate data and service functionality, such as APIs, are gated behind an authentication and authorisation system.

In addition, for the Netigate EX Engage platform, our Identity Provider covers both clients and backend systems, providing a Multi-Factor Authentication (MFA) system, followed by session authentication and per-call authentication, validation and authorisation checks. We use a Zanzibar-style authorisation system, meaning access to all data and functionality needs to be assigned before use and is validated in real time. This covers both user operations and internal system workloads. All passwords and tokens are stored encrypted using bcrypt, XChaCha20-Poly1305 or AES, depending on type.
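An added Go example of the Zanzibar-style check described in this section and in the “Authorisation of users and services” section above; it is not Netigate’s implementation. Access is expressed as relation tuples (`object#relation@subject`), a subject may itself be a userset such as a team’s members, and each API route is mapped to the privilege it requires, with unmapped routes denied. The tuple format, the `implies` rewrite rules (editor implies viewer, owner implies editor), the route names and the `Authorize` entry point are all assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Tuple is one relation in Zanzibar form: object#relation@subject, where the
// subject is either a user ("user:alice") or a userset ("team:eng#member").
type Tuple struct {
	Object, Relation, Subject string
}

// Authorizer holds the tuples plus a small rewrite rule: each relation may
// list the stronger relations that imply it (example's own choice of rules).
type Authorizer struct {
	tuples  []Tuple
	implies map[string][]string // relation -> relations that imply it
}

func NewAuthorizer(tuples []Tuple) *Authorizer {
	return &Authorizer{
		tuples: tuples,
		implies: map[string][]string{
			"viewer": {"editor"},
			"editor": {"owner"},
		},
	}
}

// Check answers "does user have relation on object?", following userset
// subjects recursively. The depth limit stops cycles in the tuple graph.
func (a *Authorizer) Check(user, relation, object string) bool {
	return a.check(user, relation, object, 0)
}

func (a *Authorizer) check(user, relation, object string, depth int) bool {
	if depth > 8 {
		return false
	}
	for _, t := range a.tuples {
		if t.Object != object || t.Relation != relation {
			continue
		}
		if t.Subject == user {
			return true
		}
		// userset subject "team:eng#member": is the user a member of team:eng?
		if obj, rel, ok := strings.Cut(t.Subject, "#"); ok && a.check(user, rel, obj, depth+1) {
			return true
		}
	}
	// computed userset: a stronger relation on the same object grants this one
	for _, stronger := range a.implies[relation] {
		if a.check(user, stronger, object, depth+1) {
			return true
		}
	}
	return false
}

// endpointPrivilege maps every API route to the privilege it requires.
// A route missing from the map is denied rather than defaulting to open.
var endpointPrivilege = map[string]string{
	"GET /reports/{id}":    "viewer",
	"PUT /reports/{id}":    "editor",
	"DELETE /reports/{id}": "owner",
}

// Authorize is the per-call gate: look up the route's privilege, then Check.
func (a *Authorizer) Authorize(user, route, object string) bool {
	rel, ok := endpointPrivilege[route]
	if !ok {
		return false
	}
	return a.Check(user, rel, object)
}

func main() {
	// Constructed sample tuples: a report owned by alice and shared with the
	// engineering team, whose members include the nested team of leads.
	a := NewAuthorizer([]Tuple{
		{"report:q3", "owner", "user:alice"},
		{"report:q3", "viewer", "team:eng#member"},
		{"team:eng", "member", "user:bob"},
		{"team:eng", "member", "team:eng-leads#member"},
		{"team:eng-leads", "member", "user:carol"},
	})
	for _, c := range []struct{ user, route string }{
		{"user:bob", "GET /reports/{id}"},
		{"user:bob", "PUT /reports/{id}"},
		{"user:carol", "GET /reports/{id}"},
		{"user:alice", "DELETE /reports/{id}"},
		{"user:mallory", "GET /reports/{id}"},
	} {
		fmt.Printf("%-12s %-22s allowed=%v\n", c.user, c.route, a.Authorize(c.user, c.route, "report:q3"))
	}
}
```

Two properties make this kind of system auditable: every grant is a stored tuple that can be listed and reviewed, and the route-to-privilege map is explicit, so adding an endpoint without a mapping fails closed.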

Privacy & data protection

Netigate is aware of the special responsibility involved in processing personal data and therefore treats all of its Customers’ data with the utmost care. To meet these expectations, Netigate obtained ISO/IEC 27001:2013 certification for all its operating entities in 2022.

In order to adhere to current GDPR legislation, Netigate has implemented the following:

  • Establishment of a data protection and IT security concept, building technical and organisational measures (TOMs). The full text of our TOMs appears in an annex to our standard data processing agreement (DPA).
  • Continuous development and improvement of processes, taking into account state-of-the-art technology, costs of implementation and the nature, scope, circumstances and purposes of the processing. We also consider the likelihood and severity of the risk to the rights and freedoms of the individual.
  • Data protection from design to execution, e.g. access control based on the principle of least privilege (PoLP).
  • As a data processor, Netigate supports our Customers in the timely processing of data subject requests, such as the rights of access, deletion, data portability, secure deletion, etc.
  • As a data controller, Netigate complies with current GDPR legislation, ensuring we only hold data for relevant and legal purposes.
  • Ensuring written data processing agreements (DPAs) are in place for every Customer and supplier that processes data.
  • Diligent assessment, selection and review of all sub-processors; selecting only sub-processors that provide data processing either in the EU/EEA, in a country with an adequacy decision, or otherwise using GDPR-approved contractual safeguards.

Accreditations and certifications

All Netigate operating entities are certified under ISO/IEC 27001:2013 – the world’s best-known standard for information security management and privacy systems. We excluded no areas – or “controls” – in our certification process. We are proud that we have continuously passed all external ISO audits conducted since we received our ISO certificate in 2022. A copy of the ISO certificates can be provided upon request – send an email to dpo@netigate.net.

Security policies

To ensure compliance with our ISO and GDPR requirements, Netigate adheres to a set of agreed-upon data security and privacy policies. These policies are continually updated by our Security and Privacy team and reviewed by stakeholders in the IT, Legal and Engineering departments, thereby ensuring security policy alignment across the entire Organisation. Furthermore, we have implemented a process of continual learning for all Netigate employees, ensuring said policies are known and complied with.

Information Security User Policy: All staff (employees and consultants) are trained on our policies during onboarding. This policy includes several components which help staff know how to safely handle and process data, PII and sensitive PII. Netigate guides its staff on how to safely and securely use our systems, networks and devices. This is enforced by continuous training of all staff.

Remote Work Policy: We have specific guidelines on how to work securely at home or while travelling. This enables our colleagues to do their best work securely, either onsite or offsite, without sacrificing any of our security or privacy controls.

Incident Response Plan: Netigate has well-established processes for responding to production and data security incidents, using industry best practices for escalation and communication and ensuring that regulatory obligations are met.

In case of a data breach, Netigate will immediately notify and support the data controller in accordance with our GDPR obligations and as further set forth in the DPA we have with every Customer and supplier who processes data.

Additional Confidentiality Obligation: All our employees and consultants are bound to secrecy by a separate agreement. This is to ensure that all our Customer information is processed with appropriate discretion.

Infrastructure Security

Netigate runs all applications in the cloud. We do not store any Customer data at our premises or at our Customers’ premises. Being fully cloud-based enables Netigate to utilise state-of-the-art security measures, scalability and availability. Netigate also uses extra measures to prevent unauthorised access to our Customers’ data. The Netigate infrastructure team develops and enforces Cloud Security Standards on all infrastructure, such as virtual machines, clusters, storage and networks. These include, but are not limited to, the following:

Perimeter security

Netigate employs a diverse combination of Intrusion Detection Technologies, including but not limited to:

  • Ingress/ACL
  • Cloud threat detection
  • Endpoint protection
  • Monitoring and automated alerting tools deployed across all services, applications and infrastructure

Data encryption

Encryption in-transit

Netigate uses certificates and TLS protocols to encrypt data in transit, ensuring secure communication between systems.


Encryption at-rest

To ensure the security and privacy of users and respondents, a centralised service stores data in a controlled and encrypted manner.

In addition, for the Netigate EX Engage platform, the following applies:

  • PII – both final and in transaction logs – is encrypted using crypto shredding after processing. Keys for encryption and decryption are stored in a separate vault database, isolated from the system database. By the principle of least access, few services are allowed access to PII.
  • The only exception is the administrator’s email address, which is needed unencrypted for single sign-on (SSO) functionality. All backups are saved for 30 days. GDPR deletions take effect immediately as PII can be shredded by removal of vault keys.
  • All managed service instances and underlying VMs use full-volume encryption with LUKS2 default mode aes-xts-plain64:sha256 with a 512-bit key. Backups are encrypted with a randomly generated key per file. The file encryption is performed with AES-256 in CTR mode with HMAC-SHA256 for integrity protection. The key lengths are 256-bit for block encryption, 512-bit for integrity protection and 3072-bits for the RSA key.
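The backup file encryption in the last item above, as an added Go example using only the standard library; it is not Netigate’s code. Each file gets a fresh random 256-bit AES key and a 512-bit HMAC-SHA256 key, the payload is encrypted with AES-256-CTR and then authenticated (encrypt-then-MAC over IV and ciphertext), and the per-file keys are wrapped with a 3072-bit RSA key. That the RSA key is used to wrap the per-file keys, the RSA-OAEP label, and the names `EncryptBackup`, `DecryptBackup` and `NewBackupKey` are assumptions of the example; the LUKS2 volume encryption is an operating-system setting and is not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	encKeyLen = 32 // 256-bit AES key
	macKeyLen = 64 // 512-bit HMAC-SHA256 key
	ivLen     = aes.BlockSize
	tagLen    = sha256.Size
)

// EncryptedBackup is one backup file: the payload sealed under fresh per-file
// keys, and those keys wrapped to the backup RSA public key.
type EncryptedBackup struct {
	WrappedKeys []byte // RSA-OAEP( encKey || macKey )
	Body        []byte // iv || AES-256-CTR ciphertext || HMAC-SHA256 tag
}

var ErrTampered = errors.New("backup integrity check failed")

// NewBackupKey generates the RSA-3072 key pair that wraps the per-file keys
// (using RSA for key wrapping is this example's assumption).
func NewBackupKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		panic(err)
	}
	return priv
}

func tag(macKey, iv, ct []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	mac.Write(iv)
	mac.Write(ct)
	return mac.Sum(nil)
}

// EncryptBackup: random keys per file, encrypt-then-MAC, keys wrapped with RSA-OAEP.
func EncryptBackup(pub *rsa.PublicKey, plaintext []byte) (*EncryptedBackup, error) {
	keys := make([]byte, encKeyLen+macKeyLen)
	iv := make([]byte, ivLen)
	if _, err := rand.Read(keys); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(keys[:encKeyLen])
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	// CTR alone is malleable (a flipped ciphertext bit flips the same plaintext
	// bit); the tag over iv||ciphertext is what makes tampering detectable.
	body := make([]byte, 0, ivLen+len(ct)+tagLen)
	body = append(append(append(body, iv...), ct...), tag(keys[encKeyLen:], iv, ct)...)

	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keys, []byte("backup-keys"))
	if err != nil {
		return nil, err
	}
	return &EncryptedBackup{WrappedKeys: wrapped, Body: body}, nil
}

// DecryptBackup unwraps the per-file keys, verifies the tag in constant time
// and only then decrypts; any modification of the body yields ErrTampered.
func DecryptBackup(priv *rsa.PrivateKey, b *EncryptedBackup) ([]byte, error) {
	keys, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKeys, []byte("backup-keys"))
	if err != nil || len(keys) != encKeyLen+macKeyLen {
		return nil, errors.New("cannot unwrap backup keys")
	}
	if len(b.Body) < ivLen+tagLen {
		return nil, ErrTampered
	}
	split := len(b.Body) - tagLen
	iv, ct, got := b.Body[:ivLen], b.Body[ivLen:split], b.Body[split:]
	if !hmac.Equal(tag(keys[encKeyLen:], iv, ct), got) {
		return nil, ErrTampered
	}
	block, err := aes.NewCipher(keys[:encKeyLen])
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

func main() {
	priv := NewBackupKey()
	backup, _ := EncryptBackup(&priv.PublicKey, []byte("constructed backup payload"))
	pt, err := DecryptBackup(priv, backup)
	fmt.Printf("restore: %q err=%v\n", pt, err)

	backup.Body[ivLen] ^= 0x01 // flip one ciphertext bit
	_, err = DecryptBackup(priv, backup)
	fmt.Println("tampered restore:", err)
}
```

The order of operations in `DecryptBackup` is the important part: the tag is checked with `hmac.Equal` before any plaintext is produced, so a modified backup is rejected outright instead of being restored with silently corrupted content.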


Data access

Netigate monitors and controls all data access through version-controlled, approval-gated Access Control Lists (ACLs). Changes to the ACLs require management approval and are auditable. ACLs are enforced through automated systems that overwrite and correct any manual overrides. Approvals for data access are granted according to the principle of least privilege and are limited to specific areas of ownership or control, not to all data. Data administration requires a VPN connection. Access to data is limited to Netigate-approved data centers, approved IP addresses and certificate-based authentication.


Customer and respondent access

All users of Netigate’s online platforms pass through a central entry point, the Netigate website, and all data communicated is directed through a proxy over HTTPS, encrypted in transit. We support SSO per the SAML 2.0 standard where requested by a Customer. For Netigate EX Engage, we support SSO per the OAuth standard.

Data storage

Netigate utilises market-leading sub-processors who are located in the EU, although they may have an ultimate parent company outside the EU. Netigate has contractually agreed with such sub-processors to store data within the EU. In case of third-country transfers, if an adequacy decision is not in place for the destination country, then either the latest standard contractual clauses (SCCs) published by the EU Commission are utilised or binding corporate rules. Where necessary, we work closely with our external GDPR counsel to conduct transfer impact assessments to document the likelihood and risk of such transfers.

All Netigate’s current sub-processors conduct their data processing either:

  • in the EU/EEA
  • in a country with an adequacy decision
  • as a sub-processor certified under the EU-US Data Privacy Framework, or
  • otherwise using GDPR-approved contractual safeguards such as SCCs.

Disaster Recovery and Backups

Netigate has documented Business Continuity Plans (BCP) and procedures in place, to ensure that Customer data is always available, even following the most severe of outages. Netigate’s BCPs are part of our ISMS (ISO) process and are reviewed annually by the certification authority.

All our systems are backed up fully at least once a week and incrementally daily. All our environments are implemented as code, and can be recreated in the same region or a new region automatically and securely. This includes re-provisioning of databases and other means of storage, together with restoration jobs. We go through disaster recovery exercises such as backup restoration, and environment rebuild exercises at least annually.

Respondent information - how do we protect your data?

Your privacy is important to us, and we want you as a survey respondent to feel secure when answering our surveys. Therefore, the following part of our Privacy Policy concerns you as a respondent and the information collected by Netigate. Any personal information provided by you in responding to questions is regarded as voluntarily submitted and will be stored according to local legislation.

The information collected can be divided in the following categories:

  • respondent information provided by the company conducting the survey (the Controller), most often your email and phone number but can also be additional information such as organisational or regional belonging
  • your survey responses – these can be single or multi-choice options but also free-text answers
  • meta-data regarding survey answers such as time and date of response

In the case that you are answering a survey distributed through a generic, non-personal link, then no information is registered automatically that can be linked to you as a respondent. The survey page does not use cookies for the respondents other than in one particular survey distribution setting of one response per person.

In order to prevent and mitigate security threats, Netigate logs the IP address from which a survey was completed in its web firewalls, but not at the application level, and it can never be associated with other personal information of the respondent. The storage period of IP addresses is currently 7 days. The legal basis for the processing of this data is Art. 6 para. 1 lit. f) GDPR. Our interest is to ensure the integrity, confidentiality and availability of the data processed on the web servers.

No personal information will be shared to a third party unless specifically stated in the survey or with your specific consent. If required by law, personal information may be submitted to local authorities upon request. Read more in our Privacy Policy.

In addition to the above, the following applies to engagement surveys in Netigate EX Engage: individual responses are never displayed, and statistics are hidden to prevent deduction of individual answers, according to the following rules:

  • Minimum of 3 members in the team to show the content of the report.
  • Minimum of 3 answers from any employee in order to show any engagement, driver, sub-driver score or question distribution.
  • Minimum of 3 answers from any employee to show the overtime chart.
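An added Go example of how these minimum-count rules can be applied when a team report is built; it is not Netigate’s reporting code. The whole report is withheld for a team of fewer than 3 members, a question’s score is omitted unless at least 3 distinct employees answered it, and a period appears in the over-time chart only when at least 3 distinct employees responded in it. Reading “3 answers” as answers from 3 distinct employees, applying the chart rule per period, and the `Response`/`Report` data model are assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Response is one employee's answer to one question in one survey period.
// This data model is constructed for the example.
type Response struct {
	Employee string
	Question string
	Period   string // e.g. "2024-Q1"
	Score    int    // 1..5
}

const (
	minTeam    = 3 // team members required before any report content is shown
	minAnswers = 3 // distinct respondents required per question and per period
)

// Report is what a manager gets to see after the thresholds are applied.
type Report struct {
	Shown   bool               // false: the whole report is withheld
	Scores  map[string]float64 // question -> mean score; suppressed questions are absent
	Periods []string           // periods with enough respondents for the over-time chart
}

func noteRespondent(m map[string]map[string]bool, key, employee string) {
	if m[key] == nil {
		m[key] = map[string]bool{}
	}
	m[key][employee] = true
}

// BuildReport aggregates responses and withholds any figure that fewer than
// minAnswers distinct employees contributed to, so no single person's answer
// can be read off a score or a chart point.
func BuildReport(teamSize int, rs []Response) Report {
	if teamSize < minTeam {
		return Report{Shown: false}
	}
	sum, count := map[string]int{}, map[string]int{}
	byQuestion := map[string]map[string]bool{} // question -> set of respondents
	byPeriod := map[string]map[string]bool{}   // period -> set of respondents
	for _, r := range rs {
		sum[r.Question] += r.Score
		count[r.Question]++
		noteRespondent(byQuestion, r.Question, r.Employee)
		noteRespondent(byPeriod, r.Period, r.Employee)
	}
	rep := Report{Shown: true, Scores: map[string]float64{}}
	for q := range sum {
		if len(byQuestion[q]) >= minAnswers {
			rep.Scores[q] = float64(sum[q]) / float64(count[q])
		}
	}
	for p, who := range byPeriod {
		if len(who) >= minAnswers {
			rep.Periods = append(rep.Periods, p)
		}
	}
	sort.Strings(rep.Periods)
	return rep
}

func main() {
	// Constructed sample: a team of four; q2 and 2024-Q2 have only two respondents.
	rs := []Response{
		{"e1", "q1", "2024-Q1", 4}, {"e2", "q1", "2024-Q1", 5}, {"e3", "q1", "2024-Q1", 3},
		{"e1", "q2", "2024-Q1", 2}, {"e2", "q2", "2024-Q1", 2},
		{"e1", "q1", "2024-Q2", 4}, {"e2", "q1", "2024-Q2", 4},
	}
	rep := BuildReport(4, rs)
	fmt.Printf("shown=%v scores=%v chart periods=%v\n", rep.Shown, rep.Scores, rep.Periods)
	fmt.Printf("team of two: shown=%v\n", BuildReport(2, rs).Shown)
}
```

Counting distinct employees rather than raw answers is what makes the threshold meaningful: three answers from one person would otherwise satisfy the rule while still exposing that person.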


Privacy Policy

To learn more about how, when and under what legal grounds Netigate processes your data if you visit our website, if you are a survey respondent, or if we contact you for marketing, promotional or recruitment purposes, please read our Privacy Policy.


Cookie Policy

To learn more about how and when Netigate’s website uses cookies – and exactly which ones – please read our Cookie Policy.

Responsible use of AI

We think that responsible AI can empower our Customers in many ways. Managers can understand their colleagues faster and gain insights into their needs more tangibly and emphatically. AI also has the potential to enable everyone’s voice to be safely heard by elevating whistleblower data and safely using it through anonymisation, tone-changes, classification and other methods.

The safety, bias-mitigation, and privacy assurance of the data and models we employ are paramount. Hence, each model is meticulously vetted and deployed for purposes that prioritise the security and privacy of our users and their decisions.


Want to know more about AI in our products?

To learn more about how we offer AI capabilities in some of our Netigate products, visit our Responsible AI subpage.

To learn more about how we protect customer data and information when using AI and generative technologies, check out our customer data usage policy.

Need more information or a copy of a document, e.g. the ISO Statement of Applicability, ISO certificate or Transfer Impact Assessment?

If you’re already a Netigate Customer, simply reach out to your Account Executive asking for a copy. If you are not yet a Netigate Customer but may be interested in becoming one, we are happy to provide these documents after your company has signed our standard NDA. Please contact us under dpo@netigate.net for assistance.

  Copyright © 2025 Netigate AB, Drottninggatan 25, 111 51, Stockholm, Sverige 