Trust is paramount. At Netigate we’re committed to not only providing valuable insights but also ensuring that you’re well-informed about the processes behind these insights. We use your data and AI responsibly, ensuring that every recommendation is rooted in data, vetted for accuracy, and crafted for maximum value for you as a Netigate Customer. As we continue this journey together, we’re excited to see how our AI-driven insights will propel your business forward.
Keeping Customer data safe is and has always been central to everything we do at Netigate. The following is an overview of how we protect our Customers’ data from unauthorised access, use, modification or destruction. It also summarises how we continuously work to improve our products, processes, architecture and infrastructure to meet industry standards, legal regulations (incl. GDPR) and security best practices.
If you are conducting a data security and privacy assessment of Netigate or a privacy audit, the information here has been written with you specifically in mind. The content below includes answers to the most common security, privacy and technical queries – and it is intended to be your trusted primary source for answers.
Currently, this content is only available in English. If you require more information or have questions concerning it or anything else, please contact your nearest Netigate Account Executive.
Please note, the content below has been provided by Netigate’s Trust Team – a group consisting of our Chief Technology Officer, Group DPO, Head of Legal, Netigate Architects and Managers. Due to privacy best practices, legislation and data security constantly evolving, our Trust Team will continuously update this content – so be sure to bookmark this page and check it often for the very latest info.
Netigate utilises a clear Secure Software Development Lifecycle (SSDLC) in order to prevent unintended vulnerabilities.
Netigate’s SSDLC follows security industry best practices to implement a series of checks across every service and software library, component or program used at Netigate. These include but are not limited to:
To complement the above and to further limit our risk of exposure, we also employ 3rd-party cyber security experts to perform annual penetration tests of our systems. Following their recommendations, we continually improve our security systems, ensuring Customer data is safe and secure.
Netigate is designed from the ground up to be secure and scalable – from our infrastructure to the user interface.
Infrastructure
To reduce the impact of human error and to ensure security across our environments, all our infrastructure is defined using version-controlled code and is provisioned through automation. All environments are designed and tested according to current best practices and recommendations, utilising firewalls, multi-layered networks, Access Control Lists (ACLs), certificates and encryption at every step, from network to disc.
PII encryption
Personally Identifiable Information (PII) at rest is encrypted on disc, with keys controlled by Netigate or by an EU/EEA-based subprocessor.
In addition, on the Netigate EX Engage platform, PII is logically encrypted (for crypto shredding) on a per-person basis, thus minimising and mitigating the risk of a data breach as well as guaranteeing irrevocable de-identification of deleted users and respondents.
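Per-person crypto shredding, as an added example in Go that is not Netigate’s own code: each person gets an individual AES-256-GCM key in a hypothetical in-memory vault, and deleting only that key is what makes the person’s encrypted PII irrecoverable while every other person’s data stays readable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Vault keeps one random AES-256 key per person (hypothetical in-memory key store)
// beside that person's encrypted PII blob (nonce||ciphertext). Deleting only the key
// ("crypto shredding") makes the blob unreadable even where copies survive in backups.
type Vault struct{ keys, blobs map[string][]byte }
func NewVault() *Vault { return &Vault{map[string][]byte{}, map[string][]byte{}} }
// random draws n bytes from the OS CSPRNG; failure is fatal rather than risking a weak key or reused nonce.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// gcm wraps a key in AES-GCM; the constructors only fail on a bad key length, which random(32) rules out.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
// Put encrypts PII under the person's own key (generated on first use) with a fresh
// nonce; the person id is bound as associated data so a blob cannot be moved between persons.
func (v *Vault) Put(person string, pii []byte) {
	if _, ok := v.keys[person]; !ok {
		v.keys[person] = random(32)
	}
	g := gcm(v.keys[person])
	nonce := random(g.NonceSize())
	v.blobs[person] = g.Seal(nonce, nonce, pii, []byte(person))
}
// Get decrypts the person's PII; once Shred has run it fails permanently.
func (v *Vault) Get(person string) ([]byte, error) {
	key, ok := v.keys[person]
	if !ok {
		return nil, errors.New("no key for person: data has been shredded")
	}
	g, b := gcm(key), v.blobs[person]
	return g.Open(nil, b[:g.NonceSize()], b[g.NonceSize():], []byte(person))
}
// Shred deletes only the key; the ciphertext stays in place but is now noise.
func (v *Vault) Shred(person string) { delete(v.keys, person) }
```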
Authorisation of users and services
Every request – internal or external – is authenticated and validated for authorisation. Our Identity solution ensures all data requests come from authenticated and approved users, with OAuth, JWT and Session Authentication.
For the Netigate EX Engage platform, we employ a Google Zanzibar-style privilege system for every internal and external data request and write, validating privileges and checking rights at every step. This ensures that access to specified datasets is strictly limited to authorised individuals and systems, and that modifications are only permissible through approved systems. Each internal and external API endpoint is mapped and secured to a specific privilege level, ensuring that every user type, irrespective of origin, is granted explicit authorisation.
Account creation and tenant separation
All Customer data is processed and stored separately by Netigate using a multi-tenancy architecture, creating a logical separation between each Customer. A unique identifier (such as Customer number or “Company ID”) is used to assign and identify the data for each Customer. This logical Customer separation is applied through all layers of storage: data at rest, in transit, in memory and in caches.
Role-based access and permissions
All Netigate data and service functionality, such as APIs, are gated behind an authentication and authorisation system.
In addition, for the Netigate EX Engage platform, our Identity Provider covers both clients and backend systems by providing Multi-Factor Authentication (MFA), followed by session authentication and per-call authentication, validation and authorisation checks. We use a Zanzibar-style authorisation system, meaning access to all data and functionality must be assigned before use and is validated in real time. This covers both user operations and internal system workloads. All passwords and tokens are stored in protected form using bcrypt, XChaCha20-Poly1305 or AES, depending on type.
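The Zanzibar-style checks described here and in the authorisation section above, as an added example in Go that is not Netigate’s implementation: relation tuples, relation inheritance (owner implies editor implies viewer), userset membership through a team, and an endpoint-to-relation map so every API call is gated on exactly one privilege. All object, relation and endpoint names are hypothetical.

```go
package main

import "strings"

// Tuple is a Zanzibar-style relation tuple "object#relation@subject"; the subject is
// either a user id or a userset "object#relation" whose members inherit the relation.
type Tuple struct{ Object, Relation, Subject string }
// ACL is a hypothetical in-memory tuple store. parents maps a relation to the stronger
// relations that include it; endpoints maps each API call to the one relation it needs.
type ACL struct {
	tuples    []Tuple
	parents   map[string][]string
	endpoints map[string]string
}
func NewACL() *ACL {
	return &ACL{ // viewer <- editor <- owner; unmapped endpoints are denied by Authorize
		parents:   map[string][]string{"viewer": {"editor"}, "editor": {"owner"}},
		endpoints: map[string]string{"results.read": "viewer", "survey.edit": "editor", "survey.delete": "owner"},
	}
}
func (a *ACL) Write(t Tuple) { a.tuples = append(a.tuples, t) }
// Check answers "does user hold relation on object?" via a direct tuple, a stronger
// relation that implies it, or membership of a userset subject (e.g. a team).
func (a *ACL) Check(object, relation, user string) bool { return a.walk(object, relation, user, 0) }
func (a *ACL) walk(object, relation, user string, depth int) bool {
	if depth > 8 { // bound recursion so a cyclic userset cannot loop forever
		return false
	}
	for _, t := range a.tuples {
		if t.Object != object || t.Relation != relation {
			continue
		}
		obj, rel, isSet := strings.Cut(t.Subject, "#")
		if t.Subject == user || (isSet && a.walk(obj, rel, user, depth+1)) {
			return true
		}
	}
	for _, p := range a.parents[relation] {
		if a.walk(object, p, user, depth+1) {
			return true
		}
	}
	return false
}
// Authorize gates one endpoint call on the relation mapped to that endpoint.
func (a *ACL) Authorize(endpoint, object, user string) bool {
	rel, ok := a.endpoints[endpoint]
	return ok && a.Check(object, rel, user)
}
```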
Netigate is aware of the special responsibility involved in processing personal data and therefore treats all of its Customers’ data with the utmost care. In order to meet these expectations, Netigate obtained ISO/IEC 27001:2013 certification for all its operating entities in 2022.
In order to adhere to current GDPR legislation, Netigate has implemented the following:
All Netigate operating entities are certified under ISO/IEC 27001:2013 – the world’s best-known standard for information security management and privacy systems. We excluded no areas – or “controls” – in our certification process. We are proud that we have continuously passed all external ISO audits conducted since we received our ISO certificate in 2022. A copy of the ISO certificates can be provided upon request – send an email to dpo@netigate.net.
To ensure compliance with our ISO and GDPR requirements, Netigate adheres to a set of agreed-upon data security and privacy policies. These policies are continually updated by our Security and Privacy team and reviewed by stakeholders in the IT, Legal and Engineering departments, thereby ensuring security policy alignment across the entire Organisation. Furthermore, we have implemented a process of continual learning for all Netigate employees, ensuring said policies are known and complied with.
| Policy | Information |
| --- | --- |
| Information Security User Policy | All staff (employees and consultants) are trained on our policies during on-boarding. This policy includes several components which help staff know how to safely handle and process data, PII and sensitive PII. Netigate guides its staff on how to safely and securely use our systems, networks and devices. This is enforced by continuous training of all staff. |
| Remote Work Policy | We have specific guidelines on how to securely work at home or while travelling. This enables our colleagues to securely do their best work – either onsite or offsite – without sacrificing any of our security or privacy controls. |
| Incident Response Plan | Netigate has well-established processes for responding to production and data security incidents, using industry best practices for escalation and communication and ensuring that regulatory obligations are met. In case of a data breach, Netigate will immediately notify and support the data controller in accordance with our GDPR obligations and as further set forth in the DPA we have with every Customer and supplier who processes data. |
| Additional Confidentiality Obligation | All our employees and consultants are bound to secrecy by a separate agreement. This is to ensure that all our Customer information is processed with appropriate discretion. |
Netigate runs all applications in the cloud. We do not store any Customer data at our premises or at our Customers’ premises. Being fully cloud-based enables Netigate to utilise state-of-the-art security measures, scalability and availability. Netigate also uses extra measures to prevent unauthorised access to our Customers’ data. The Netigate infrastructure team develops and enforces Cloud Security Standards on all infrastructure such as virtual machines, clusters, storage and networks. These include – but are not limited to – the following:
Perimeter security
Netigate employs a diverse combination of Intrusion Detection Technologies, including but not limited to:
Encryption in-transit
Netigate uses certificates and TLS protocols to encrypt data in transit, ensuring secure communication between systems.
Encryption at-rest
To ensure the security and privacy of users and respondents, a centralised service stores data in a controlled and encrypted manner.
In addition, for the Netigate EX Engage platform, the following applies:
Data access
Netigate monitors and controls all data access through version-controlled, approval-gated Access Control Lists (ACLs): changes require management approval and are auditable. ACLs are enforced through automated systems that overwrite and correct any manual overrides. Approvals for data access are granted according to the principle of least privilege and are limited to specific areas of ownership or control, never to all data. Data administration requires a VPN connection. Access to data is limited to Netigate-approved data centers, approved IP addresses and certificate-based authentication.
Customer and respondent access
All users of Netigate’s online platforms pass through a central entry point – the Netigate website – and all data is routed through a proxy over HTTPS, i.e. encrypted. We support SSO per the SAML 2.0 standard, where requested by a Customer. For Netigate EX Engage, we support SSO per the OAuth standard.
Netigate utilises market-leading sub-processors who are located in the EU, although they may have an ultimate parent company outside the EU. Netigate has contractually agreed with such sub-processors to store data within the EU. In the case of third-country transfers where no adequacy decision is in place for the destination country, either the latest standard contractual clauses (SCCs) published by the EU Commission or binding corporate rules are used. Where necessary, we work closely with our external GDPR counsel to conduct transfer impact assessments to document the likelihood and risk of such transfers.
All Netigate’s current sub-processors conduct their data processing either:
Netigate has documented Business Continuity Plans (BCP) and procedures in place, to ensure that Customer data is always available, even following the most severe of outages. Netigate’s BCPs are part of our ISMS (ISO) process and are reviewed annually by the certification authority.
All our systems are backed up fully at least once a week and incrementally daily. All our environments are implemented as code, and can be recreated in the same region or a new region automatically and securely. This includes re-provisioning of databases and other means of storage, together with restoration jobs. We go through disaster recovery exercises such as backup restoration, and environment rebuild exercises at least annually.
Your privacy is important to us, and we want you as a survey respondent to feel secure when answering our surveys. Therefore, the following part of our Privacy Policy concerns you as a respondent and the information collected by Netigate. Any personal information provided by you in responding to questions is regarded as voluntarily submitted and will be stored according to local legislation.
The information collected can be divided into the following categories:
In the case that you are answering a survey distributed through a generic, non-personal link, then no information is registered automatically that can be linked to you as a respondent. The survey page does not use cookies for the respondents other than in one particular survey distribution setting of one response per person.
In order to prevent and mitigate security threats, Netigate logs the IP address from which the survey was completed in its web firewalls, but not at the application level, and it can never be associated with other personal information of the respondent. The storage period of IP addresses is currently 7 days. The legal basis for the processing of this data is Art. 6 para. 1 lit. f) GDPR. Our interest is to ensure the integrity, confidentiality and availability of the data processed on the web servers.
No personal information will be shared with a third party unless specifically stated in the survey or with your specific consent. If required by law, personal information may be submitted to local authorities upon request. Read more in our Privacy Policy.
In addition to the above, the following applies to Engagement surveys in Netigate EX Engage: individual responses are never displayed, and statistics are hidden to prevent deduction of individual answers according to the following rules:
Privacy Policy
To learn more about how, when and under what legal grounds Netigate processes your data if you visit our website, if you are a survey respondent, or if we contact you for marketing, promotional or recruitment purposes, please read our Privacy Policy.
Cookie Policy
To learn more about how and when Netigate’s website uses cookies – and exactly which ones – please read our Cookie Policy.
We think that responsible AI can empower our Customers in many ways. Managers can understand their colleagues faster and gain insights into their needs more tangibly and empathetically. AI also has the potential to enable everyone’s voice to be safely heard by elevating whistleblower data and safely using it through anonymisation, tone changes, classification and other methods.
The safety, bias-mitigation, and privacy assurance of the data and models we employ are paramount. Hence, each model is meticulously vetted and deployed for purposes that prioritise the security and privacy of our users and their decisions.
Want to know more about AI in our products?
To learn more about how we offer AI capabilities in some of our Netigate products, visit our Responsible AI subpage.
Need more information or a copy of a document, e.g. ISO Statement of Applicability, ISO certificate, Transfer Impact Assessment, etc.?
If you’re already a Netigate Customer, simply reach out to your Account Executive asking for a copy. If you are not yet a Netigate Customer but may be interested in becoming one, we are happy to provide these documents after your company has signed our standard NDA. Please contact us at dpo@netigate.net for assistance.