
Neowit Security Whitepaper

This policy outlines Neowit’s defense-in-depth approach to safeguarding customer data across our SaaS platform, detailing our rigorous cloud infrastructure security, application protections, access controls, and commitment to privacy and compliance.

Last updated: January 2026

    1. Our Company and Products

    Neowit is a leading smart room, smart office and smart building platform. The Neowit products are offered as Software-as-a-Service (SaaS) solutions. These solutions are available to customers through purpose-built web applications and application programming interfaces (APIs).

    2. Neowit Security and Risk Focus

    Neowit’s primary security focus is to safeguard our customers’ data. This is the reason that Neowit has invested in the appropriate resources and controls to protect and service our customers. We are focused on defining new and refining existing controls, implementing and managing the Neowit security framework as well as providing a support structure to facilitate effective risk management.

    3. Our Security and Risk Management Objectives

    We have developed our security framework using best practices in the SaaS industry. Our key objectives include:

    • Customer Trust and Protection – consistently deliver superior product and service to our customers while protecting the privacy and confidentiality of their information.
    • Availability and Continuity of Service – ensure ongoing availability of the service and data to all authorized individuals and proactively minimize the security risks threatening service continuity.
    • Information and Service Integrity – ensure that customer information is never corrupted or altered inappropriately.

    4. Neowit Security Controls

    In order to protect the data that is entrusted to us, Neowit utilizes a defense-in-depth approach to implement layers of security controls throughout our organization. The following sections describe a subset of our most frequently asked about controls.

    4.1 Neowit Product Infrastructure

    4.1.1 Cloud Infrastructure Security

    Neowit outsources hosting of its product infrastructure to a leading cloud infrastructure provider, Google Cloud Platform (GCP). Our hosting provider commits to between 99.5% and 99.95% service availability, depending on the service, and provides redundant power, network, and HVAC in its data centers.

    Neowit’s GCP product infrastructure resides in the EU (Amsterdam). GCP maintains an audited security program, as well as physical, environmental, and infrastructure security protections. Its business continuity and disaster recovery plans are independently validated as part of its SOC 2 Type 2 reports and ISO 27001 certification.

    Compliance documentation is publicly available at the GCP Cloud Compliance Page - https://cloud.google.com/compliance. Neowit also maintains a Knowledge Base (KB) article with frequently asked questions regarding our Cloud Infrastructure: https://kb.neowit.io/

    4.1.2 Network Security and Perimeter Protection

    The Neowit product infrastructure enforces multiple layers of filtering and inspection of all connections throughout the platform.

    Changes to our network security are actively monitored and controlled by standard change control processes. Firewall rulesets are reviewed on an annual basis to help ensure that only necessary connections are configured.

    4.1.3 Configuration Management

    Automation drives Neowit’s ability to scale with our customers’ needs. The product infrastructure is a highly automated environment that expands capacity and capability as needed. Server instances are tightly controlled from provisioning through deprovisioning, ensuring that deviations from configuration baselines are detected and reverted at a predefined cadence. In the event that a production server deviates or drifts from the baseline configuration, it will be overwritten with the baseline configuration within 30 minutes.

    All server type configurations are embedded in images and configuration files. Server-level configuration management is handled using these images and configuration scripts when the server is built. Changes to the configuration and standard images are managed through a controlled change management process. Each instance type includes its own hardened configuration, depending on the deployment of the instance.

    Patch management is handled either by automated configuration management tools or by removing server instances that no longer match the expected baseline and provisioning replacement instances in their place. Rigorous, automated configuration management is built into our day-to-day infrastructure operations.
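    The drift detection the two paragraphs above describe, as an added example written for this page rather than code taken from Neowit’s tooling: a baseline manifest of file hashes is built from the golden image, the running instance is compared against it, and any modified, missing or unexpected file is reported and reverted. The file tree and the tampering are constructed inline in `demo()`; a real deployment would keep the manifest signed and off the instance so that an attacker who can edit files cannot also edit the baseline, and would re-provision from the image rather than patch in place.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Hash every file under root. Paths are stored relative to root so the
    manifest is portable across instances built from the same image."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def detect_drift(root, manifest):
    """Compare a running instance against its baseline manifest.
    An added file is drift too: an extra cron job or authorized_keys entry is
    what persistence usually looks like, so 'unexpected' is reported as well."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def remediate(root, baseline_root, drift):
    """Restore modified and missing files from the golden copy and delete files
    the baseline does not know about."""
    root, baseline_root = Path(root), Path(baseline_root)
    for rel in drift["modified"] + drift["missing"]:
        dst = root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        dst.write_bytes((baseline_root / rel).read_bytes())
    for rel in drift["unexpected"]:
        (root / rel).unlink()


def demo():
    """Constructed scenario: two config files in the image, then an edited
    sshd_config, a deleted sysctl.conf and a planted cron job on the instance."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = Path(tmp) / "baseline"
        instance = Path(tmp) / "instance"
        for root in (baseline, instance):
            (root / "etc").mkdir(parents=True)
            (root / "etc" / "sshd_config").write_text("PasswordAuthentication no\n")
            (root / "etc" / "sysctl.conf").write_text("net.ipv4.ip_forward = 0\n")
        manifest = build_manifest(baseline)

        # simulated tampering on the running instance
        (instance / "etc" / "sshd_config").write_text("PasswordAuthentication yes\n")
        (instance / "etc" / "cron.d").mkdir()
        (instance / "etc" / "cron.d" / "backdoor").write_text("* * * * * root /tmp/x\n")
        (instance / "etc" / "sysctl.conf").unlink()

        before = detect_drift(instance, manifest)
        remediate(instance, baseline, before)
        after = detect_drift(instance, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("drift found:", before)
    print("after remediation:", after)
```

Running `demo()` reports `etc/sshd_config` as modified, `etc/sysctl.conf` as missing and `etc/cron.d/backdoor` as unexpected, and a second comparison after `remediate()` is clean. Scheduling `detect_drift` every few minutes is what turns the page’s "reverted within 30 minutes" into a measurable control.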

    4.1.4 Alerting and Monitoring

    Not only does Neowit fully automate its build procedures, we invest heavily in automated monitoring, alerting and response capabilities to continuously address potential issues. The Neowit product infrastructure is instrumented to alert engineers and administrators when anomalies occur. In particular, error rates, abuse scenarios, application attacks, and other anomalies trigger automatic responses and alerts to the appropriate teams for response, investigation, and correction. As unexpected or malicious activities occur, automated systems bring in the right people to ensure that the issue is rapidly addressed.

    Many automated triggers are also designed into the system to immediately respond to unforeseen situations. Traffic blocking, quarantine, process termination, and similar functions kick in at predefined thresholds to ensure that the Neowit platform can protect itself against a wide variety of undesirable situations.

    4.2 Application Protection

    4.2.1 Web Application Defenses

    The rules used to detect and block malicious traffic are aligned to the best-practice guidance published by the Open Worldwide Application Security Project (OWASP), specifically the OWASP Top 10 and similar recommendations. Protection against Distributed Denial of Service (DDoS) attacks is also in place, helping to keep customer portals and the other parts of the Neowit products continuously available.

    4.2.2 Development and Release Management

    One of Neowit’s greatest advantages is a rapidly-advancing feature set, and we constantly optimize our products through a modern continuous delivery approach to software development.

    New code is proposed, approved, merged and deployed daily. Code review, testing (where applicable), and merge approval are performed before deployment. Once approved, code is automatically submitted to Neowit’s continuous integration environment, where compilation, packaging and unit testing occur.

    Every deployment archives the previously running production build so that, if post-deploy hooks detect a failure, roll-back can be engaged immediately. The development team manages notifications regarding the health of their applications.

    We use extensive software gating and traffic management to control features based on customer preferences (private beta, public beta, full launch). Neowit features seamless updates, and as a SaaS application, there is no downtime associated with releases. Major feature changes are communicated through the product update posts.

    Newly developed code is first deployed to dedicated and separate development and staging environments for the last stage of testing before being promoted to production. Network-level segmentation prevents unauthorized access between QA and production environments.

    4.2.3 Vulnerability Scanning and Penetration Testing

    Neowit takes a multi-layered approach to vulnerability scanning, using a variety of industry-recognized tools to cover our technology stack. Neowit maintains a Software Bill of Materials (SBOM) of the software dependencies it ships, and these components are automatically matched against vulnerability databases such as the CVE list. Vulnerability scans are configured to run daily and look for exploitable vulnerabilities.
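    What "matching an SBOM against a vulnerability database" looks like in practice, as an added example that is not Neowit’s scanner: the block parses a CycloneDX-style SBOM, extracts ecosystem, package and version from each component’s package URL (purl), and checks each against an advisory feed of introduced/fixed version bounds, the shape OSV and NVD data take. The SBOM, the package names and the `ADV-EXAMPLE-*` advisory identifiers are all constructed for the example; no real vulnerability is being described. The version comparison is deliberately simple (dotted numeric parts, pre-release suffixes sort below the release) and is where real scanners spend most of their effort.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed CycloneDX 1.5-style SBOM fragment (not a real Neowit SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "examplelib", "version": "1.4.2",
     "purl": "pkg:pypi/examplelib@1.4.2"},
    {"type": "library", "name": "netparse", "version": "2.0.9",
     "purl": "pkg:npm/netparse@2.0.9"},
    {"type": "library", "name": "cryptoshim", "version": "0.9.0",
     "purl": "pkg:pypi/cryptoshim@0.9.0"}
  ]
}
"""

# Constructed advisory feed with placeholder identifiers. Real feeds (OSV, NVD)
# carry the same information: ecosystem, package, introduced and fixed versions.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "ecosystem": "pypi", "package": "examplelib",
     "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "ADV-EXAMPLE-2", "ecosystem": "npm", "package": "netparse",
     "introduced": "2.1.0", "fixed": "2.1.4"},
    {"id": "ADV-EXAMPLE-3", "ecosystem": "pypi", "package": "cryptoshim",
     "introduced": "0", "fixed": None},  # no fix published yet
]


def parse_version(v):
    """Turn '1.4.2' into a tuple that compares in version order.
    Each part becomes (number, 0 or -1, suffix) so that '1.4.2rc1' sorts
    below '1.4.2'. Good enough for the demo; not a full PEP 440 / semver parser."""
    parts = []
    for p in v.split("."):
        i = 0
        while i < len(p) and p[i].isdigit():
            i += 1
        num = int(p[:i]) if i else 0
        suffix = p[i:]
        parts.append((num, -1 if suffix else 0, suffix))
    return tuple(parts)


def parse_purl(purl):
    """Extract (ecosystem, name, version) from a package URL such as
    pkg:pypi/examplelib@1.4.2. Namespaced names like @scope/pkg stay intact
    because the version is split off at the last '@'."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    ecosystem, rest = purl[4:].split("/", 1)
    name, version = rest.rsplit("@", 1)
    return ecosystem, name, version


def is_affected(version, introduced, fixed):
    """Affected when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


@dataclass
class Finding:
    component: str
    version: str
    advisory: str
    fixed: Optional[str]


def scan_sbom(sbom_json, advisories):
    """Return one Finding per (component, advisory) pair that matches."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        if "purl" not in comp:
            continue  # a component without a purl cannot be matched reliably
        eco, name, version = parse_purl(comp["purl"])
        for adv in advisories:
            if (adv["ecosystem"] == eco and adv["package"] == name
                    and is_affected(version, adv["introduced"], adv["fixed"])):
                findings.append(Finding(name, version, adv["id"], adv["fixed"]))
    return findings


if __name__ == "__main__":
    for f in scan_sbom(SBOM_JSON, ADVISORIES):
        action = f"upgrade to {f.fixed}" if f.fixed else "no fix available, track it"
        print(f"{f.advisory}: {f.component}@{f.version} -> {action}")
```

On the constructed input the scan flags `examplelib@1.4.2` (inside the affected range, fixed in 1.4.3) and `cryptoshim@0.9.0` (affected with no fix yet), and clears `netparse@2.0.9` because it predates the introduced version. The "no fix available" branch matters: a finding with nothing to upgrade to needs tracking and compensating controls, not a silent skip.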

    4.3 Customer Data Protection

    4.3.1 Logical Tenant Separation

    Neowit provides a highly scalable, multi-tenant SaaS solution. The Neowit user interface and APIs restrict access to authorized content only. Neowit logically segments data using portal IDs: every object and data record specific to a customer is tagged with that customer’s unique portal ID, and the user interface and APIs only return data within the scope of the portal being accessed, so that one portal cannot read or pollute another portal’s data.

    Authorization rules are incorporated into the design architecture and validated on a continuous basis. Additionally, we log application authentication and associated changes, application availability, and user page views.

    4.3.2 Confidential Information

    Neowit’s platform allows customers to define the type of information collected and stored on their behalf. Per the Neowit Terms of Service and Acceptable Use Policy, our customers are responsible for ensuring they capture only the information appropriate to their needs. The Neowit products should not be used to collect or capture sensitive data such as credit or debit card numbers, personal financial account information, Social Security numbers, passport numbers, driver’s license numbers, or employment, financial or health information.

    4.3.3 Encryption In-Transit and At-Rest

    All sensitive interactions with the Neowit products (e.g. API calls, authenticated sessions, etc.) are encrypted in transit with TLS version 1.2 or 1.3, using certificate keys of 2048 bits or stronger.

    Neowit leverages several technologies to ensure stored data is encrypted at rest. Platform data is stored using AES-256 encryption. User passwords are hashed following industry best practices, and are encrypted at rest.

    4.3.4 Key Management

    Encryption keys for both in transit and at rest encryption are securely managed by the Neowit platform. TLS private keys for in transit encryption are managed through our content delivery partner. Volume and field level encryption keys for at rest encryption are stored in a hardened Key Management System (KMS). Keys are rotated at a frequency that’s dependent upon the sensitivity of the data they’re encrypting. In general, TLS certificates are renewed annually.

    Neowit does not currently support customer-supplied encryption keys.

    4.4 Data Backup and Disaster Recovery

    4.4.1 System Reliability and Recovery

    Neowit is committed to ensuring the availability of our systems by using commercially reasonable efforts to meet a Service Uptime of 99.5% for our Subscription Service in a given calendar month.

    Additionally, we provide real-time updates and historical data on system status and security via Neowit’s status site.

    All Neowit product services are built with full redundancy – where all web, application, and database components are deployed with a minimum of n+1 supporting server instances or containers.

    4.4.2 Disaster Recovery

    Neowit maintains a disaster recovery plan that is tested annually as a part of our controls.

    4.4.3 Backup Strategy

    SYSTEM BACKUPS

    Systems are backed up daily on established schedules and frequencies. Fourteen days of backups are retained for every database, in a form that allows restoration to be performed easily. Backups are monitored for successful execution, and alerts are generated on any exception; failure alerts are escalated, investigated, and resolved. All production data sets are stored on a highly available file storage facility.

    PHYSICAL BACKUP STORAGE

    Because we leverage public cloud services for hosting, backup, and recovery, Neowit does not implement physical infrastructure or physical storage media within its products. Neowit does not generally produce or use other kinds of hard copy media (e.g., paper, tape, etc.) as part of making our products available to our customers.

    BACKUP PROTECTIONS

    By default, all backups are protected through access control restrictions on Neowit product infrastructure networks and access control lists on the file systems storing the backup files.

    CUSTOMER BACKUP OPTIONS

    For customers who would additionally like to back up their data, the Neowit platform provides many ways of making sure you have what you need. Many of the features within your Neowit portal contain export features, and the Neowit Service Account can be used to synchronize your data with other systems. For the details about backing up your data, please check out our KB article about exporting your content.

    4.5 Identity and Access Control

    4.5.1 Product User Management

    The Neowit products allow for granular authorization rules. Customers create and manage the users of their portals, assign each user the privileges appropriate to their account, and limit which data and features each user can access.

    For more information about user roles, please see the Neowit User Roles and Permissions Guide.

    4.5.2 Product Login Protections

    Users log in to their Neowit accounts either with the built-in Neowit login or via SAML single sign-on, with support for Microsoft and Google login. The built-in login enforces a uniform password policy that requires a minimum of 8 characters drawn from a combination of lower- and upper-case letters, numbers, special characters and whitespace. Customers using Neowit’s built-in login cannot change the default password policy.

    The SAML feature is available to all Neowit customers. SAML-based SSO integrates with Microsoft Entra ID (formerly Azure AD) and Google Workspace (formerly G Suite).

    Customers using single sign-on, or Google or Microsoft login, configure their password policy in their SSO provider or in their Google or Microsoft accounts instead.

    4.5.3 Product API Authorization

    Application programming interface (API) access is authorized using either API keys or Basic Authentication (the latter is not recommended for production). Customers can generate API keys for their portals; the keys are intended for rapidly prototyping custom integrations. For more information about API use, please see: https://neowit.gitbook.io/docs
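    How API-key authorization and the portal-ID tenant separation described in section 4.3.1 fit together, as an added example that is not Neowit’s implementation: the server stores only a SHA-256 digest of each key (a leaked table then yields no usable credential), resolves the presented key to a principal carrying the portal ID and scopes, and every repository query is filtered by the principal’s portal ID rather than by any portal ID in the request. The `X-API-Key` header name, the `sensors:read` scope, the `nw_` key prefix and the sensor rows are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """What a valid API key resolves to: the portal it belongs to and its scopes."""
    portal_id: str
    scopes: frozenset


class ApiKeyStore:
    """Keeps only SHA-256 digests of issued keys, indexed by digest.
    Looking up by digest is safe against timing attacks because an attacker
    would have to control the digest, not the key, to probe the index."""

    def __init__(self):
        self._by_digest = {}

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, portal_id, scopes):
        key = "nw_" + secrets.token_urlsafe(32)  # shown to the customer once
        self._by_digest[self._digest(key)] = Principal(portal_id, frozenset(scopes))
        return key

    def authenticate(self, presented):
        if not presented or not presented.startswith("nw_"):
            return None
        digest = self._digest(presented)
        for stored, principal in self._by_digest.items():
            if hmac.compare_digest(stored, digest):  # constant-time equality
                return principal
        return None


class AuthorizationError(Exception):
    pass


class SensorRepository:
    """Every row carries the portal_id it belongs to; every query is scoped by
    the caller's principal, never by a portal id supplied in the request."""

    def __init__(self, rows):
        self._rows = rows

    def _require(self, principal, scope):
        if scope not in principal.scopes:
            raise AuthorizationError(f"missing scope {scope}")

    def list_readings(self, principal):
        self._require(principal, "sensors:read")
        return [r for r in self._rows if r["portal_id"] == principal.portal_id]

    def get_reading(self, principal, sensor_id):
        self._require(principal, "sensors:read")
        for r in self._rows:
            if r["sensor_id"] == sensor_id and r["portal_id"] == principal.portal_id:
                return r
        # Same answer whether the sensor lives in another portal or does not
        # exist at all, so object ids cannot be enumerated across tenants.
        return None


def handle_request(store, repo, headers, sensor_id=None):
    """Minimal handler: authenticate, then act only inside the caller's portal.
    Returns (HTTP status, body)."""
    principal = store.authenticate(headers.get("X-API-Key"))
    if principal is None:
        return 401, {"error": "missing or invalid API key"}
    try:
        if sensor_id is None:
            return 200, repo.list_readings(principal)
        row = repo.get_reading(principal, sensor_id)
        return (200, row) if row else (404, {"error": "not found"})
    except AuthorizationError as e:
        return 403, {"error": str(e)}


# Constructed sample data: two portals, three sensors.
ROWS = [
    {"portal_id": "portal-A", "sensor_id": "s-1", "reading": 21.5},
    {"portal_id": "portal-A", "sensor_id": "s-2", "reading": 19.0},
    {"portal_id": "portal-B", "sensor_id": "s-3", "reading": 23.1},
]


def demo():
    store, repo = ApiKeyStore(), SensorRepository(ROWS)
    key_a = store.issue("portal-A", ["sensors:read"])
    key_b = store.issue("portal-B", [])  # valid key, but no read scope
    return {
        "own": handle_request(store, repo, {"X-API-Key": key_a})[0],
        "own_rows": len(handle_request(store, repo, {"X-API-Key": key_a})[1]),
        "cross_portal": handle_request(store, repo, {"X-API-Key": key_a}, "s-3")[0],
        "no_scope": handle_request(store, repo, {"X-API-Key": key_b})[0],
        "bogus_key": handle_request(store, repo, {"X-API-Key": "nw_bogus"})[0],
        "no_header": handle_request(store, repo, {})[0],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the example is the shape of the checks: portal A’s key lists only portal A’s two rows, a request for portal B’s sensor with portal A’s key gets the same 404 a nonexistent sensor would, a key without the scope gets 403, and an unknown or missing key gets 401 before any data access happens. Basic Authentication sends a reusable password on every request, which is why the page recommends against it in production; a per-integration key can be scoped, rotated and revoked independently.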

    4.5.4 Production Infrastructure Access

    Access to Neowit’s systems is strictly controlled and follows the principle of least privilege. Neowit employees are granted access using a role based access control (RBAC) model.

    Day to day access is minimized to only the individuals whose jobs require it.

    Additionally, direct network connections to product infrastructure devices over SSH or similar protocols are prohibited; engineers must first authenticate through a bastion host ("jump box") before accessing QA or production environments. Server-level authentication uses user-unique SSH keys and token-based two-factor authentication.

    Employee access to both corporate and production resources is subject to daily automated review and at least semi-annual manual recertification.

    4.5.5 Neowit Employee Access to Customer Portals

    Customer Support, Services, and other customer engagement staff may request just-in-time access (JITA) to customer portals on a time-limited basis. Requests are limited to the work responsibilities associated with supporting and servicing our customers, and each request is restricted to a specific customer’s portal for a maximum of 24 hours. All access requests, logins, queries, page views and similar activity are logged.

    4.5.6 Corporate Authentication and Authorization

    Access to any SaaS application in use by Neowit requires SSO with MFA, so that access control is centralized.

    Password policies follow industry best practices for required length, complexity, and rotation frequency.

    4.6 Organizational and Corporate Security

    4.6.1 Background Checks and Onboarding

    Pre-employment checks are performed on Neowit hires. Reference verification is performed at the hiring manager’s discretion.

    Upon hire, all employees must read, and acknowledge Neowit's Office Rules - which help define employee's security responsibilities in protecting company assets/data (including, but not limited to protecting mobile devices, and securing corporate equipment).

    4.6.2 Policy Management

    To help keep all our employees on the same page with regard to protecting data, Neowit documents and maintains a number of written policies and procedures. Neowit maintains a core Written Information Security Policy - the policy covers data handling requirements, privacy considerations, and responses to violations, among many other topics.

    Policies are reviewed and approved at least annually and stored in the company wiki. Policies requiring acknowledgment by employees are incorporated into mandatory annual training.

    4.6.3 Security Awareness Training

    We consider employees to be our first line of defense and we ensure Neowit employees are well trained for their roles. Security awareness training that covers general security best practices is offered to all new Neowit employees upon hire, and on an annual basis. In addition to awareness training, Neowit keeps employees aware of recent security news or initiatives with internal knowledge articles.

    After initial training, more specialized content is available based on an employee's role or resulting access.

    4.6.4 Risk Management

    Neowit has a Risk Management program that includes a documented ERM policy, continual risk assessments, and a formal risk register. Risk mitigation and remediation activities are tracked via a ticketing system.

    4.6.5 Vendor Management

    We leverage a number of third party service providers who augment the Neowit products’ ability to meet your needs. We maintain a vendor management program to ensure that appropriate security and privacy controls are in place. The program includes inventorying, tracking, and reviewing the security programs of the vendors who support Neowit.

    Appropriate safeguards are assessed relative to the service being provided and the type of data being exchanged. Ongoing compliance with expected protections is managed as part of our contractual relationship with them.

    We also maintain a list of our Sub-Processors within our Data Processing Agreement (DPA).

    4.6.6 Corporate Physical Security

    Neowit offices are secured in multiple ways. Door access is controlled by an access control system, with video coverage at the entrances. Video surveillance and other protective measures are implemented across Neowit offices.

    4.7 Incident Management

    Neowit's rapid incident response program is responsive and repeatable. Pre-defined incident types, based on historical trending, are created in order to facilitate timely incident tracking, consistent task assignment, escalation, and communication. Many automated processes feed into the incident response process, including malicious activity or anomaly alerts, vendor alerts, customer requests, privacy events, and others.

    In responding to any incident, we first determine the exposure of the information and determine the source of the security problem, if possible. We provide periodic updates as needed to ensure appropriate resolution of the incident.

    We review all security-related incidents, either suspected or proven, and we coordinate with affected customers using the most appropriate means, depending on the nature of the incident.

    5. Compliance

    The Neowit products should not be used to collect or capture sensitive data such as credit or debit card numbers, personal financial account information, Social Security numbers, passport numbers, driver’s license numbers or similar identifiers, or employment, financial or health information.

    6. Privacy

    The privacy of our customers’ data is one of Neowit’s primary considerations. As described in our Privacy Policy, we never sell your personal data to any third parties. The protections described in this document and other protections that we have implemented are designed to ensure that your data stays private and unaltered. The Neowit products are designed and built with customer needs and privacy considerations in the forefront. Our privacy program incorporates best practices, customers’ and their contacts’ needs, as well as regulatory requirements.

    6.1 Data Retention / Data Deletion

    Customer data is retained for as long as you remain an active customer.

    Former customers’ data is removed from live databases upon a customer’s written request or after an established period following the termination of all customer agreements. Information held in replicas, snapshots, and backups is not actively purged; it ages out of those repositories as their retention periods elapse (for example, the 14-day database backup retention described in section 4.4.3). Neowit retains certain data, such as logs and related metadata, to address security, compliance, or statutory needs.

    Neowit does not currently provide customers with the ability to define custom data retention policies.

    6.2 Privacy Program Management

    Neowit is committed to ensure an effective and consistently implemented privacy program.

    6.3 Breach Response

    You can find our breach reporting policies, process, and obligations outlined in our “Internal control” procedure.

    7. GDPR

    The Neowit platform has a number of features that enable our customers to easily achieve and maintain their GDPR compliance requirements.

    8. Document Scope and Use

    Neowit values transparency in the ways we provide solutions to our customers. This document is designed with that transparency in mind. We are continuously improving the protections that have been implemented and, along those lines, the information and data in this document (including any related communications) are not intended to create a binding or contractual obligation between Neowit and any parties, or to amend, alter or revise any existing agreements between the parties.

    Questions about this policy?

    Email us at privacy@neowit.io or write to Neowit AS, Akersgata 32, 0180 Oslo, Norway.

    © 2026 Neowit Software AS · Oslo, Norway