---
title: "Neeto Security policy"
description: "Read Neeto Security policy."
canonical_url: "https://www.neeto.com/legal/security-policy"
markdown_url: "https://www.neeto.com/legal/security-policy.md"
---

# Neeto Security policy

Neeto uses commercially reasonable efforts to implement and maintain the
security measures listed below. Capitalized terms used below that are not
otherwise defined have the meanings given to them in the
[Agreement](/legal/terms-of-service).

This Security Policy summarizes Our security practices. It should be read
together with Our [Privacy Policy](/legal/privacy-policy),
[Data Processing Agreement](/legal/data-processing-agreement), and
[Subprocessors](/legal/subprocessors) page.

## 1. Security program

Neeto maintains a security program designed to protect Customer Data and support
the reliable operation of the Services. Our approach includes technical,
organizational, and administrative measures that are reviewed and updated as Our
Services and security practices evolve.

## 2. Hosting and data location

Neeto runs its applications on NeetoDeploy, a platform built on Amazon Web
Services (AWS). Our production application instances are hosted in the AWS
`us-east-1` region.

For some attachments, We use Amazon S3 in the AWS `us-east-1` region.

AWS is responsible for the physical security and infrastructure controls of its
data centers. Neeto is responsible for application-level security, access
management, configuration, and operational controls for the Services.

Amazon's data center operations have been accredited under:

- SOC 1/ISAE 3402, SOC 2, SOC 3
- FISMA, DIACAP, and FedRAMP
- PCI DSS Level 1
- ISO 9001, ISO 27001, ISO 27017, ISO 27018

You can refer to
[AWS security policy](https://docs.aws.amazon.com/whitepapers/latest/aws-overview/security-and-compliance.html)
for more details.

## 3. Encryption

Data in transit between end users and Neeto applications is encrypted using
HTTPS/TLS.

## 4. Billing information

Credit card transactions for the Services are processed by payment processors
that use secure transmission and operate PCI-compliant payment environments.
Neeto does not store full credit card numbers on Our systems.

## 5. Access control and monitoring

Access to Neeto's production systems is limited to authorized personnel with a
business need to support, maintain, secure, or operate the Services. Production
access is granted based on role and responsibility and follows the principle of
least privilege.

Only a limited number of engineers, whose job function is to support and
maintain the Neeto environment, are permitted access to Neeto's production
environment. Neeto logs and monitors production access and removes access when
it is no longer needed.

Neeto performs background checks for personnel who are granted access to
production systems.

## 6. Employee onboarding and offboarding

Neeto maintains onboarding and offboarding procedures for employees,
contractors, consultants, interns, vendors, external collaborators, and other
workforce members who may access Neeto code, systems, infrastructure, customer
data, internal tools, credentials, secrets, or other restricted resources.

As part of onboarding, workforce members must complete required documentation
before receiving restricted access. This includes, where applicable, signed
confidentiality and nondisclosure obligations, intellectual property assignment
obligations, acceptable-use requirements, and acknowledgment of Neeto's security
policies and procedures.

Neeto requires a completed and cleared background check before any workforce
member is allowed to access, deploy to, administer, or otherwise work with
Neeto production infrastructure or production systems.

Access provisioning follows role-based need, least privilege, and approval
requirements. Neeto grants access only after required onboarding steps are
completed and removes or adjusts access when a workforce member changes roles or
no longer needs access.

As part of offboarding, Neeto follows procedures designed to revoke access to
Neeto systems, repositories, infrastructure, internal tools, credentials,
secrets, communication systems, and other restricted resources. Where
applicable, Neeto also requires return of Neeto devices, hardware keys,
badges, and other Neeto property, and may remotely wipe Neeto-managed
devices.

## 7. Secure development

Neeto maintains development practices designed to reduce security risk before
changes reach production. Code changes are reviewed before deployment to
production, and development and testing environments are kept separate from
production environments.

Deployment access is limited to authorized engineers. Changes are tested and
deployed through controlled processes intended to reduce the risk of
unauthorized or unintended changes.

## 8. Vulnerability management

Neeto checks gems, packages, libraries, and other software dependencies for
known vulnerabilities and malicious dependency indicators as part of Our CI
build process for pull requests. Neeto also runs dependency vulnerability checks
on a daily basis.

If a build uses an affected dependency version, CI is configured to fail so the
issue can be fixed before the change is merged. Reported vulnerabilities are
evaluated based on severity, exploitability, affected systems, and potential
impact to the Services or Customer Data.

Security patches and dependency updates are prioritized and applied based on
risk.

## 9. Backup and recovery

Neeto backs up production systems and data daily. Backups are protected using
access controls and encryption where available.

## 10. Incident response

Neeto investigates suspected security incidents that are reported to Us or
identified through Our internal processes. We maintain procedures designed to
detect, assess, contain, and remediate security incidents affecting the
Services.

If a security incident affects Customer Data, Neeto will notify affected
customers without undue delay where required by applicable law or Our
contractual obligations. Neeto will provide information that is reasonably
available to help customers meet their own legal obligations.

## 11. Subprocessors and vendor security

Neeto uses vendors and subprocessors to provide parts of the Services. Vendors
and subprocessors that process Customer Personal Data are listed on Our
[Subprocessors](/legal/subprocessors) page.

Where applicable, Neeto requires subprocessors that process Customer Personal
Data to maintain confidentiality, security, and data protection obligations
appropriate to the services they provide. Subprocessor use is governed by Our
[Data Processing Agreement](/legal/data-processing-agreement) where applicable.

## 12. Customer responsibilities

Customers are responsible for managing their own users, roles, permissions,
passwords, single sign-on settings, multi-factor authentication settings, API
tokens, integrations, and Customer Data submitted to the Services.

Customers should configure the Services in a manner appropriate for their own
security and compliance needs and should promptly notify Neeto if they suspect
unauthorized access to their account or Customer Data.

## 13. Security reports and contact

If You discover a potential security issue involving Neeto or the Services,
please email security@neeto.com. Please include enough detail for Us to
understand and investigate the report, such as affected URLs, account details,
steps to reproduce, screenshots, logs, and the potential impact.

Neeto reviews good-faith security reports and works to investigate and remediate
validated issues as appropriate.

## 14. SOC 2 or ISO 27001 certifications

We do not currently hold SOC 2 or ISO 27001 certifications. We continue to
evaluate these certifications as part of Our ongoing commitment to security.

## 15. Modification

Neeto may update this policy by posting the updates to the Neeto Website. Your
continued use of the Services after We post any modifications to this policy
will constitute Your acknowledgment of the modifications and Your consent to
abide by and be bound by the modified policy.
