Security & Compliance

Last updated: May 11, 2026

Pre-launch notice: npass.io is preparing for general availability. The statements on this page describe our planned security and compliance posture. Specific controls, certifications, and disclosures may be updated, including in material respects, before the service is offered for sale.

Enterprise-Grade Security: npass.io implements industry-leading security practices to protect your network access control infrastructure and sensitive data.

Infrastructure Overview

npass.io is hosted on Amazon Web Services (AWS) in the Frankfurt region (eu-central-1), ensuring data residency within the European Union. Our infrastructure is designed for high availability, scalability, and security.

Region: Frankfurt, Germany (eu-central-1)
Availability: Multi-zone deployment with automatic failover
Uptime Target: 99.9% monthly availability

Encryption

Encryption at Rest

All data stored in npass.io is encrypted at rest using industry-standard encryption:

Algorithm: AES-256 (Advanced Encryption Standard with 256-bit keys)
Database Encryption: AWS RDS encryption with customer-managed keys
File Storage: AWS S3 with server-side encryption
Backup Encryption: All backups encrypted with AES-256

Encryption in Transit

All data transmitted to and from npass.io is encrypted in transit:

Protocol: TLS 1.3 (minimum)
Certificate: SHA-256 signed by trusted Certificate Authority
API Communications: All API calls use TLS 1.3
HSTS: HTTP Strict Transport Security enabled

Network Security

Firewall and DDoS Protection

AWS WAF (Web Application Firewall) for detecting and blocking malicious traffic
AWS Shield DDoS protection (Standard and Advanced)
Network ACLs and security groups limiting traffic to necessary ports
VPC isolation for application and database layers

Intrusion Detection

Continuous monitoring for suspicious network activity
Automated alerts for anomalous traffic patterns
Rate limiting and brute-force protection
Geographic IP blocking for high-risk regions (configurable)

Access Control and Authentication

User Authentication

Password Requirements: Minimum 12 characters with complexity rules
Password Hashing: bcrypt with salt
Session Management: Secure, HTTPOnly session cookies with short expiration
Multi-Factor Authentication (MFA): TOTP and hardware security keys supported

Authorization

Role-Based Access Control (RBAC): Administrators, Operators, and Viewers
Least Privilege: Users assigned minimum required permissions
API Keys: Personal and Organization API keys with granular scopes
Token Rotation: Automatic API token rotation available

Administrative Access

SSH access to infrastructure restricted to authorized personnel only
All administrative actions logged and audited
Password-protected access to management consoles
Principle of least privilege applied to all administrator accounts

Data Isolation

Each customer's data is logically isolated using a per-tenant architecture:

Database Isolation: Row-level security policies enforce tenant isolation
Application-Level Isolation: Middleware enforces tenant context throughout request lifecycle
Storage Isolation: Separate S3 prefixes for each tenant
API Isolation: All API calls validated for proper tenant context

Incident Response

Incident Detection

24/7 automated monitoring and alerting
Log analysis and pattern detection
User behavior analytics for anomaly detection
Security vulnerability scanning

Incident Response Process

Detection: Automated systems or personnel identify security incident
Containment: Immediate isolation of affected systems
Investigation: Forensic analysis to determine scope and impact
Notification: Affected customers notified within 72 hours (per GDPR)
Remediation: Technical fixes and preventive measures implemented
Post-Incident Review: Analysis to prevent future incidents

Data Breach Notification

In the event of a confirmed data breach affecting personal data, we will notify affected data subjects and relevant supervisory authorities without undue delay and no later than 72 hours after becoming aware. Notifications will include:

Nature of the breach
Categories and approximate number of affected records
Likely consequences
Measures taken to mitigate risk
Contact point for more information

Business Continuity and Disaster Recovery

Backup and Recovery

Backup Frequency: Continuous replication plus daily snapshots
Retention: 90-day backup retention
Geographic Redundancy: Backups stored in multiple AWS regions
Recovery Time Objective (RTO): < 1 hour
Recovery Point Objective (RPO): < 15 minutes

Disaster Recovery

Multi-region failover capability
Automated health checks and failover triggering
Regular disaster recovery drills (quarterly)
Documented runbooks for manual recovery

Employee Security Practices

Background Checks: Conducted for all employees with system access
Data Protection Training: Annual mandatory training on data handling and security
NDAs and Confidentiality: All employees sign confidentiality agreements
Code Reviews: Security-focused peer reviews on all code changes
Access Management: Just-in-time access provisioning with automatic revocation

Compliance & Certification Status

npass.io is currently in an early-access phase. We are transparent about what is legally in place today and what independent certifications are on our roadmap. We will never imply a certification we do not hold.

Legal compliance — in place today

Framework	Status	Basis
GDPR (EU 2016/679)	Compliant	Privacy-by-design, Art. 13/14 notices, Art. 28 DPA available, Art. 30 processing records, TOMs documented. EU data residency.
NIS2 Directive (EU 2022/2555)	Aligned	Technical and organizational measures aligned with Art. 21 risk management requirements. Incident response procedures documented.
TDDDG / DDG §5 (Germany)	Compliant	Impressum, cookie consent, and telemedia/digital services requirements met in full.

Independent certifications — roadmap

Certification / Attestation	Status	Target
ISO/IEC 27001	In progress — ISMS implementation under way; scope includes Berlin operations and Seoul R&D under a single ISMS.	Stage 2 audit: Q2 2027
BSI C5 Type 2 (ISAE 3000)	Planned — prioritized based on public-sector and regulated customer demand.	2027 – 2028
SOC 2 Type II (AICPA)	Planned — targeted for customers with North American or global procurement requirements.	2027 – 2028

Early-access commitment. Customers onboarded during the early-access phase receive our current TOMs documentation, DPA, and a binding written commitment to the above certification timeline. We will notify customers promptly of any change to the roadmap.

Sub-Processors

npass.io uses the following third-party service providers (sub-processors) to deliver and operate the service:

Sub-processor	Purpose	Location	Agreement Type
Amazon Web Services (AWS)	Infrastructure hosting, compute, storage, databases, networking	Frankfurt, Germany (eu-central-1)	Data Processing Addendum (DPA)
Merchant of Record Partner (TBD)	Merchant of Record — payment processing, billing, tax, subscription management	To be confirmed upon provider selection	Standard Contractual Clauses (SCC)
Google Cloud (optional)	Identity Provider federation relay (enabled only if configured by customer)	European Union	Standard Contractual Clauses (SCC)

Sub-Processor Data Handling

AWS: Processes all application data, encrypted at rest and in transit
Merchant of Record Partner: Processes payment and billing data only; does not access npass.io user data
Google Cloud: Relays authentication tokens only; does not store data

Sub-Processor Change Notifications

Netcube, Inc. commits to notifying customers of any changes to sub-processors at least 30 days in advance. Customers have the right to object to new sub-processors on data protection grounds. To subscribe to sub-processor change notifications:

Email security@netcube.com with the subject "Sub-Processor Notification Subscription"

Security Updates and Patches

Vulnerability Scanning: Continuous scanning using industry tools
Patching: Critical patches applied within 24 hours; others within 7 days
Dependency Management: Regular updates to third-party libraries and dependencies
Zero-Day Response: Dedicated team for responding to zero-day vulnerabilities

Penetration Testing

npass.io undergoes regular security testing:

Annual third-party penetration testing
Quarterly vulnerability assessments
Continuous automated security scanning
Bug bounty program for responsible disclosure

Security Contact

For security concerns, vulnerabilities, or incident reporting:

Email: security@netcube.com
PGP Key: Available upon request
Response Time: Critical vulnerabilities: 4 hours; High: 24 hours; Others: 5 business days

Responsible Disclosure: We appreciate security researchers who responsibly disclose vulnerabilities. Please do not publicly disclose security issues before we have had reasonable time to address them. We are committed to working with researchers to understand and fix any issues.

Additional Resources

Data Processing Agreement - Detailed data handling obligations
Privacy Policy - How we collect and use personal data
Terms of Service - General service terms