Security & Compliance

Last updated: April 9, 2026

Enterprise-Grade Security: npass.io implements industry-leading security practices to protect your network access control infrastructure and sensitive data.

Infrastructure Overview

npass.io is hosted on Amazon Web Services (AWS) in the Frankfurt region (eu-central-1), ensuring data residency within the European Union. Our infrastructure is designed for high availability, scalability, and security.

Region: Frankfurt, Germany (eu-central-1)
Availability: Multi-zone deployment with automatic failover
Uptime Target: 99.9% monthly availability

Encryption

Encryption at Rest

All data stored in npass.io is encrypted at rest using industry-standard encryption:

Algorithm: AES-256 (Advanced Encryption Standard with 256-bit keys)
Database Encryption: AWS RDS encryption with customer-managed keys
File Storage: AWS S3 with server-side encryption
Backup Encryption: All backups encrypted with AES-256

Encryption in Transit

All data transmitted to and from npass.io is encrypted in transit:

Protocol: TLS 1.3 (minimum)
Certificate: SHA-256 signed by trusted Certificate Authority
API Communications: All API calls use TLS 1.3
HSTS: HTTP Strict Transport Security enabled

Network Security

Firewall and DDoS Protection

AWS WAF (Web Application Firewall) for detecting and blocking malicious traffic
AWS Shield DDoS protection (Standard and Advanced)
Network ACLs and security groups limiting traffic to necessary ports
VPC isolation for application and database layers

Intrusion Detection

Continuous monitoring for suspicious network activity
Automated alerts for anomalous traffic patterns
Rate limiting and brute-force protection
Geographic IP blocking for high-risk regions (configurable)

Access Control and Authentication

User Authentication

Password Requirements: Minimum 12 characters with complexity rules
Password Hashing: bcrypt with salt
Session Management: Secure, HTTPOnly session cookies with short expiration
Multi-Factor Authentication (MFA): TOTP and hardware security keys supported

Authorization

Role-Based Access Control (RBAC): Administrators, Operators, and Viewers
Least Privilege: Users assigned minimum required permissions
API Keys: Personal and Organization API keys with granular scopes
Token Rotation: Automatic API token rotation available

Administrative Access

SSH access to infrastructure restricted to authorized personnel only
All administrative actions logged and audited
Password-protected access to management consoles
Principle of least privilege applied to all administrator accounts

Data Isolation

Each customer's data is logically isolated using a per-tenant architecture:

Database Isolation: Row-level security policies enforce tenant isolation
Application-Level Isolation: Middleware enforces tenant context throughout request lifecycle
Storage Isolation: Separate S3 prefixes for each tenant
API Isolation: All API calls validated for proper tenant context

Incident Response

Incident Detection

24/7 automated monitoring and alerting
Log analysis and pattern detection
User behavior analytics for anomaly detection
Security vulnerability scanning

Incident Response Process

Detection: Automated systems or personnel identify security incident
Containment: Immediate isolation of affected systems
Investigation: Forensic analysis to determine scope and impact
Notification: Affected customers notified within 72 hours (per GDPR)
Remediation: Technical fixes and preventive measures implemented
Post-Incident Review: Analysis to prevent future incidents

Data Breach Notification

In the event of a confirmed data breach affecting personal data, we will notify affected data subjects and relevant supervisory authorities without undue delay and no later than 72 hours after becoming aware. Notifications will include:

Nature of the breach
Categories and approximate number of affected records
Likely consequences
Measures taken to mitigate risk
Contact point for more information

Business Continuity and Disaster Recovery

Backup and Recovery

Backup Frequency: Continuous replication plus daily snapshots
Retention: 90-day backup retention
Geographic Redundancy: Backups stored in multiple AWS regions
Recovery Time Objective (RTO): < 1 hour
Recovery Point Objective (RPO): < 15 minutes

Disaster Recovery

Multi-region failover capability
Automated health checks and failover triggering
Regular disaster recovery drills (quarterly)
Documented runbooks for manual recovery

Employee Security Practices

Background Checks: Conducted for all employees with system access
Data Protection Training: Annual mandatory training on data handling and security
NDAs and Confidentiality: All employees sign confidentiality agreements
Code Reviews: Security-focused peer reviews on all code changes
Access Management: Just-in-time access provisioning with automatic revocation

Compliance Certifications

npass.io is committed to meeting and exceeding industry compliance standards:

Certification	Status	Scope
ISO 27001	Ready / In Progress	Information Security Management System
SOC 2 Type II	In Progress	Security, Availability, Processing Integrity, Confidentiality
NIS2 (Network and Information Security)	Aligned	Implements requirements of EU NIS2 Directive
BSI C5 (Cloud Computing Compliance)	Aligned	German Federal Office for Information Security catalog
GDPR Compliance	Compliant	Data Protection and Privacy

Sub-Processors

npass.io uses the following third-party service providers (sub-processors) to deliver and operate the service:

Sub-processor	Purpose	Location	Agreement Type
Amazon Web Services (AWS)	Infrastructure hosting, compute, storage, databases, networking	Frankfurt, Germany (eu-central-1)	Data Processing Addendum (DPA)
Paddle	Payment processing, billing, subscription management, Merchant of Record	London, UK / Amsterdam, Netherlands	Standard Contractual Clauses (SCC)
Google Cloud (optional)	Identity Provider federation relay (enabled only if configured by customer)	European Union	Standard Contractual Clauses (SCC)

Sub-Processor Data Handling

AWS: Processes all application data, encrypted at rest and in transit
Paddle: Processes payment and billing data only; does not access npass.io user data
Google Cloud: Relays authentication tokens only; does not store data

Sub-Processor Change Notifications

NETCUBE Inc. commits to notifying customers of any changes to sub-processors at least 30 days in advance. Customers have the right to object to new sub-processors on data protection grounds. To subscribe to sub-processor change notifications:

Email security@netcube.com with the subject "Sub-Processor Notification Subscription"

Security Updates and Patches

Vulnerability Scanning: Continuous scanning using industry tools
Patching: Critical patches applied within 24 hours; others within 7 days
Dependency Management: Regular updates to third-party libraries and dependencies
Zero-Day Response: Dedicated team for responding to zero-day vulnerabilities

Penetration Testing

npass.io undergoes regular security testing:

Annual third-party penetration testing
Quarterly vulnerability assessments
Continuous automated security scanning
Bug bounty program for responsible disclosure

Security Contact

For security concerns, vulnerabilities, or incident reporting:

Email: security@netcube.com
PGP Key: Available upon request
Response Time: Critical vulnerabilities: 4 hours; High: 24 hours; Others: 5 business days

Responsible Disclosure: We appreciate security researchers who responsibly disclose vulnerabilities. Please do not publicly disclose security issues before we have had reasonable time to address them. We are committed to working with researchers to understand and fix any issues.

Additional Resources

Data Processing Agreement - Detailed data handling obligations
Privacy Policy - How we collect and use personal data
Terms of Service - General service terms