Encryption & Data Protection
NetConverter AI employs enterprise-grade security controls to protect your network configuration data. This document outlines the encryption, access control, and data protection measures built into our platform.
Security Overview
Our security architecture is built on defense-in-depth principles, with multiple layers of protection:
| Layer | Protection | Standard |
|---|---|---|
| Data at Rest | AES-256-GCM encryption | NIST approved |
| Data in Transit | TLS 1.2+ encryption | Industry standard |
| Authentication | JWT-based tokens | OAuth 2.0 compatible |
| Authorization | Role-based access control | Least privilege |
| Tenant Isolation | Logical separation | Complete isolation |
Data Encryption at Rest
All configuration files stored in NetConverter AI are encrypted using industry-standard encryption:
AES-256-GCM Encryption
Files are encrypted using AES-256-GCM (Galois/Counter Mode), a NIST-approved authenticated encryption algorithm that provides both confidentiality and integrity protection.
- 256-bit keys - Maximum strength symmetric encryption
- Authenticated encryption - Ensures data integrity alongside confidentiality
- Unique nonces - Each encryption operation uses a unique initialization vector
Envelope Encryption
We use envelope encryption to manage encryption keys securely:
- Unique keys per organization - Each tenant has dedicated encryption keys
- Key separation - Encryption keys are managed separately from encrypted data
- Key rotation support - Keys can be rotated without re-encrypting all data
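A sketch of how envelope encryption with AES-256-GCM makes key rotation cheap, as an added example and not NetConverter AI's own code. The per-file data key (DEK), the versioned per-tenant keyring, the record layout and the use of `orgId/fileId` as associated data are all assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// AES-256-GCM seal: output is nonce(12) || tag(16) || ciphertext, with a fresh random nonce per call.
function seal(key, plaintext, aad) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Inverse of seal; final() throws if the key, AAD, tag or ciphertext do not match.
function unseal(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Assumption: associated data binds every blob to its tenant and file, so a record
// copied under another organization's identifier fails authentication.
const aadFor = (rec) => Buffer.from(`${rec.orgId}/${rec.fileId}`);

// A random per-file DEK encrypts the data; the tenant's key-encryption key (KEK) wraps the DEK.
// keyring is a hypothetical map of KEK version -> 32-byte key, held apart from the records.
function encryptFile(keyring, kekVersion, orgId, fileId, plaintext) {
  const rec = { orgId, fileId, kekVersion };
  const dek = nodeCrypto.randomBytes(32);
  rec.wrappedDek = seal(keyring[kekVersion], dek, aadFor(rec));
  rec.body = seal(dek, plaintext, aadFor(rec));
  return rec;
}

function decryptFile(keyring, rec) {
  const dek = unseal(keyring[rec.kekVersion], rec.wrappedDek, aadFor(rec));
  return unseal(dek, rec.body, aadFor(rec));
}

// Rotation re-wraps only the small DEK under the new KEK; the encrypted body is not touched.
function rotateKek(keyring, rec, newVersion) {
  const dek = unseal(keyring[rec.kekVersion], rec.wrappedDek, aadFor(rec));
  return { ...rec, kekVersion: newVersion, wrappedDek: seal(keyring[newVersion], dek, aadFor(rec)) };
}
```

After rotation the old KEK version can be retired once no record references it; the file bodies stay byte-for-byte identical.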
Transport Security
All data transmitted to and from NetConverter AI is protected in transit:
- TLS 1.2+ - All connections use modern TLS protocols
- HSTS enabled - HTTP Strict Transport Security is enforced
- Modern cipher suites - Only strong, modern cryptographic algorithms are accepted
- Certificate validation - All connections verify server certificates
Tenant Isolation
Organizations using NetConverter AI are completely isolated from each other:
Database Isolation
All data is tagged with organization identifiers and filtered at the database level. Row-Level Security (RLS) policies ensure queries only return data belonging to your organization.
Storage Isolation
Configuration files are stored in organization-specific directories with separate encryption keys. No cross-tenant file access is possible.
Complete Separation
When an account is closed, all associated data is permanently deleted using cascade deletion, ensuring no residual data remains.
Access Control
NetConverter AI implements comprehensive access controls:
| Control | Description |
|---|---|
| JWT Authentication | Secure token-based authentication with automatic expiration |
| Role-Based Access | Users are assigned roles that determine their permissions |
| Session Management | Sessions expire automatically after periods of inactivity |
| Rate Limiting | API rate limits protect against abuse and ensure fair usage |
| Password Security | Passwords are hashed using bcrypt with appropriate work factors |
Database Security
Our database infrastructure includes multiple security layers:
- Row-Level Security (RLS) - Database-level enforcement of tenant isolation
- Encryption at rest - Database storage is encrypted
- Automated backups - Point-in-time recovery is available
- SOC 2 Type II infrastructure - Hosted on compliant cloud infrastructure
Secure File Handling
Configuration files undergo secure processing throughout their lifecycle:
Upload Validation
All uploaded files are validated and sanitized. File paths are sanitized to prevent directory traversal attacks. File types and sizes are verified before processing.
Integrity Verification
SHA-256 checksums are calculated for all files, ensuring integrity can be verified at any time. Any modification to stored files is detectable.
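The upload checks and checksum verification described above could look like the following, as an added example and not NetConverter AI's own code. The storage root, extension allowlist, size limit and function names are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');
const { posix: p } = require('node:path');

const STORAGE_ROOT = '/srv/storage';                    // hypothetical storage root
const ALLOWED_EXT = new Set(['.cfg', '.conf', '.txt']); // hypothetical type allowlist
const MAX_BYTES = 5 * 1024 * 1024;                      // hypothetical size limit

const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Returns the sanitized destination path and the checksum to store with the file.
function validateUpload(orgId, clientName, data) {
  if (!/^[a-z0-9-]+$/.test(orgId)) throw new Error('bad organization id');
  if (clientName.includes('\0')) throw new Error('NUL byte in file name');
  // Keep only the last path component; backslashes count as separators too.
  const base = p.basename(clientName.replace(/\\/g, '/'));
  if (!base || base === '.' || base === '..') throw new Error('bad file name');
  if (!ALLOWED_EXT.has(p.extname(base).toLowerCase())) throw new Error('file type not allowed');
  if (data.length === 0 || data.length > MAX_BYTES) throw new Error('file size not allowed');
  const orgDir = p.join(STORAGE_ROOT, orgId);
  const dest = p.resolve(orgDir, base);
  // Defence in depth: the resolved path must still sit inside the organization's directory.
  if (!dest.startsWith(orgDir + '/')) throw new Error('path escapes organization directory');
  return { dest, sha256: sha256(data).toString('hex') };
}

// Recompute the digest and compare it with the stored value.
function verifyIntegrity(record, data) {
  return nodeCrypto.timingSafeEqual(sha256(data), Buffer.from(record.sha256, 'hex'));
}
```

A bare checksum detects modification only while the stored digest itself is out of reach of whoever can modify the file, so it should be kept separately from the file it covers.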
Secure Deletion
When files are deleted, they are securely removed from storage. Soft delete mechanisms allow for recovery within a grace period, after which data is permanently removed.
Security Headers
NetConverter AI implements comprehensive HTTP security headers:
| Header | Protection |
|---|---|
| Content-Security-Policy | Prevents XSS attacks by controlling resource loading |
| X-Frame-Options | Prevents clickjacking by blocking iframe embedding |
| X-Content-Type-Options | Prevents MIME-sniffing attacks |
| Strict-Transport-Security | Enforces HTTPS connections |
| X-XSS-Protection | Enables browser XSS filtering |
Compliance & Standards
Our security practices align with industry standards and compliance frameworks:
- NIST guidelines - Encryption algorithms follow NIST recommendations
- OWASP best practices - Application security follows OWASP guidelines
- SOC 2 infrastructure - Hosted on SOC 2 Type II compliant infrastructure
- GDPR considerations - Data handling supports GDPR compliance requirements
Security Best Practices
We recommend the following practices when using NetConverter AI:
- Use strong passwords - Choose unique, complex passwords for your account
- Enable session timeout - Log out when not actively using the platform
- Review access regularly - Periodically review who has access to your organization
- Keep API keys secure - Never share API keys or commit them to version control
- Monitor usage - Review activity logs for unexpected access patterns
Questions?
If you have questions about our security practices or need additional information for your security review, please contact us. We're happy to provide additional documentation or discuss specific security requirements.
Need a Security Assessment?
For enterprise customers requiring detailed security documentation, penetration test results, or compliance certifications, please contact our security team.