Neo4j Security Addendum

Last Updated: March 18, 2025

This Neo4j Security Addendum (“Security Addendum” or “Addendum”) is incorporated into and supplements the agreement between Customer and Neo4j that references this document (the “Agreement”). Capitalized terms used but not defined have the meanings set forth in the Agreement. In the event of any conflict between the Agreement and this Security Addendum, this Addendum shall govern.

Neo4j uses infrastructure-as-a-service cloud providers (“Infrastructure Provider”) for its Cloud Offering as further described in the Agreement and the Documentation.

  1. GENERAL. Neo4j implements and maintains an information security program designed to protect the confidentiality, integrity, and availability of the Cloud Offering and Customer Data (the “Security Program”). The Security Program provides security controls outlined and evidenced by third-party reports and certifications with specific defined scopes and boundaries, including: (i) Neo4j’s current System Organization Controls 2, Type 2 report (“SOC 2 Report”); and (ii) Neo4j’s current ISO 27001 certification (the “ISO Certification”), or, in each case, such successor industry standards of comparable scope and rigor as determined by Neo4j. These certifications are verified by an independent auditor who reviews Neo4j’s security controls and business continuity plan.
  2. REPORTS AND CERTIFICATIONS. Neo4j makes available copies of reports and certifications at no charge on its Trust Center, including its SOC 2 Report, ISO Certification, and HIPAA documentation, all of which are Neo4j’s Confidential Information.
  3. ORGANIZATIONAL & ADMINISTRATIVE SECURITY.
    1. Personnel Screening. Neo4j screens all employees at time of hire which, to the extent permitted by applicable law, may include the following: (a) social security verification; (b) prior employment verification; and (c) criminal history.
    2. Personnel Training and Awareness. Neo4j conducts staff security awareness training and education. Training is conducted at the time of hire and annually during employment.
    3. Internal Access Management. Neo4j personnel use Neo4j-issued laptops. Neo4j maintains an inventory of any Neo4j-issued assets. Such assets are managed through a centrally administered mobile device management system and utilize security controls that include, but are not limited to, (a) disk encryption, (b) a centrally managed and updated anti-malware protection program, and (c) centrally performed remote wipes of hard drives. Neo4j personnel are assigned a unique, individual user account. User authentication is required to gain access to production and non-production Neo4j systems. In addition to appropriate user authentication controls, Neo4j also requires the use of secure remote access connections, complex passwords, enablement of account lock-out, and two-factor authentication. Access to Neo4j systems and Customer Data is protected by authentication and authorization mechanisms based on job requirements and the principles of least privilege and need-to-know. These access entitlements and privileges are regularly reviewed by management, at least annually.
    4. Vendor and Third-Party Management. Neo4j assesses and manages the security risks posed by third-party vendors and subprocessors (“Third Parties”) who may access or process Customer Data through policies and a vendor risk management program. Neo4j will evaluate all Third Parties to ensure that they maintain adequate physical, technical, organizational, and administrative controls, based on the risk tier appropriate to the services they provide. Neo4j will remain responsible for the acts and omissions of Third Parties as they relate to their compliance with the requirements of this Addendum and applicable laws.
    5. Security Contact. If you have security concerns or questions, you may contact Neo4j via normal Support channels or by emailing [email protected].
  4. PHYSICAL & ENVIRONMENTAL SECURITY.
    1. Infrastructure Providers. Neo4j requires all Infrastructure Providers to maintain physical and environmental controls applicable to their services and data centers at least in line with a SOC 2, Type II or ISO 27001 certification. Neo4j reviews these reports annually.
    2. Customer Data Environment. The hosting location of Customer Data is selected by Customer on an Order Form and/or configured by the Customer via the Cloud Offering. Neo4j provisions Customer’s account in their chosen location and this account is logically separated from other customer accounts. Customer accounts are located in the cloud environment that is both logically and physically separate from Neo4j’s corporate offices and networks.
    3. Neo4j Offices. Although Customer Data is not hosted at Neo4j’s corporate offices, Neo4j’s controls for its corporate offices include, but are not limited to, (a) physical access at office ingress points; (b) keycard or badge access requirements for personnel; (c) regular review of issued privileges; (d) required sign-in for external visitors; and (e) use of security doors, alarm devices, and/or security services outside of business hours including implementation of measures for on-premise security (e.g. intruder alert/notification).
  5. NETWORK, SYSTEM, & APPLICATION SECURITY.
    1. Network Architecture. The Cloud Offering uses network segmentation, detection systems, and secure configurations to secure its infrastructure and enforce secure, hardened configurations.
    2. Secure Development Lifecycle (“SDLC”). Neo4j implements an SDLC that is aligned with OWASP Top 10 and is actively managed by a dedicated application security team. The SDLC is designed to cover all stages of software development, including but not limited to, (a) threat modeling of new features or changes; (b) security review to cover functional and non-functional security requirements; (c) code scanning to identify known vulnerabilities; and (d) secure coding guidelines.
    3. Penetration Tests. Neo4j conducts internal and external penetration tests on a regular basis. External scans and penetration tests against production and development environments will be conducted by external, qualified, credentialed, and industry recognized third-party companies engaged by Neo4j.
    4. Anti-virus and Malicious Code. Neo4j leverages threat detection tools with regular scans to monitor and uncover malware, viruses, vulnerabilities, or other harmful, malicious computer code. Upon becoming aware of such vulnerabilities, Neo4j will address or have a plan to remediate these vulnerabilities in accordance with its security policies and the National Vulnerability Database’s Common Vulnerability Scoring System in which critical vulnerabilities are addressed within seven (7) days.
    5. Configuration and Change Management. Changes to the infrastructure as code, and to the service source code, all go through the same change management process that includes review and approval before being merged with the code base.
  6. TECHNICAL SECURITY.
    1. Encryption. To protect data at rest, Neo4j encrypts Customer Data using AES-256 encryption. Customer Data is also encrypted during transmission (e.g., TLS 1.2 or higher).
    2. Key Management. Encryption keys used for encryption at rest are created, managed, and stored by the Customer’s chosen CSP key management service. Customers may also leverage customer managed encryption keys (CMEK), which offer complete control of the key life cycle.
    3. Data Retention and Disposal. Neo4j provides Customer with functionality for the deletion of Customer Data, as further described in the Documentation. Following the termination or expiration of the Agreement and subject to the applicable provisions, including the Retrieval Right, Neo4j shall promptly delete any remaining Customer Data.
  7. MONITORING, LOGGING, & INCIDENT MANAGEMENT.
    1. Security Monitoring. A dedicated Security Operations Center team reviews system security monitoring and alerting using integrated Security Information and Event Management (SIEM) tooling.
    2. Logging. Neo4j collects and maintains logs for systems hosting, processing, and/or storing Customer Data for 12 months. Neo4j’s logs are only accessible to authorized personnel and secured to prevent tampering. Customer may access logs in accordance with the Documentation.
  8. BUSINESS CONTINUITY AND RECOVERY. Neo4j maintains a business continuity policy and a disaster recovery plan to ensure the availability and resiliency of the Aura production environment. Neo4j will test the policy and plan on at least an annual basis.
    1. Data Backup and Recovery. Neo4j may automatically create backups of each database at regular intervals, depending on the product and tier selected by Customer as further described in the Documentation. Customers may configure different intervals with built-in functionality.
    2. Recovery Objectives. Neo4j offers the following target recovery objectives: (a) restoration of the Cloud Offering without undue delay and completion of the restoration using commercially reasonable efforts following Neo4j’s declaration of a disaster; and (b) maximum Customer Data loss as described in the Documentation. Except as otherwise provided in the applicable policy, Neo4j will use commercially reasonable efforts to promptly notify Customer’s account administrator of any failure of critical services or a material business disruption.
  9. SHARED RESPONSIBILITY.
    1. Customer is responsible for its election of the Infrastructure Provider. By executing an Order Form or configuring its chosen hosting location, Customer agrees that it has done its own assessment about the technical and organizational security measures of the respective Infrastructure Provider and that Neo4j is not responsible for such measures.
    2. Customer is responsible for the security and confidentiality of User credentials and must notify Neo4j of any unauthorized use of, distribution, or access to its User credentials. Further, Customer must actively manage and protect any customer managed key to ensure the confidentiality and integrity of the key and the Customer Data encrypted with such key. Customer is further responsible for implementing any customer-configurable access controls and functionality to ensure a level of security appropriate for the Customer Data.
