Neo4j Cloud Security

Run Your Graph-Based Applications in the Cloud Securely

We take security seriously. Our experienced team of security practitioners works across disciplines such as security engineering, security assurance, risk, and compliance to ensure you experience world-class security features and your data is protected against all threats – today and in the future.

Information Security Program

Neo4j maintains an information security program with a comprehensive set of organizational and technical measures, based on industry-accepted security and compliance frameworks, that ensures the safety of customer data stored in Neo4j Aura.

Certification and Compliance

As an ISO 27001 certified organization, Neo4j is committed to security and compliance with industry and internationally accepted frameworks. Neo4j is currently in the process of achieving SOC-2 Type 1 compliance.

Data Privacy

Neo4j takes the privacy of users' personal data seriously and complies with data protection laws and regulations, such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), throughout our services.

Our privacy policy can be found at https://neo4j.com/privacy-policy/ and our Data Protection Officer (DPO) can be reached at dponeo4j@neo4j.com.

Shared Responsibility

Cloud security requires all parties to participate in the security process. Neo4j leverages reputable third-party cloud service providers to provide trusted commodity infrastructure and services. From there, Neo4j develops and implements the Aura Service on this trusted infrastructure using secure practices for development and deployment. The customer is then responsible for the security of accounts, data and access management of their Aura instance.

Trusted Infrastructure

Neo4j Aura runs on Google Cloud Platform (GCP) and Amazon Web Services (AWS). GCP and AWS’ global-scale infrastructure and defense-in-depth security model of physical, logical and technical controls provide a trusted platform for Neo4j Aura and your critical data. GCP and AWS further maintain a variety of certifications, including SOC-2 and ISO 27001, to name a few.

For a comprehensive list of all GCP’s compliance offerings please go to: https://cloud.google.com/security/compliance

For a comprehensive list of all AWS’ compliance offerings please go to: https://aws.amazon.com/compliance/programs/

VPC Isolation [1]

Your Neo4j Aura database clusters and service components are deployed in a separate Virtual Private Cloud (VPC) with dedicated cloud infrastructure. Access can be restricted to an IP access list.

Encryption Everywhere

Your data is encrypted in flight and at rest. All network traffic, even within the service infrastructure, is encrypted using the latest Transport Layer Security (TLS) and associated cipher suites.

Data stored in the Aura service, including backup snapshots, is encrypted at rest using the Advanced Encryption Standard (AES) and key management that is provided by GCP or AWS as appropriate.

Role- and Schema-Based Granular Access Control [1]

Neo4j Aura supports multiple users and granular access controls with a role-based access control framework.

Additionally, within the graph itself, Neo4j enforces a schema-based security model that allows data managers to fine-tune least-privilege access for users to specific parts of the graph to prevent data spills and other unauthorized access.

Vulnerability Management

Neo4j supports responsible disclosure when it comes to security vulnerabilities and encourages Neo4j users and independent security researchers to contact us privately to report security vulnerabilities and issues related to our products and hosted services.

To get in contact with our security team or to report an issue please go to: https://neo4j.com/security/

Vendor Management

Neo4j has implemented a vendor management program where our security team regularly reviews the security and compliance posture of our vendors and processors for the protection of customer data and/or personal information.

Manageability and Traceability

Neo4j captures and analyzes the audit and security logs from all components of its Aura Service. These logs are monitored in real time for security vulnerabilities on an ongoing basis and are archived for later review and analysis as needed.

Resilient and Reliable

Aura is built on a self-monitoring and self-healing architecture. With its fault-tolerant design, Aura guarantees service availability of 99.95% [2], and automatically and instantly heals from component or infrastructure failures. Additionally, Neo4j Aura leverages a multi-availability zone (AZ) infrastructure, automated encrypted backups, zero-downtime system upgrades and durable storage with multi-level data protection to ensure that your information is protected and available when you need it.

To check the current status of the Neo4j Aura Service please go to: https://neo4jaura.statuspage.io/

[1] Applies to Aura Enterprise Tier of Service
[2] 99.95% Availability Guarantee applies to the Aura Enterprise Tier of Service