Neo4j Security Measures Addendum
Last Updated: [DATE]
This Neo4j Security Measures Addendum (“Security Addendum” or “Addendum”) is incorporated into and supplements the agreement between Customer and Neo4j that references this document (the “Agreement”). Capitalized terms used but not defined have the meanings set forth in the Agreement. In the event of any conflict between the Agreement and this Security Addendum, this Addendum shall govern.
Neo4j uses infrastructure-as-a-service cloud providers (“Infrastructure Provider”) for its Cloud Offering as further described in the Agreement and the Documentation.
- GENERAL. Neo4j implements and maintains an information security program designed to protect the confidentiality, integrity, and availability of the Cloud Offering and Customer Data (the “Security Program”). The Security Program provides security controls outlined and evidenced by: (i) Neo4j’s current System Organization Controls 2, Type 2 report for security verified by an independent auditor (“SOC 2 Report”) of the security controls and business continuity plan for the Cloud Offering and (ii) its current ISO 27001 certification (the “ISO 27001 Certification”), or, in each case, such successor industry standards of comparable scope and rigor as determined by Neo4j.
- REPORTS AND CERTIFICATIONS. Neo4j makes available copies of reports and certifications at no charge on its Trust Center, including its SOC 2 Report, ISO 27001 Certification, and HIPAA documentation, all of which are Neo4j’s Confidential Information. Any exceptions identified in any SOC 2 Report (or its successor or alternatives) that are subject to remediation are acceptable.
- ORGANIZATIONAL & ADMINISTRATIVE.
  - Personnel Screening. Neo4j performs background screening on employees at the time of hire, which may include the following, to the extent permitted by applicable law: (a) social security verification; (b) prior employment verification; and (c) criminal history.
  - Personnel Training and Awareness. Neo4j conducts security awareness training and ongoing education for personnel. Training is conducted at the time of hire and annually during employment.
  - Internal Access Management. Neo4j maintains an inventory of Neo4j-issued assets. Neo4j personnel use Neo4j-issued laptops, which are managed through a centrally administered mobile device management system and utilize security controls that include, but are not limited to, (a) disk encryption, (b) anti-malware protection installation and updates, and (c) remote wipe of hard drives that can be performed from a central point. Neo4j personnel are assigned a unique user account which will not be shared. User authentication is required to gain access to production and non-production Neo4j systems. In addition to appropriate user authentication controls, Neo4j also requires secure remote access connections, complex passwords, account lock-out, and two-factor authenticated connections. Access to Neo4j systems and Customer Data is protected by authentication and authorization mechanisms based on job requirements and the principles of least privilege and need-to-know. These access entitlements and privileges are reviewed by management regularly, and at least annually.
  - Vendor and Third-Party Management. Neo4j assesses and manages the security risks posed by third-party vendors and subprocessors who may access or process Customer Data through policies and a vendor risk management program that assesses their privacy and security controls.
- PHYSICAL & ENVIRONMENTAL.
  - Infrastructure Providers. Neo4j requires its Infrastructure Providers to maintain physical and environmental controls applicable to their services and data centers at least in line with SOC 2 Type II or ISO 27001 certification. Neo4j reviews these reports annually to confirm their controls.
  - Subprocessor Obligations. When engaging a Subprocessor under this Addendum, Neo4j shall (a) enter into a contract that imposes data protection obligations no less protective than Neo4j’s obligations under this DPA, and (b) remain liable for the performance of and compliance with each Subprocessor’s obligations in accordance with this DPA.
  - Customer Data Environment. The hosting location of Customer Data is selected by Customer on an Order Form and/or configured by Customer via the Cloud Offering. Neo4j provisions Customer’s account in the chosen location, and this account is logically separated from other customer accounts. Customer accounts are located in a cloud environment that is both logically and physically separate from Neo4j’s corporate offices and networks.
  - Neo4j Offices. Although Customer Data is not hosted at Neo4j’s corporate offices, Neo4j’s controls for its corporate offices include, but are not limited to, (a) physical access controlled at office ingress points; (b) keycard or badge access issued to and required of personnel, with issuance and privileges reviewed regularly; (c) external individuals and visitors required to sign in; and (d) use of security doors, alarm devices, and/or security services outside of business hours, including on-premise security measures (e.g., intruder alert/notification).
- NETWORK, SYSTEM, & APPLICATION.
  - Network Architecture. The Cloud Offering uses network segmentation, detection systems, and secure configurations.
  - Secure Development Lifecycle (SDLC). Neo4j implements an SDLC that is aligned with the OWASP Top 10 and is actively managed by a dedicated application security team. The SDLC is designed to cover all stages of software development, including but not limited to, (a) threat modeling of new features or changes; (b) security review covering functional and non-functional security requirements; (c) code scanning to identify known vulnerabilities; and (d) secure coding guidelines.
  - Penetration Tests. Neo4j Aura is subjected to regular internal and external penetration tests. Neo4j conducts penetration tests and engages external third-party security experts annually.
  - Anti-virus and Malicious Code. Neo4j leverages threat detection tools with regular scans to monitor for and uncover malware, viruses, vulnerabilities, or other harmful or malicious computer code. Upon becoming aware of such vulnerabilities, Neo4j will remediate them, or establish a remediation plan, in accordance with its business policies and the National Vulnerability Database’s (NVD) Common Vulnerability Scoring System (CVSS), under which critical vulnerabilities are addressed within seven (7) days.
  - Configuration and Change Management. Changes to the infrastructure as code and to the service source code all go through the same process, which includes review and approval before being merged into the code base.
- TECHNICAL.
  - Encryption at Rest. To protect data at rest, Neo4j encrypts Customer Data using AES-256 encryption. Customer Data is also encrypted during transmission (e.g., TLS 1.2 or higher).
  - Key Management. Encryption keys used for encryption at rest are created, managed, and stored by the customer’s chosen cloud service provider (CSP) key management service. Customers may also leverage customer-managed encryption keys (CMEK), which give the customer complete control of the key life cycle.
  - Data Retention and Disposal. Neo4j provides Customer with functionality for the deletion of Customer Data, as further described in the Documentation. Following the termination or expiration of the Agreement and subject to the applicable provisions, including the Retrieval Right, Neo4j shall promptly delete any remaining Customer Data.
- MONITORING, LOGGING, & INCIDENT MANAGEMENT.
  - Security Monitoring. A dedicated Security Operations Center (“SOC”) team reviews the security monitoring and alerting performed using integrated Security Information and Event Management (SIEM) tooling.
  - Logging. Neo4j collects and maintains logs for systems hosting, processing, and/or storing Customer Data for 12 months. Neo4j’s logs are kept in a secure area to prevent tampering. Customer may access logs in accordance with the Documentation.
- BUSINESS CONTINUITY AND RECOVERY. Neo4j maintains a business continuity policy and plan to ensure the availability and resiliency of the Aura production environment.
  - Data Backup and Recovery. Neo4j automatically creates backups of each database at regular intervals, dependent on the product and tier, in accordance with its Documentation. Customers may configure different intervals using built-in functionality.
  - Recovery Objectives. Neo4j offers the following target recovery objectives: (a) restoration of the Cloud Offering without undue delay, and completion of the restoration using commercially reasonable efforts, following Neo4j’s declaration of a disaster; and (b) maximum Customer Data loss as described in the Documentation.
- SHARED RESPONSIBILITY.
  - Customer is responsible for its election of the Infrastructure Provider. By executing an Order Form or configuring its chosen hosting location, Customer agrees that it has done its own assessment of the technical and organizational security measures (“Infrastructure Security Measures”) of the respective Infrastructure Provider and that Neo4j is not responsible for those Infrastructure Security Measures.
  - Customer is responsible for the security and confidentiality of User credentials and must notify Neo4j of any unauthorized use or distribution of, or access to, its User credentials. Further, Customer must actively manage and protect any customer-managed keys to ensure the confidentiality and integrity of the keys and of the Customer Data encrypted with such keys. Customer is also responsible for implementing any customer-configurable access controls and functionality to ensure the level of security appropriate for its Customer Data.