NetInsightPro is a security product. We hold ourselves to the same bar we expect you to hold us to.
Cybersecurity framework alignment
| Framework | Status / scope |
|---|---|
| NIST CSF 2.0 | Identify, Protect, Detect, Respond, Recover — mapped across our infrastructure. See mapping table below. |
| OWASP ASVS Level 2 | Web + API security controls: HMAC request signing, MFA, strict CSP/HSTS, rate-limited auth. |
| UK GDPR / EU GDPR | Data minimization: client never ships traffic data to us. Accountability: DPA available on request. |
| ISO 27001 (roadmap) | Controls implemented; certification audit planned Q4 2026. |
| SOC 2 Type II (roadmap) | Security + Availability TSCs targeting mid-2027. |
| PCI DSS | Out of scope — all payment data handled by Stripe (PCI DSS Level 1 certified). |
NIST CSF 2.0 mapping
| Function | Our implementation |
|---|---|
| Identify | Asset inventory via cloud-native tooling; privileged access reviews quarterly; data-flow diagram maintained. |
| Protect | Customer-managed encryption keys on all data stores and secrets vault; MFA enforced (advanced security mode); WAF (4 managed rule sets); HMAC-SHA256 request signing; least-privilege access control. |
| Detect | Threat detection (severity ≥4 paged); multi-region audit trail; API access logs; breach-credential detection; alarms on compute errors, database throttles, and WAF blocks. |
| Respond | Documented runbook (rollback, license revocation, data erasure); on-call pager integration; admin audit trail on every write. |
| Recover | Point-in-time recovery on all 32 database tables; object storage versioning + 30-day lifecycle; quarterly DR drill. |
Encryption
- In transit: TLS 1.2+ enforced (TLS 1.3 preferred); HSTS max-age 1 year
- At rest: Customer-managed encryption keys (auto-rotation enabled) for all data stores, secrets vault, and object storage
- JWT signing: RS256 with rotated keypairs held in our secrets vault
- Request integrity: HMAC-SHA256 per-request signature + monotonic counter + nonce for replay protection
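The request-integrity scheme above (HMAC-SHA256 per request, monotonic counter, nonce) in a verifier-side sketch; this is an added illustration, not NetInsightPro's own code, and the canonical-string layout, the hex signature encoding and the nonce window size are assumptions:

```python
import hashlib
import hmac
from collections import deque


def canonical_string(method: str, path: str, counter: int, nonce: str, body: bytes) -> bytes:
    # Assumed layout (the page does not document it): bind method, path, counter,
    # nonce and a body hash so none of them can change without re-signing.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(counter), nonce, body_hash]).encode()


def sign_request(key: bytes, method: str, path: str, counter: int, nonce: str, body: bytes) -> str:
    """Client side: HMAC-SHA256 over the canonical string, hex-encoded (assumed encoding)."""
    return hmac.new(key, canonical_string(method, path, counter, nonce, body), hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server side, one instance per client key: check the signature first, then
    enforce a strictly increasing counter and a bounded set of recently seen nonces."""

    def __init__(self, key: bytes, nonce_window: int = 1000):
        self.key = key
        self.last_counter = 0
        self._nonce_order = deque()   # insertion order, used for eviction
        self._nonces = set()          # fast membership test
        self._nonce_window = nonce_window

    def verify(self, method, path, counter, nonce, body, signature):
        # Authenticate before anything else: unauthenticated input must not touch replay state.
        expected = sign_request(self.key, method, path, counter, nonce, body)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        if counter <= self.last_counter:
            return False, "stale counter"   # replayed or reordered request
        if nonce in self._nonces:
            return False, "nonce reused"
        self.last_counter = counter
        self._nonces.add(nonce)
        self._nonce_order.append(nonce)
        if len(self._nonce_order) > self._nonce_window:
            self._nonces.discard(self._nonce_order.popleft())
        return True, "ok"


if __name__ == "__main__":
    key = b"constructed-shared-secret"   # constructed sample key, not a real credential
    guard = ReplayGuard(key)
    body = b'{"q": 1}'
    sig = sign_request(key, "POST", "/api/v1/query", 1, "nonce-1", body)
    print(guard.verify("POST", "/api/v1/query", 1, "nonce-1", body, sig))  # (True, 'ok')
    print(guard.verify("POST", "/api/v1/query", 1, "nonce-1", body, sig))  # (False, 'stale counter')
```

Signature verification runs before the counter and nonce checks so that a request without a valid key cannot advance or probe the replay state.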
Infrastructure
- Single US region — SOC 2 / ISO 27001 / HIPAA-certified data centre
- Global CDN + WAF (managed rulesets: common exploits, known-bad inputs, IP reputation, rate-limit 2000/IP)
- Managed identity platform (advanced security enforced, MFA optional for end-users)
- Serverless compute + managed API edge (500 rps throttle, detailed metrics)
- Zero-trust architecture: every request to private resources requires JWT + HMAC
Client security
- Release signing: Android APKs are v2-signed with a dedicated release keystore. Windows installer is currently unsigned (EV certificate pending — SmartScreen "unknown publisher" warning on first launch, see Download page). macOS notarisation pending Apple Developer ID.
- Update manifest served over HTTPS, with signed SHA-256 hash verification of each installer before it runs
- On-device data never leaves your machine — our servers have no visibility into your network traffic
Responsible disclosure
If you find a vulnerability, email security@netinsightpro.com (PGP key on request). We aim to:
- Acknowledge within 2 business days
- Provide triage + severity within 5 business days
- Patch critical issues within 14 days
- Credit researchers (opt-in) on a public Hall of Fame
Out-of-scope: DoS/DDoS, social engineering, physical attacks.
Documents on request
- Data Processing Agreement (DPA)
- Sub-processor list
- Penetration-test summary (next test: TBD)
- Insurance certificate (cyber liability)
Email legal@netinsightpro.com.