Security at Netdentity.
How we protect the information, systems and code entrusted to us by our clients — across discovery, build, hosting and support.
Last updated: May 2026
1. Our approach
Security is treated as a delivery discipline, not a separate workstream. Every engagement assumes that the information shared with us — personal data, financial data, intellectual property, production credentials — is sensitive by default. We design, build and operate accordingly.
2. People
- All staff sign comprehensive confidentiality and intellectual-property assignment agreements.
- Background checks are performed for staff who will access client production environments.
- Security and privacy training is delivered on onboarding and refreshed annually.
- Access is granted on a least-privilege, need-to-know basis and reviewed regularly.
3. Data protection
- In transit: All client data is transmitted over TLS 1.2 or higher.
- At rest: Data is stored on infrastructure with full-disk or platform-level encryption (typically AES-256).
- Secrets: Passwords, API keys and tokens are stored in managed secret stores (e.g. Azure Key Vault). Secrets are never stored in source control.
- Backups: Where we manage backups for clients, backups are encrypted, tested for restore, and retained per the agreed retention policy.
4. Infrastructure and code
- We host primarily on Microsoft Azure with regionally-appropriate data residency.
- Production environments are segregated from development and test environments. No production data is used in non-production environments without explicit consent and de-identification.
- Source code is held in private repositories with branch protection, mandatory peer review, and signed commits where supported.
- Automated dependency scanning, static analysis and secret-detection run in CI on every commit.
5. Access controls
- Multi-factor authentication is mandatory for all internal accounts.
- Access to client production environments is logged, time-bound where possible, and approved per engagement.
- Workstations are encrypted, managed and required to be on a current operating-system version.
6. Incident response
We maintain an incident-response procedure that covers detection, containment, eradication, recovery and post-incident review. In the event of an incident affecting client data, we will notify affected clients without undue delay and in line with the relevant Master Services Agreement and applicable law. Where a breach involves personal information, this includes POPIA's section 22 duty to notify the Information Regulator and affected data subjects as soon as reasonably possible after discovery, and, where GDPR applies, Article 33's requirement to notify the supervisory authority within 72 hours of becoming aware of the breach.
7. Third-party security
Where we rely on third-party services to deliver client work (cloud platforms, monitoring, communications) we select providers with credible security postures, formal certifications (e.g. ISO/IEC 27001, SOC 2) and clear data-processing terms. Use of new third parties on client engagements is approved in advance.
8. Compliance
We operate in alignment with:
- The Protection of Personal Information Act, 4 of 2013 (POPIA) of South Africa.
- The EU General Data Protection Regulation (GDPR) where personal data of EU residents is processed.
- Industry best practice such as OWASP for application security and the CIS Controls for general operational security.
9. Reporting a vulnerability
If you believe you have discovered a security vulnerability affecting Netdentity or a system we operate on behalf of a client, please email [email protected] with the subject line "Security report".
We commit to:
- Acknowledging your report within one business day.
- Investigating and keeping you updated on progress.
- Not taking legal action against good-faith researchers who follow responsible disclosure.
10. Contact
For any questions about our security posture, or to request additional detail (under NDA where appropriate) for an active procurement, please contact:
Netdentity (Pty) Ltd
Email: [email protected]
Phone: +27 72 060 2514