
Trust Center

At NEOGOV, protecting our customers’ data and ensuring product integrity are top priorities. We are committed to maintaining the highest standards of security and compliance across our solutions. To reinforce this commitment, we partner with leading third-party organizations to certify our products against rigorous industry frameworks. Below, you’ll find an overview of our current certifications, along with FAQs designed to help you evaluate NEOGOV’s approach to security and compliance.

BitSight Security Rating

Similar to a credit rating, the BitSight Security Rating measures an organization's cybersecurity risk and security management effectiveness. BitSight rates organizations on a scale of 250 to 900, with 250 being the lowest measure of security performance and 900 being the highest.

Authorized by


SOC 2 TYPE II


Latest Report Year: 2024

Includes:

  • SOC 2 Type II, all 5 principles
  • NIST 800-53 Moderate Controls
  • HIPAA Security Controls
  • CJIS Controls

Report available under NDA


StateRAMP



Authorized January 2025

StateRAMP Marketplace Listing

Name: NEOGOV Cloud
Package #: SR23002


*StateRAMP is changing its name to GovRAMP in 2025


TX-RAMP



Authorized January 2025

TX-RAMP Marketplace Listing

Name: NEOGOV Cloud
TX #: TX118735


FedRAMP


In Progress
FedRAMP Marketplace Listing

Name: NEOGOV Cloud
Package #: FR2119265538

Frequently Asked Questions

Due to the nature of some NEOGOV products, we process and protect a wide range of sensitive data, including:

  • Personal identification and contact information (name, email, address, phone number)

  • Employment, HR, payroll, and benefits data

  • Performance evaluations, training, certifications, and wellness records

  • Sensitive identifiers such as background checks, biometric data (where applicable), and protected health information (PHI)

This data is collected via our platforms, APIs, and secure file exchanges, and is always encrypted in transit and at rest.

Customer data is stored across a combination of secure cloud and colocation infrastructure within the continental United States:

  • Amazon Web Services (AWS) 

  • Equinix Data Centers

  • Microsoft Azure

These providers offer high availability and strong physical and environmental protections.

All customer data is encrypted using industry best practices:

  • In Transit: Enforced TLS 1.2 or higher

  • At Rest: AES-256 encryption, using FIPS-compliant, NIST-certified modules

NEOGOV uses encryption for emails, API connections, file transfers (SFTP), and database storage. Encryption keys are securely managed and rotated per policy.

NEOGOV performs:

  • Weekly authenticated vulnerability scans across internal and external environments

  • Annual third-party penetration tests using industry-standard methods

  • External security posture monitoring, from the outside in, to identify and reduce the attack surface

  • Cloud security monitoring to keep our cloud infrastructure secure

  • Static and dynamic code scans on all code, including third-party libraries, during development and before release to customers

  • Monthly patching aligned to strict FedRAMP guidelines

  • Bug Bounty Program for researchers to ethically disclose vulnerabilities

All findings are triaged, tracked, and remediated based on severity. Fixes are validated and reviewed via our change control process.

NEOGOV maintains a documented Incident Response Plan (IRP), which includes:

  • 24/7 monitoring through centralized SIEM and alerting tools

  • Defined escalation paths and response timelines

  • Root cause analysis and formal corrective actions

  • Customer notification procedures aligned with privacy laws

Incident logs are retained to FedRAMP standards, and drills are conducted annually.

Customer data is backed up:

  • Near real-time data replication

  • Daily incremental and weekly full backups

  • Stored across multiple geographic regions

  • Backups are encrypted at rest and immutable

  • Backups are tested quarterly

  • Restore procedures are documented and validated regularly. 

Yes. NEOGOV performs annual vendor risk assessments, including:

  • Review of SOC 2 reports or compliance attestations

  • Evaluation of data handling and privacy commitments

  • Signed confidentiality and breach notification clauses

Third-party risks are rated, tracked, and mitigated under a defined risk framework.

All employees undergo:

  • Mandatory security and privacy training upon hire and annually

  • Phishing simulations and awareness campaigns

  • Role-specific training for developers, system admins, and support staff

Training completion is monitored and reviewed as part of performance evaluations.

NEOGOV has a robust Change Management Policy in place. Key practices include:

  • Changes require multiple levels of approvals

  • All changes are tracked via ticketing and source control (PRs)

  • Static code scans, regression testing, and peer review are required

  • Only authorized individuals have access to make changes to production environments.

Yes. NEOGOV supports Single Sign-On from third-party identity providers and protocols including SAML (Okta, AzureAD, PingFederate, Shibboleth, and other SAML 2.0 compliant IdPs).

Only a modern web browser (e.g. Microsoft Edge with Chromium or Chrome) is required to use the platform.

We do offer optional mobile applications in the Google Play and Apple App Stores for on-the-go functionality. Additionally, our Policy Management software has an optional Windows/Mac client for advanced policy management features.  

More Information

Last Revision: April 9, 2025

Trusted By

Over 10,000 government agencies trust us to solve their biggest HR challenges. Read about their experience with our products and our support team by viewing the case studies below.

View case studies

Want more information?

Contact your NEOGOV sales representative with any additional security questions.