Security Overview
NTWIST runs a security program built around three principles: customer-owned data, least-privilege access, and continuous evidence.
Customer-owned data
Customer process data, operating models, and recipes belong to the customer. By default, no data leaves the customer environment. NTWIST products are deployed on customer infrastructure for this reason. Optional outbound integrations exist (benchmarking, managed analytics) and require explicit customer opt-in.
Least-privilege access
Access to customer environments by NTWIST personnel is gated through a zero-trust access channel that requires multi-factor authentication and produces a full audit trail. Internal NTWIST systems are segregated by function and access is granted on a need-to-know basis.
Continuous evidence
NTWIST's security posture is maintained as live evidence, not as a one-time attestation. Controls, tests, and policies are tracked in our compliance platform (Vanta), and significant changes are reviewed quarterly. Compliance posture, current frameworks, and active audits are summarized below.
Compliance posture
| Framework | Status |
|---|---|
| SOC 2 Type I | Active audit (2026) |
| SOC 2 Type II | Roadmapped after Type I issuance |
| ISO 27001 | Roadmapped, target date communicated to customers under NDA |
For the current compliance status and audit timeline, contact your customer success lead.
Policies
NTWIST maintains the following written policies, available to customers under NDA:
- Information Security Policy
- Acceptable Use Policy
- Access Control Policy
- Change Management Policy
- Incident Response Policy
- Disaster Recovery and Business Continuity Policy
- Vendor Management Policy
- Risk Management Policy
- Data Classification Policy
- Removable Media Policy
- Internal Communications Policy
- Vulnerability Management Policy
Each policy is reviewed at least annually and is version-controlled.
Personnel security
- All NTWIST employees and contractors undergo background verification before access to customer systems is provisioned.
- Annual security awareness training is mandatory; new employees complete it within 30 days of joining.
- Departing personnel are deprovisioned across customer-facing systems on the same business day as separation.
Third-party assessments
NTWIST engages independent third parties for periodic penetration testing, vulnerability scanning, and audit assessment. Test scope and results are available to customers under NDA.
Reporting a vulnerability
If you believe you have identified a vulnerability in an NTWIST product, please reach out via the Contact page. We acknowledge security reports within one business day and provide a triage update within five business days.