Security professionals handle sensitive information every day: vulnerability details, source code, infrastructure configurations, and proprietary business logic. Neo is built for this reality. Privacy, data protection, and secure execution are foundational to everything we build — and we hold ourselves to the same standards we help our customers achieve.

Data Privacy

Neo never trains on your data. Your prompts, source code, vulnerability findings, and all outputs remain exclusively yours.
These commitments are non-negotiable:
  • No model training. Your data is never used to train, fine-tune, or improve any model. What you share with Neo stays within your workspace and is never fed back into any learning pipeline.
  • Zero data retention at model level. We partner with LLM providers under zero data retention and zero data training agreements. No data is stored or used for training at the model provider level.
  • Data isolation. Each organization’s data is logically isolated with strict tenant boundaries. There is no cross-tenant access or data leakage between customers.
  • Encryption everywhere. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Credentials and secrets stored as environment variables are encrypted with per-organization keys and only decrypted at runtime inside isolated sandboxes.
  • Data residency. By default, data is processed and stored in the United States. For organizations with specific residency requirements, we support custom data residency configurations including EU hosting. Contact our team for details.
  • Retention controls. You can configure custom data retention and auto-deletion policies. Generated artifacts, assessment evidence, and conversation history follow your organization’s data lifecycle requirements.
  • Data processing agreements. DPAs are available for organizations subject to GDPR and other data protection regulations. Our subprocessor list is available on request.

Secure Execution Architecture

Neo’s architecture is designed with defense-in-depth principles at every layer. Every component operates within controlled boundaries, ensuring Neo delivers powerful offensive testing capabilities without introducing risk to your environment.

Isolated Sandbox Execution

All testing and execution happens within isolated sandbox environments:
  • Ephemeral containers. Each assessment runs in a fresh, dedicated container with no access to host systems. Containers are destroyed when the assessment completes.
  • Resource controls. System calls, CPU, memory, and disk usage are constrained per container. No assessment can consume resources beyond its allocation.
  • Target boundaries. Application testing and reconnaissance operate within the targets you define. Neo respects scope constraints and does not test systems outside your designated perimeter.
  • Safe binary analysis. Decompilation and binary analysis run in fully isolated environments with no network access, ensuring potentially malicious code cannot exfiltrate data.

Access Control

Neo implements strict access control following the principle of least privilege:
  • Explicit grants only. Neo only accesses secrets, endpoints, and repositories that are explicitly granted. There are no implicit permissions or default access to any resource.
  • Role-based access control. Team members are assigned roles with scoped permissions. Administrators manage integrations and configurations. Members run assessments and view findings. Custom roles are available for enterprise deployments.
  • Scoped credentials. Environment variables and API keys are injected at runtime and scoped to specific assessments. Credentials are never written to disk, never included in logs, and never exposed in finding evidence or reports.
  • Workflow isolation. Each assessment runs in its own execution context. One workflow cannot access data from another unless explicitly shared through Neo’s memory system.
  • Credential lifecycle. Credentials can be rotated or revoked at any time through the dashboard. Changes take effect immediately for all future assessments.

Compliance

SOC 2 Type II

Independently audited and certified. Report available to customers and prospects under NDA.

Data Privacy Framework

EU-US Data Privacy Framework (DPF) and UK Extension to EU-US DPF compliant.

GDPR

Data processing agreements, subprocessor transparency, data residency options, and retention controls for organizations subject to EU data protection requirements.

Trust Center

Full security documentation, compliance certifications, and policy details available at our Trust Center.

Questions

If you have security or privacy questions, we welcome the conversation. We’re built by security professionals for security professionals, and we’re happy to provide detailed architecture documentation, share our SOC 2 report, or schedule a technical deep-dive with your security and compliance teams. Contact our security team.