N2ONE® Solutions — Security Practice Overview

As daily users of our own platform, we know the security and privacy of your data are non-negotiable. N2ONE® operates as a multi-tenant SaaS designed for eCommerce and execution at scale. Our security model combines industry frameworks, cloud-native controls, and disciplined operations to protect customer data while enabling rapid delivery.

Our Information Security Management approach aligns to ISO/IEC 27001 and privacy principles from ISO/IEC 27018. We also design our payment integrations to support PCI DSS-appropriate patterns (e.g., hosted fields / redirect / third-party PSP), minimizing cardholder data exposure in your environment.

  • Continuous monitoring and threat detection across cloud resources.
  • Periodic internal security reviews and risk assessments.
  • Documented risk treatment with owners, due dates, and evidence.
  • Regular updates to policies, controls, and runbooks as risks evolve.
  • Executive oversight of the ISMS and measurable security objectives.
 

Cloud Hosting & Shared Responsibility

Primary hosting is on Microsoft Azure with regional deployment options. Azure provides physical, environmental, and many platform-level security controls; N2ONE manages application, configuration, data protection, and identity. Azure Government can be evaluated on request (may require a separate tenant and agreement).

Learn more at the Microsoft Trust Center: Azure Security Overview.

 

Protecting Customer Data

  • Data scope: Customer data is held only in production data stores; lower environments use masked datasets.
  • Access model: Least-privilege, role-based access with MFA. Break-glass access requires a change record and is fully audited.
  • Support access: Engineers access tenant data only to resolve incidents or support requests, and only with explicit authorization and ticket linkage.
  • Data export: You may request a time-bound export/backup of your data via Support (see “Backups & Recovery”).
 

Authorizing Access

Administrative access is limited to approved personnel with background checks (where permitted by law), MFA, and just-in-time elevation. All console/SSH access is logged, retained, and reviewed. Attachments and object storage are encrypted and served only when the requester’s access is verified.

 

Secure Software Development

  • Threat modeling and privacy review for new features and data flows.
  • Git-based workflow with mandatory peer review and protected branches.
  • Automated dependency and secret scanning; SAST/DAST on critical services.
  • CI/CD with staged rollouts, change approvals, and rollback plans.
  • OWASP Top 10 awareness; periodic third-party penetration testing.
 

Infrastructure & Network Security

  • Segmented VNETs/VPCs, network security groups, and least-open firewall rules.
  • Managed WAF and DDoS protection on public endpoints.
  • Secrets in a dedicated key vault; rotation policies for credentials and keys.
  • Endpoint protection and vulnerability management with defined SLAs based on severity.
  • Time-synced logging (app, infra, auth) to a tamper-resistant store with alerting.
 

Encryption in Transit and at Rest

  • In transit: TLS 1.2+ for all customer-facing endpoints.
  • At rest: Industry-standard encryption for databases, files, and backups (e.g., AES-256).
  • Passwords: Salted, slow-hash algorithms (e.g., bcrypt/Argon2id) with adaptive cost.
  • Key management: Cloud KMS/Key Vault backed keys; restricted operator access and rotation.
 

Backups & Recovery

  • Automated snapshots and point-in-time recovery for primary data stores.
  • Encrypted backups replicated to separate storage; typical retention is 30 days.
  • Documented RPO/RTO targets; restoration tests performed on a regular cadence.
  • Customer exports: Request a backup/export via Support with scope and format options.
 

Identity & SSO (Enterprise)

Enterprise plans support Single Sign-On via SAML 2.0 / OpenID Connect with group/role mapping and optional just-in-time provisioning. Administrative safeguards enforce MFA and session controls for privileged roles.

 

PCI DSS for Payments

N2ONE® Commerce integrates with payment providers using PCI-appropriate methods (e.g., hosted fields or redirect), keeping cardholder data within the PSP environment whenever possible. For deployments that handle card data, we provide a responsibility matrix and required controls; we do not store raw PANs in the N2ONE® platform.

 

SAP ISA-M Integration Maturity

Our data and integration practices follow SAP ISA-M to reduce point-to-point risk and standardize contracts between ERP, commerce, and analytics. BITS (the suite’s data backbone) automates integrations, enforces data contracts and lineage, and orchestrates private AI agents over governed data to build a traceable knowledge base for your business.

 

Monitoring, Logging & Alerting

  • Centralized log aggregation for application, infrastructure, and authentication events.
  • Alerting on suspicious patterns (privilege changes, failed auth spikes, anomalous egress).
  • Access to audit logs upon request, subject to confidentiality obligations.
 

Incident Response

  • Documented incident classification, containment, eradication, and recovery procedures.
  • On-call rotation with escalation to an incident commander and executive stakeholders.
  • Customer notification consistent with contractual and legal obligations.
  • Post-incident reviews with corrective actions and timelines.
 

Personnel Security & Awareness

  • Background checks where permitted; confidentiality and acceptable-use agreements for all staff.
  • Role-based training (engineering, support, operations) with annual refreshers and spot drills.
  • Joiner-Mover-Leaver process with immediate access revocation upon role change or separation.
 

Compliance & Privacy

  • ISO/IEC 27001: ISMS aligned; control coverage and current status are maintained in our Trust Center.
  • ISO/IEC 27018: Privacy principles for processing personal data in public clouds.
  • PCI DSS: Payment flows architected to minimize scope; responsibility matrices provided per deployment.
  • Data protection: We support customer obligations under regulations such as GDPR/CCPA where applicable. A Data Processing Addendum (DPA) is available.

For scope statements, attestations, or questionnaires, visit our Trust Center or contact security@n2one.ai.

 

External Testing & Reviews

We engage independent security firms for application and infrastructure penetration testing at least annually and after material changes. Findings are triaged with target SLAs, tracked to remediation, and reviewed by leadership.

 

Change Log & Contact

This Security Practice summarizes current controls and may evolve as our platform and risks change. For questions, disclosures, or to report a vulnerability, please email security@n2one.ai or open a ticket via Support.

Last updated: September 2025