Data security
Your network data is sensitive. GridNMS encrypts it in transit and at rest, keeps each customer's data isolated, and gates every request behind authentication and role-based access control.
Encryption in transit
Everything on the wire is encrypted, end to end.
- TLS everywhere. The web app, APIs, and customer portal are served over HTTPS with modern TLS; self-hosted installs can drop in their own certificate.
- Outbound-only collectors. Collectors open an authenticated WebSocket tunnel out to the control plane, so there are no inbound ports to expose on your network.
- Mutual TLS for log ingest. Log shipping uses mTLS — each collector presents a client certificate the platform verifies against its own certificate authority.
- Encrypted database links. Internal connections to the graph database run over TLS; the control plane talks to its data stores on a private network.
Encryption at rest
Stored data is encrypted at the disk layer, and secrets get a second layer on top.
- Volume encryption. Database, log, and graph storage live on encrypted volumes backed by a managed key service.
- Application-layer credential encryption. Device credentials (SNMP communities, SSH and webhook secrets) are encrypted with per-tenant keys before they're written, so they're protected beyond the disk.
- Secrets are never echoed. Credential and token fields are masked on read and never returned in API responses.
Access control & isolation
The backend is the only trust boundary. Every request is authenticated, authorized, and scoped to your tenant.
- Hard tenant isolation. Each customer's data lives in its own database schema; queries are bound to the tenant at request time.
- Role-based access control. Permissions are enforced server-side per resource and action, down to the site level.
- Modern authentication. Session-based login with passkey (WebAuthn) support; one-time codes use a cryptographically secure generator.
- Audit trail. Administrative and account actions are recorded for review.
Secure by construction
Security is part of how the product is built, not a bolt-on.
- Parameterized queries only. Static analysis (SAST) blocks string-built SQL and other injection patterns in CI.
- Dependency & secret scanning. A software bill of materials is generated and scanned for known vulnerabilities; secret-scanning runs on every change.
- Least-exposure architecture. Collection runs on your collector inside your network; the platform stores and analyzes, with data stores firewalled to internal access.
- Self-hosted option. Prefer your data never leaves your walls? Run the same platform on your own infrastructure with Docker.
Questions about security?
Reach us at security@gridnms.io.