Data security

Your network data is sensitive. GridNMS encrypts it in transit and at rest, keeps each customer's data isolated, and gates every request behind authentication and role-based access control.

Encryption in transit

Everything on the wire is encrypted, end to end.

  • TLS everywhere. The web app, APIs, and customer portal are served over HTTPS with modern TLS; self-hosted installs can drop in their own certificate.
  • Outbound-only collectors. Collectors open an authenticated WebSocket tunnel out to the control plane, so there are no inbound ports to expose on your network.
  • Mutual TLS for log ingest. Log shipping uses mTLS — each collector presents a client certificate the platform verifies against its own certificate authority.
  • Encrypted database links. Internal connections to the graph database run over TLS; the control plane talks to its data stores on a private network.

Encryption at rest

Stored data is encrypted at the disk layer, and secrets get a second layer on top.

  • Volume encryption. Database, log, and graph storage live on encrypted volumes backed by a managed key service.
  • Application-layer credential encryption. Device credentials (SNMP communities, SSH and webhook secrets) are encrypted with per-tenant keys before they're written, so they're protected beyond the disk.
  • Secrets are never echoed. Credential and token fields are masked on read and never returned in API responses.

Access control & isolation

The backend is the only trust boundary. Every request is authenticated, authorized, and scoped to your tenant.

  • Hard tenant isolation. Each customer's data lives in its own database schema; queries are bound to the tenant at request time.
  • Role-based access control. Permissions are enforced server-side per resource and action, down to the site level.
  • Modern authentication. Session-based login with passkey (WebAuthn) support; one-time codes use a cryptographically secure generator.
  • Audit trail. Administrative and account actions are recorded for review.

Secure by construction

Security is part of how the product is built, not a bolt-on.

  • Parameterized queries only. Static analysis (SAST) blocks string-built SQL and other injection patterns in CI.
  • Dependency & secret scanning. A software bill of materials is generated and scanned for known vulnerabilities; secret-scanning runs on every change.
  • Least-exposure architecture. Collection runs on your collector inside your network; the platform stores and analyzes, with data stores firewalled to internal access.
  • Self-hosted option. Prefer your data never leaves your walls? Run the same platform on your own infrastructure with Docker.

Questions about security?

Reach us at security@gridnms.io.

Get started