View Categories

Netgraph Data Processing & Privacy Annex

Version: 1.3
Applies to: Netgraph Connectivity Platform (All modules)

Effective Date: 2026-03-23

INTRODUCTION #

This Data Processing & Privacy Annex (“Annex”) forms an integral part of the Data Processing Agreement (“DPA”) entered into between Netgraph Sverige AB (“Netgraph”) and the contracting party (“Customer”).

This Annex describes:

  • the nature and purpose of processing of personal data
  • the categories of personal data and data subjects
  • the technical and organizational measures implemented by Netgraph
  • the use of sub-processors

For the purpose of this Annex:

  • The Customer acts as Data Controller, or as Data Processor on behalf of its end customers.
  • Netgraph acts as:
    • a Data Processor where Netgraph provides services directly to the Customer, or
    • a Sub-processor where the Customer acts as a Data Processor towards its end customers.

Processing is carried out in connection with the Netgraph Connectivity Platform, including but not limited to Sign In, EntryPoint, EasyPSK, and Endpoint Manager.

For ease of reference, certain Annexes are also internally referred to as Appendices.

  #

1. ANNEX I – DESCRIPTION OF PROCESSING #

A. List of Parties #

Data Exporter (Controller)

The Customer (as defined in the Agreement), acting as Data Controller.

Data Importer (Processor)

Netgraph Sverige AB
Org. No: 5569514622
Biblioteksgatan 6A
831 30 Östersund
Sweden

Email: dpo@netgraph.se

Role: Data Processor

B. Description of Processing #

1. Categories of Data Subjects #

  • Customer administrators
  • End users (guests, employees, residents, visitors)
  • Device users
  • Self-service portal users

2. Categories of Personal Data #

Administrator Data #
  • Name
  • Email address
  • Username
  • Authentication credentials (password or SSO identity)
End User Data #
  • Name (optional)
  • Email address (optional)
  • Phone number (optional)
  • Company / organization (optional)
Device & Network Data #
  • MAC address
  • IP address
  • Device identifiers
  • Authentication method
  • VLAN / network assignment
  • Session metadata (timestamps, activity logs)
Security & Access Data #
  • Authentication logs
  • Audit logs
  • Policy assignments
  • Access control attributes

3. Special Categories of Data #

The service is not intended to process special categories of personal data under Article 9 GDPR.
Any such processing remains the sole responsibility of the Customer.

4. Nature of Processing #

  • Collection
  • Registration
  • Organization
  • Storage
  • Retrieval
  • Use
  • Disclosure (to authorized systems only)
  • Erasure

5. Purpose of Processing #

  • Provide secure network access (WiFi / NAC)
  • Authenticate users and devices
  • Enforce access control policies
  • Enable onboarding (guest, BYOD, IoT)
  • Maintain audit logs and traceability
  • Provide support and troubleshooting

6. Duration of Processing #

Processing takes place:

  • During the duration of the Agreement
  • With retention periods configurable by the Customer

Default values:

  • End-user/device data: approx. 1 month
  • Administrator data: contract duration + 6 months

7. Processing Context (Services) #

Processing is performed within:

  • Sign In (Captive Portal & onboarding)
  • EntryPoint (RADIUSaaS)
  • EasyPSK (Private WiFi segmentation)
  • Endpoint Manager (Cisco ISE integration)

C. Competent Supervisory Authority #

The competent supervisory authority shall be:

  • The authority where the Data Exporter is established

For Sweden:
Integritetsskyddsmyndigheten (IMY)

2. ANNEX II – TECHNICAL & ORGANIZATIONAL MEASURES #

2.1 Access Control #

  • Role-Based Access Control (RBAC)
  • Tenant-level logical isolation
  • Least privilege principles
  • Secure authentication (password or SSO)
  • Administrative access restricted and logged

2.2 Encryption #

  • Data at rest: AES-256
  • Data in transit: TLS 1.2 or higher

Applies to all personal data processed within the platform.

2.3 Data Separation (Multi-Tenancy) #

  • Logical isolation between tenants
  • No cross-tenant access possible
  • Policy-based segmentation and enforcement

2.4 Logging & Monitoring #

  • Centralized audit logging of:
    • Administrative actions
    • Authentication events
    • Policy changes
  • Full traceability across all modules

2.5 Availability & Resilience #

  • Deployment across multiple Availability Zones
  • Load balancing and automatic failover
  • Microservices-based architecture
  • Horizontal scalability

2.6 Incident Management #

  • Dedicated Data Protection & Privacy function
  • Documented incident response procedures
  • Incident Commander role
  • Notification to customers in accordance with DPA and GDPR

2.7 Data Minimization & Purpose Limitation #

  • Only data necessary for service delivery is processed
  • Optional data fields configurable by the Customer
  • No processing for marketing or unrelated analytics

2.8 Security Governance & Integrations #

  • Secure API integrations (Cisco, Auth0, Microsoft, etc.)
  • Controlled access to integrations
  • Continuous monitoring and system hardening

3. ANNEX IV – DETAILED PROCESSING (Appendix A) #

A.1 Module Overview #

ModuleData CategoriesPurpose
Sign InEnd-user identifiers, device dataAuthentication, onboarding
EntryPointDevice identifiers, RADIUS attributesNetwork access control
EasyPSKUser + device dataPrivate WiFi segmentation
Endpoint ManagerDevice + policy dataIoT & Cisco ISE integration

A.2 Sign In – Authentication Methods & Data #

MethodPersonal Data CollectedOptional FieldsPurpose
Meeting HostHost email, end user name, company, MAC, IP, statsIdentify host, authenticate guest
ConferenceEmail, phone, name, MAC, IPEmail, Phone, NameGuest authentication
Self-provision (email)Email, MAC, IPEmail validation
Self-provision (SMS)Phone, MAC, IPSMS validation
SAML FederationUsername, MAC, IPFederation login
PasswordMAC, IPLocal authentication
Click-to-connectMAC, IPOpen access tracking
Event AccessMAC, IPTemporary access
WhitelistingMAC, IPAllow-list
Username & PasswordUsername, MAC, IPCredential-based authentication

A.3 EntryPoint (RADIUSaaS) #

ScenarioPersonal DataPurpose 
802.1X (EAP-TLS / PEAP)MAC, username, IPSecure authentication 
MABMAC, IPIoT onboarding 
Static credentialsUsername, MAC, IPManual authentication 
SAML FederationUsername, IPFederation login 

A.4 EasyPSK #

ActionPersonal DataPurpose
PSK AssignmentEmail, MAC, PSK name, WPA2 keyPersonal network provisioning
Device onboardingMAC, IPDevice mapping
Key rotationWPA2 keySecurity maintenance
Static credentialsUsernameManual authentication
SAML FederationUsernameFederation login

A.5 Endpoint Manager (for Cisco ISE) #

FunctionPersonal DataPurpose
Device registrationMAC, emailIoT onboarding
Policy assignmentDevice profile, attributesAccess control
Static credentialsUsernameManual authentication
SAML FederationUsernameFederation login

4. ANNEX III – SUB-PROCESSORS (Appendix B) #

B.1 Sub-Processor Overview #

Sub-ProcessorLegal EntityRegistration No.AddressPurposeData TypeLocation
Amazon Web Services EMEA SARLAWSB18628438 Avenue John F. Kennedy, L-1855 LuxembourgCloud hosting & infrastructurePlatform dataSweden / Germany
Amazon Web Services EMEA SARL (SES)AWS SESB186284Luxembourg (EU infrastructure)Email delivery servicesEmail addressesIreland
ELASTX ABElastx556906-5617Kungsgatan 12, 111 35 Stockholm, SwedenCloud hosting (Swedish option)Platform dataSweden

B.2 Safeguards #

  • Data Processing Agreements are in place with all sub-processors
  • Standard Contractual Clauses (SCCs) are implemented where applicable
  • Data is hosted within the EU by default
  • Sub-processors are contractually bound to equivalent security standards
  • Regular vendor assessments and security reviews are performed

B.3 Sub-Processor Transparency #

A current list of sub-processors is maintained and made available to Customers upon request or via Netgraph documentation.

5. DATA SUBJECT RIGHTS #

  • Data subjects exercise their rights via the Customer (Controller)
  • Netgraph provides assistance upon documented request

Supported rights include:

  • Access
  • Rectification
  • Erasure
  • Restriction of processing
  • Data portability

6. CUSTOMER RESPONSIBILITIES #

The Customer is responsible for:

  • Establishing lawful basis for processing
  • Informing end users of applicable privacy policies
  • Configuring retention policies
  • Managing optional personal data fields
  • Handling data subject requests
Netgraph
Powered by  GDPR Cookie Compliance
Cookie Overview

What are cookies?

Cookies are small text files consisting of letters and numbers. These are sent from Netgraph Sverige AB or our partners' web servers and stored on your device (for example, computer or mobile). They can be stored in two different ways.

Session cookies are temporary cookies that disappear when you close your browser or app.
Persistent cookies are cookies that remain on your computer until you delete them or until they expire.

Different types of cookies

Both our website and others, such as Facebook or Google, may place cookies on your computer when you visit this website. Cookies from the website you are visiting are called first-party cookies and cookies from other websites are called third-party cookies.

Other files, similar to cookies, are web beacons and similar technologies. Web beacons are small transparent graphic images that may be contained in emails we send to you.

Why do we use cookies?

We use cookies to make your visit to our website as enjoyable as possible, and to improve it even more. However, we do not store IP numbers or similar personal data about you.

Functionality cookies improve your experience

We store cookies about the pages you have visited to make your experience on our website as smooth as possible. For example, we can prevent you from seeing a pop-up window more than once.

Analytics cookies help us to make our website better

We use cookies to collect aggregate analytical information about how you use the site, such as statistics on our most popular pages. With the information we get, we can improve our web and our offers.

Deleting cookies

Your browser or device usually allows you to set which cookies can be stored on your computer. For example, you can choose to block all cookies, only accept cookies from the website you are visiting or delete all cookies when you close your browser. Look under Settings.

Questions?

Do you have any questions about how we use cookies? You can always reach Netgraph Sverige AB's data protection officer at info@netgraph.se

This information was updated on August 26, 2024.