// Trust & Security Report

    Neon, Inc. (a Databricks company) logo

    Neon, Inc. (a Databricks company)

    Serverless Postgres database platform (autoscaling compute, instant database branching, read replicas, connection pooling) plus built-in Authentication, a REST Data API, and early-access Compute/Storage/AI Gateway primitives. Acquired by Databricks in 2025; Neon Platform Services now operate under the Databricks Master Cloud Services Agreement.

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type I
    HELD

    We have successfully attained SOC 2 Type 1 and Type 2 compliance.

    Verify on neon.com
    SOC 2 Type II
    HELD

    Neon undergoes annual SOC 2 Type II audits performed by accredited independent third party auditors. ... The SOC 3 report, a public summary of our SOC 2 compliance, is available without an NDA in the Trust Center.

    Verify on neon.com
    SOC 3
    HELD

    The SOC 3 report, a public summary of our SOC 2 compliance, is available without an NDA in the Trust Center.

    Verify on neon.com
    ISO/IEC 27001:2022
    HELD

    Neon undergoes annual ISO/IEC 27001:2022 and ISO/IEC 27701:2019 audits for its security and privacy management systems.

    Verify on neon.com
    ISO/IEC 27701:2019
    HELD

    ISO 27701 extends ISO 27001 to include data privacy requirements.

    Verify on neon.com
    HIPAA
    HELD

    Neon has achieved HIPAA compliance to support customers handling protected health information (PHI). Note: 'Neon offers HIPAA compliance as part of our Scale plan' (tier-gated, not available on all plans).

    Verify on neon.com
    GDPR posture
    HELD

    Neon adheres to GDPR requirements, ensuring the rights and data privacy of our users across the EU. ... To the extent that Neon Inc. receives European Data in the United States, Neon Inc. will comply with [the Data Privacy Framework] ...

    Verify on neon.com
    CCPA/CPRA
    HELD

    Neon complies with CCPA and CPRA, ensuring data privacy and transparency.

    Verify on trust.neon.com
    > Show 4 unconfirmed / not-held certifications
    PCI DSS
    NOT CONFIRMED

    No public evidence of a Neon-held PCI DSS certification. The Neon Platform Services Product Specific Schedule instead prohibits storing cardholder data: 'Customer acknowledges and agrees it shall not include in Customer Content any cardholder data as defined under PCI-DSS.' Underlying cloud hosts (AWS/Azure) hold PCI DSS at the infrastructure level, which is the host's certification, not Neon's.

    source: neon.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 or another dedicated AI-governance certification on Neon's Security page, Trust Center, or compliance docs as of this review.

    source: trust.neon.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration/certification on Neon's Security page or Trust Center as of this review.

    source: trust.neon.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization for Neon. Search results note only that Neon's underlying cloud hosts (AWS, Azure) hold FedRAMP at the infrastructure level; that is the host's authorization, not Neon's.

    source: neon.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Hosted on AWS or Azure depending on project configuration; Neon's security overview does not enumerate specific selectable regions, and cross-border transfers from Europe rely on the EU-U.S./Swiss-U.S./UK Data Privacy Framework per the Neon DPA.

    The Databricks Privacy Notice (neon.com/privacy-policy now redirects to Databricks' privacy notice, reflecting the 2025 acquisition) explicitly excludes customer-uploaded content from its scope: it 'does not apply to (i) the data that our Customers and their Authorized Users upload, submit or otherwise make available to the Platform Services.' Neon's own security/compliance docs and DPA make no statement affirming that customer database content is used to train AI/ML models, and the Neon Platform Services Product Specific Schedule describes Customer Content as stored in multi-tenant systems 'accessible to Customers via only application user interfaces.' No explicit opt-out toggle for AI training was found because no AI-training-on-customer-data claim was found to opt out of. Treat as 'no evidence of training on customer data' rather than a vendor guarantee, and note that Neon's AI Gateway (early access) is a pass-through API to third-party/Databricks models, not a claim about training on Neon-hosted Postgres data.

    // Security controls

    Encryption in transit

    All connections require SSL/TLS; supports Postgres' strictest verify-full SSL mode (validates certificate authority and hostname to prevent MITM).

    neon.com

    Encryption at rest

    Customer data encrypted with AES-256 on NVMe storage volumes; keys managed via AWS KMS and Azure Key Vault with key rotation policies.

    neon.com

    Access control

    Least-privilege access via AWS IAM and Microsoft Entra ID; production access requires manager approval and is performed via Teleport with session recording; infrastructure changes managed through Terraform for auditability.

    neon.com

    Monitoring & vulnerability management

    AWS GuardDuty and Logz.io for anomaly detection and centralized logging (CloudTrail/Azure Monitor); continuous vulnerability scanning via Orca and Oligo with SLA-based remediation.

    neon.com

    Backups

    Stored in S3/Azure Blob Storage with versioning enabled, retained for 30 days.

    neon.com

    Data Processing Agreement

    Standard DPA published and downloadable, referencing SCC/Data Privacy Framework transfer mechanisms; contracting entity is Neon, Inc.

    neon.com

    Subprocessor list

    Published subprocessor list with change-notification subscription available.

    neon.com

    // Products & data scope

    Neon Postgres (core database)Managed database (DBaaS)

    data: Customer application data stored in Postgres instances, multi-tenant storage architecture with autoscaling compute and instant branching.

    Primary product; covered by SOC 2 Type I/II, ISO 27001, ISO 27701, GDPR posture, and CCPA/CPRA per the Trust Center.

    Neon AuthenticationBuilt-in auth (users/sessions stored in Postgres)

    data: End-user identity data (credentials, session tokens) stored directly in the customer's Neon Postgres instance.

    Marketed as 'Managed auth with users and sessions stored in Postgres'; inherits core database security posture.

    HIPAA-eligible tier (Scale plan)Compliance add-on

    data: Protected Health Information (PHI) for customers on the Scale plan and above.

    HIPAA compliance is explicitly plan-gated: 'Neon offers HIPAA compliance as part of our Scale plan,' not available by default on lower tiers. A Business Associate Agreement is required for PHI use cases; verify BAA availability directly with Neon sales before listing a tool as HIPAA-ready if it relies on a lower Neon tier.

    Compute / Storage / AI Gateway (early access)Emerging platform primitives

    data: Function execution near the database (Compute); S3-compatible branchable object storage (Storage); unified routing API to frontier/open-source LLMs (AI Gateway, powered by Databricks).

    Explicitly labeled 'EARLY ACCESS' on the marketing site as of this review; compliance scope for these newer primitives was not separately documented on the Trust Center and should be re-verified before general-availability launch.

    // What to watch

    • Identity-conflation risk: a completely unrelated company, 'Neon Mobile' (a call-recording app), was reported by Malwarebytes as selling recorded call data for AI training. This is NOT Neon, Inc. / Neon Postgres (the Databricks-owned database company assessed here). Do not let this surface in listing copy about Neon Postgres.
    • HIPAA compliance is tier-gated ('as part of our Scale plan') rather than available to all customers by default; listing copy should not imply blanket HIPAA support without noting the plan requirement and BAA process.
    • Since the 2025 Databricks acquisition, Neon's privacy policy URL now redirects to Databricks' corporate privacy notice (databricks.com/legal/privacynotice) and Neon's terms reference the Databricks Master Cloud Services Agreement; Neon, Inc. remains the contracting/DPA entity but overall governance now sits under Databricks. Re-verify this framing if Databricks further consolidates Neon's legal/compliance docs.
    • Could not directly verify PCI DSS, ISO 42001, CSA STAR, or FedRAMP status from a live Trust Center certificate list; graded held=false based on absence of any vendor-domain claim, but recommend a follow-up manual check of trust.neon.com's live certifications tab before high-stakes procurement use.

    // At a glance

    Pricing model

    Usage-based tiers (Free, Launch, Scale, Business/Enterprise) with compliance features (e.g., HIPAA, IP allowlisting) gated to Scale plan and above.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Neon, Inc. (a Databricks company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.neon.com

    > Browse all vendor trust reports