Trust Center

Security at NinjaOne

Security is built into the fabric of our products, team, infrastructure, and processes, so you can rest assured that your data is safeguarded.

AI

Control
Status
Ethical Use of AI & Internal Policy

We maintain clear internal policies to ensure the ethical and responsible use of AI within our organization:

  • Employee Guidance: We communicate our "AI in the Workspace" policy to all internal employees.
  • Clarity and Compliance: This policy explicitly outlines which AI tools can and cannot be used, along with best practices to ensure our ethical guidelines are understood and followed across all internal operations.

Managing AI Vendor Security

To ensure our use of AI technology meets stringent security requirements, we have established a formal process:

  • Vendor Assessment Program: We conduct annual assessments of our AI technology vendors, including a comprehensive AI-specific security questionnaire to evaluate their practices and adherence to our standards.

AI/ML for Data Excellence

We utilize AI and ML to dramatically improve the speed and accuracy of software asset management. These technologies are applied primarily for:

  • Data Cleansing and Normalization: Transforming historically cumbersome and inaccurate data harvested from enterprise endpoints into useful information.
  • Software Asset Management: More accurately determining software versions, tracking, and attribution for software deployed across the enterprise.

These AI/ML-driven capabilities are currently being rolled out and are available in various stages, with some features present in version 10 today.

Data Accuracy & Trust

NinjaOne’s commitment to providing accurate and reliable software data is paramount. We leverage Artificial Intelligence (AI) and Machine Learning (ML) specifically to enhance the foundational quality of the data we process, though AI is not a core feature for our end-users.

Product Security

Application Program Interface (API) / Integrations

NinjaOne integrates with a variety of popular applications such as:

  • OKTA
  • Azure AD
  • Accelo
  • Connectwise

See our integrations page for more details.

Role-Based Access Control (RBAC)

NinjaOne’s Endpoint Security product has a robust permissions model that allows administrators to grant and assign appropriate access as needed using Ninja’s user permissions and role-based system.

See our endpoint security product for more details.

SSO

NinjaOne requires Single Sign-On (SSO) with 2FA/MFA internally for all technical, development, and security services and resources, via third-party providers such as OKTA and Azure AD.

Multi-Factor Authentication

Multi-Factor Authentication (MFA) is required for the NinjaOne corporate network and customer environments. NinjaOne uses Okta.

See our SOC 2 page 13 for more information.

Audit Logs

NinjaOne’s Remote Monitoring and Management (RMM) maintains logs, and customers can export portal account activity for various services, including:

  • User logs
  • Event logs
  • Drive encryption status (BitLocker and FileVault)
  • Device serial number
  • Running processes

Information Security

Data Classification

NinjaOne has a formally documented data classification policy that identifies the information required to support the functioning of internal controls, achievement of objectives, and associated protection, access rights, and retention requirements.

See our SOC 2 page 21 for more information.

Data Storage

Data is stored within AWS in the region you choose. NinjaOne processes Customer Data on behalf of the Customer and acts as processor; the Customer acts as controller.

See our DPA for more information or our SOC 2 page 10.

Asset Inventory

A systems inventory is maintained that includes physical devices and systems, virtual devices, and software.

See our SOC 2 page 19 for more information.

Encryption Keys

Each customer has unique encryption keys created and stored by the NinjaOne Platform using Amazon KMS. All controls over such keys are documented in our SOC 2 and attested to annually by our third-party auditor.

See our SOC 2 page 10 for more information.

Data Backups

NinjaOne’s systems are backed up on a regular basis using established schedules and frequencies. Backups are monitored and alerts generated in the event of an exception. Failures are documented, triaged and resolved accordingly. All backups are encrypted.

Backup Frequency: Nightly
Backup Type: Full

See our SOC 2 page 14 for more information.

Access Reviews and Monitoring

Access to NinjaOne’s systems is stringently controlled, and permissions for internal systems and applications are reviewed and approved on a periodic basis to ensure that the principle of least privilege is maintained.

NinjaOne has access policies and procedures in place that are reviewed and approved on an annual basis.

See our SOC 2 page 13 for more information.

Passwords

NinjaOne uses password protection, encryption, and other security measures to help prevent unauthorized access to confidential data. Passwords follow NIST requirements.

Passwords are encrypted using industry-standard cryptographic algorithms and key lengths. All data is stored on secure, non-publicly-accessible servers and media.

See our SOC 2 page 41 for more information.

Data Encrypted In-Transit

NinjaOne encrypts sensitive data in transit with TLS 1.2 or TLS 1.3.

Data Encrypted At-Rest

NinjaOne utilizes several technologies to ensure stored data is encrypted at rest using AES-256 encryption.

Data Protection Officer (DPO)

You can contact the NinjaOne Data Protection Officer by emailing the Privacy Team.

NinjaRemote

Enhanced encryption and secure communication for NinjaRemote backend operations

NinjaRemote boasts a distinct set of security capabilities compared to our other NinjaOne products.

  • Data Transmission (encryption and integrity checks) with OpenSSL 3 library.
  • Hashes: SHA256, SHA512
  • Ciphers: AES-256-GCM, GMAC
  • Key Exchange: x25519
  • Password Key Derivation: PBKDF2

The NinjaRemote backend, utilizing rendezvous points, facilitates network communication between the Streamer and the Player. All interactions between the Streamer and Player are encrypted peer-to-peer, ensuring the NinjaOne backend is isolated from session content, including video, audio, keystrokes, and file transfers.

Network Security

Network Security

NinjaOne’s production environment is hosted by AWS. AWS is responsible for restricting physical access to data center facilities, backup media, and other system components including firewalls, routers, and servers.

See our SOC 2 page 10 for more information.

Organizational Security

Change Management

NinjaOne maintains a change management process within its cybersecurity framework, systematically evaluating and controlling modifications to its IT environment to ensure that updates, configurations, and alterations are implemented securely, minimizing potential risks and maintaining a strong security posture.

See our SOC 2 page 13 for more information.

Asset Management

NinjaOne has tools in place to provide visibility into key assets within our infrastructure.

See our SOC 2 page 92 for more information.

Personnel Screening

NinjaOne has new employee screening and hiring procedures that guide the hiring process and confirm that candidates meet the necessary qualifications outlined in the job description.

See our SOC 2 page 91 for more information.

Employee Security Training

NinjaOne requires that all employees complete security awareness training as part of the new employee onboarding process and on an annual basis thereafter. The training includes quizzes that require a passing score to ensure employee comprehension.

See our SOC 2 page 18 for more information.

Employee Background Checks

NinjaOne employees in the United States must undergo a background check prior to formal employment offers. Upon hire, all employees must read and acknowledge NinjaOne’s:

  • Code of Conduct
  • Acceptable Use Policy
  • Employee Handbook

See our SOC 2 page 17 for more information.

Privacy

Data Processing Agreement

NinjaOne has established a comprehensive Data Processing Agreement (DPA) that outlines the terms and conditions governing the processing of personal data. ninjaone.com/data-processing-agreement

Incident Management & Response

Data Breach Notification

NinjaOne complies with applicable data breach notification laws.

Incident Response Plan (IRP)

NinjaOne maintains a formal Incident Response Plan (IRP) that outlines the response procedures for security events. This plan includes lessons learned to evaluate the effectiveness of the procedures.

See our SOC 2 page 14 for more information.

Business Continuity & Disaster Recovery

Recovery Time Objective (RTO) / Recovery Point Objective (RPO)

On pages 14 and 56 of our SOC 2 documentation, we provide details about our Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).

RTO = 6 hours for interruptions; in case of total loss of the primary data center, 12 hours for basic services and an additional 3 business days for full-service restoration.

RPO = Latest available backup – Daily

Disaster Recovery Plan

NinjaOne has a documented business continuity plan and disaster recovery plan controlled and enforced by a disaster recovery team. This is tested annually.

See our SOC 2 page 14 for more information.

Business Continuity Plan

NinjaOne has a documented business continuity plan and disaster recovery plan controlled and enforced by a disaster recovery team. This is tested annually.

See our SOC 2 page 14 for more information.

Infrastructure

Physical Access Control – Data Center

NinjaOne uses the AWS Cloud Platform infrastructure which provides the tools, scalability, security, reliability, and flexibility, allowing our customers to benefit from this reliable and secure infrastructure.

The AWS Cloud Platform infrastructure is divided into multiple geographical regions with data centers designed for maximum security and availability.

See SOC 2 page 10 for more information.

SOC 3 – Data Center

SOC 3 is a public report of AWS’s internal controls for the AWS Cloud Platform over security, availability, confidentiality, and privacy.

An MNDA is needed for this resource.

SOC 2 Type II – Data Center

AWS Cloud Platform is assessed annually for SOC 2 Type II criteria relevant to Security, Availability, Confidentiality, and Privacy.

An MNDA is needed for this resource.

Threat Management

Antivirus and Malware

NinjaOne has a comprehensive antivirus and malware protection program in place for both employee workstations and servers. NinjaOne utilizes reputable endpoint protection solutions as part of a defense-in-depth strategy, ensuring systems are regularly updated to defend against the latest threats.

Risk Management

NinjaOne has implemented a comprehensive risk management process, systematically identifying, analyzing, and mitigating potential cybersecurity risks to ensure the confidentiality, integrity, and availability of its information systems and assets.

An annual risk assessment is conducted to systematically evaluate potential cybersecurity risks, ensuring that NinjaOne’s information systems and assets are comprehensively analyzed for vulnerabilities and that appropriate mitigation strategies are implemented.

See our SOC 2 page 18 for more information.

Penetration Testing

NinjaOne undergoes an annual vulnerability scan and penetration test conducted by a third-party vendor. NinjaOne’s pen test attestation letter is available to existing, new, and prospective customers once an MNDA is signed.

See SOC 2 page 14 for more information.

Bug Bounty

If you’re a NinjaOne Customer or Potential Customer and believe you have found a security vulnerability pertaining to NinjaOne, please contact [email protected] or submit your security vulnerability here.

Vulnerability Management

NinjaOne maintains a robust vulnerability management system, systematically identifying, assessing, and mitigating potential security vulnerabilities within its IT infrastructure to ensure a resilient and secure operational environment. NinjaOne undergoes an annual vulnerability scan and penetration test conducted by a third-party vendor.

See SOC 2 page 14 for more information.

Third-Party Service Providers / Subprocessors

Third Party Risk Management (TPRM)

NinjaOne has implemented a robust Third-Party Risk Management (TPRM) framework to systematically identify, assess, and mitigate potential risks associated with its external partnerships, ensuring the security and integrity of its operations.

See our SOC 2 page 14 for more information.

Third-Party Service Providers / Subprocessors

NinjaOne may engage and use (i) certain third-party data processors and/or (ii) one of NinjaOne’s affiliates (collectively, “Sub-Processors”) to provide services to our customers. These Sub-Processors may access personal data provided directly by our customer in order to perform the contracted services and support.

See our subprocessors page for more information.