Database encryption: Investigate the encryption in the database. #88

@hansjhaland

Description

NeonDB
Neon encrypts all data at rest using strong, industry-standard encryption. Inactive data stored on NVMe SSD volumes is encrypted with AES-256. Key management is handled via AWS KMS or Azure Key Vault, with policies for key rotation and limited IAM role access. Backups and snapshots are also encrypted by default. All of this means that if someone got physical access to the storage media (disks, SSDs), they would not be able to read the raw data without having the decryption keys, which are tightly controlled and audited.

NeonDB to Azure
For data in transit, Neon enforces encryption using TLS (version 1.2 or 1.3) for all client-to-server (Azure-to-NeonDB for this case) communications. With flags like sslmode=verify-full and channel binding enabled, the client ensures not only that the data is encrypted, but also that the server’s certificate is valid, correctly signed by a trusted CA, and matches the expected host name. When using Neon in Azure (or connecting services running in Azure to a Neon database), Azure’s infrastructure (key vaults, managed networking) can be used to store credentials and secrets securely, while the traffic itself is carried over encrypted TLS channels. Thus data traveling between your application on Azure and the Neon DB remains protected from interception or tampering.

Azure to internet
Any HTTPS connection to Azure is encrypted, and the endpoints are protected with bearer tokens. This makes the endpoints accessible only to authorized users.
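The client-side settings named above (sslmode=verify-full, channel binding, TLS 1.2 or 1.3) are libpq connection parameters, so they can be checked before a service is deployed. The checker below is an added example, not code from this project; it assumes the Neon connection string is a libpq-style postgres:// URI and uses libpq's documented defaults (sslmode=prefer, channel_binding=prefer, ssl_min_protocol_version=TLSv1.2) when a parameter is absent.

```python
from urllib.parse import urlsplit, parse_qsl

# libpq sslmode values ordered from weakest to strongest; only verify-full
# checks both the CA signature and the host name of the server certificate.
SSLMODE_RANK = {"disable": 0, "allow": 1, "prefer": 2,
                "require": 3, "verify-ca": 4, "verify-full": 5}
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}


def parse_dsn(dsn: str) -> dict:
    """Split a postgres:// URI into its host and libpq query parameters."""
    parts = urlsplit(dsn)
    if parts.scheme not in ("postgres", "postgresql"):
        raise ValueError("not a PostgreSQL URI")
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params["host"] = parts.hostname or ""
    return params


def check_dsn(dsn: str) -> list:
    """Return a list of policy findings; an empty list means the DSN is acceptable."""
    p = parse_dsn(dsn)
    findings = []
    sslmode = p.get("sslmode", "prefer")  # libpq default when unset
    if SSLMODE_RANK.get(sslmode, -1) < SSLMODE_RANK["verify-full"]:
        findings.append(f"sslmode={sslmode}: server certificate or host name is not fully verified")
    if p.get("channel_binding", "prefer") != "require":
        findings.append("channel_binding is not 'require': SCRAM channel binding can be downgraded")
    tls_min = p.get("ssl_min_protocol_version", "TLSv1.2")  # libpq default since PostgreSQL 12
    if tls_min not in ALLOWED_TLS:
        findings.append(f"ssl_min_protocol_version={tls_min}: legacy TLS versions allowed")
    return findings


# Constructed sample connection strings (host and credentials are placeholders).
CONSTRUCTED_DSNS = {
    "weak": "postgres://app:secret@db-host.example.com/appdb?sslmode=require",
    "ok": "postgres://app:secret@db-host.example.com/appdb"
          "?sslmode=verify-full&channel_binding=require",
}

if __name__ == "__main__":
    for name, dsn in CONSTRUCTED_DSNS.items():
        print(name, check_dsn(dsn) or "OK")
```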

Metadata

Labels: documentation (Improvements or additions to documentation)
Status: Under Design
Milestone: none