
Data Governance and Compliance

Overview

IronWiFi processes authentication data, session logs, and user credentials as part of delivering cloud RADIUS and captive portal services. This guide explains how IronWiFi handles data governance, what compliance frameworks apply, and how administrators can configure retention policies, audit trails, and privacy controls to meet their regulatory requirements.

Data Classification

Data Types Processed by IronWiFi

| Data Type | Classification | Examples | Retention |
|---|---|---|---|
| Authentication Credentials | Confidential | Usernames, password hashes, certificates | Active while user exists |
| Session Logs | Internal | Auth timestamps, IP addresses, MAC addresses, session duration | Configurable |
| Accounting Data | Internal | Bandwidth usage, data transferred, session counts | Configurable |
| Portal Interactions | Internal | Captive portal logins, social login tokens | Configurable |
| Configuration Data | Internal | Network settings, policies, group definitions | Active while configured |
| Audit Logs | Compliance | Admin actions, configuration changes, access events | Per policy |

Data Flow

Data Retention Policies

Configuring Retention Periods

Adjust how long IronWiFi retains different data types:

  1. Log in to the IronWiFi Console
  2. Navigate to Account > Settings > Data Retention
  3. Configure retention periods for each data type:

| Data Type | Default Retention | Configurable Range |
|---|---|---|
| Authentication Logs | 90 days | 30--365 days |
| Accounting Records | 90 days | 30--365 days |
| Session Data | 90 days | 30--365 days |
| Audit Logs | 1 year | 90 days--2 years |
| User Records | Until deleted | N/A (manual deletion) |

Tip: Set retention periods to the minimum required by your compliance framework. Shorter retention reduces your data exposure in the event of a breach.

Automatic Data Purging

When data exceeds the configured retention period:

  1. Records are marked for deletion in the next purge cycle
  2. Purge runs automatically on a daily schedule
  3. Deleted records are permanently removed and cannot be recovered
  4. A purge event is recorded in the audit log

Warning: Data purging is irreversible. Export any data you need for long-term compliance before it reaches the retention limit.

Manual Data Export Before Purge

To export data before automatic deletion:

  1. Navigate to Logs > Authentication Logs or Accounting
  2. Set the date range for the data you want to preserve
  3. Click Export and choose CSV or JSON format
  4. Store the exported data in your organization's archival system

GDPR Compliance

IronWiFi as a Data Processor

Under the GDPR framework:

  • You (the customer) are the Data Controller -- you determine the purpose and means of data processing
  • IronWiFi is the Data Processor -- IronWiFi processes data on your behalf according to your instructions

A Data Processing Agreement (DPA) is available. Contact IronWiFi support to request a signed copy.

Data Subject Rights

IronWiFi provides tools to fulfill data subject requests:

Right to Access (Article 15)

Export all data associated with a specific user:

  1. Navigate to Users and search for the user
  2. Open the user profile
  3. Click Export User Data
  4. The export includes:
    • User profile information
    • Group memberships
    • Authentication history
    • Session records
    • Accounting data

Right to Erasure (Article 17)

Delete a user and all associated data:

  1. Navigate to Users and search for the user
  2. Open the user profile
  3. Click Delete User
  4. Confirm the deletion

Note: Deleting a user removes their profile, credentials, and group memberships. Authentication and accounting logs associated with the user are anonymized according to your retention settings.

Right to Rectification (Article 16)

Update incorrect user data:

  1. Navigate to Users and search for the user
  2. Open the user profile
  3. Edit the relevant fields (name, email, etc.)
  4. Click Save

Right to Data Portability (Article 20)

Export user data in a machine-readable format:

  1. Use the Export User Data function (JSON format)
  2. Or use the IronWiFi API to programmatically retrieve user data:

For captive portals that collect personal data:

  1. Navigate to Captive Portals > select your portal
  2. Enable Terms of Service with a checkbox for explicit consent
  3. Configure the consent text to describe what data is collected and why
  4. Optionally add a link to your full privacy policy
  5. Authentication is blocked until the user provides consent

Data Processing Records

Maintain records of processing activities as required by Article 30:

  1. Navigate to Account > Audit Log
  2. Export the audit log for the relevant time period
  3. The log documents:
    • What data was accessed or modified
    • Who performed the action (admin user)
    • When the action occurred
    • What changes were made

PCI DSS Considerations

If your WiFi network processes or provides access to cardholder data environments:

Network Segmentation

Use VLAN assignment to isolate PCI-scoped networks:

Assign PCI-scoped users to a dedicated VLAN that meets PCI DSS requirements for network segmentation. See Attributes for configuration details.

Access Control

Implement PCI DSS access control requirements:

  • Unique user IDs -- Each user must have a unique username (never shared accounts)
  • Strong passwords -- Enforce minimum password complexity through group policies
  • Session timeouts -- Configure Session-Timeout to disconnect users after a defined period
  • Access logging -- Enable RADIUS accounting to track all access to the cardholder data environment

Audit Trail Requirements

PCI DSS requires audit trails for all access to cardholder data:

  1. Enable RADIUS accounting on all networks in the PCI scope
  2. Set the accounting interim interval to capture session updates:
     Reply Attribute: Acct-Interim-Interval := 300
  3. Configure retention for audit logs to at least 1 year (with 3 months immediately available)
  4. Export and archive logs according to your PCI DSS requirements

Encryption

Data in Transit

| Connection | Protocol | Encryption |
|---|---|---|
| RADIUS Authentication | RADIUS over UDP | Shared secret encryption for passwords; EAP methods use TLS tunnels |
| RADIUS Accounting | RADIUS over UDP | Message authenticator with shared secret |
| RadSec | RADIUS over TLS | TLS 1.2+ with mutual certificate authentication |
| Console Access | HTTPS | TLS 1.2+ with certificate pinning |
| API Calls | HTTPS | TLS 1.2+ |
| Captive Portal | HTTPS | TLS 1.2+ |

Note: For environments requiring full transport encryption, use RadSec instead of standard RADIUS. RadSec wraps all RADIUS traffic in TLS, providing confidentiality for the entire packet. See RadSec Configuration.
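
The difference between standard RADIUS and RadSec described above, as an added example (not IronWiFi code): RFC 2865 hides only the User-Password attribute with an MD5 keystream derived from the shared secret, so the other attributes of an Access-Request stay readable on the wire. The username, password, MAC address, shared secret and authenticator are constructed sample values.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31  # RFC 2865 attribute types

def _xor_chain(data, secret, authenticator, hiding):
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(d ^ k for d, k in zip(data[i:i + 16], key))
        out += block
        prev = block if hiding else data[i:i + 16]  # always chain on the ciphertext block
    return out

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, XOR with MD5(secret + prev)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    return _xor_chain(padded, secret, authenticator, hiding=True)

def unhide_password(hidden, secret, authenticator):
    """What the RADIUS server does; requires the shared secret."""
    return _xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(user, password, mac, secret, authenticator, ident=1):
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(CALLING_STATION_ID, mac))
    # Header: code 1 (Access-Request), identifier, total length, 16-byte authenticator
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def visible_attributes(packet):
    """Parse the attributes as an observer without the shared secret sees them."""
    attrs, pos = {}, 20
    length = min(struct.unpack("!H", packet[2:4])[0], len(packet))
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs

# Constructed sample values; a real Request Authenticator is random per request.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
PACKET = build_access_request(b"alice", b"correct horse", b"AA-BB-CC-DD-EE-FF",
                              SECRET, AUTHENTICATOR)

if __name__ == "__main__":
    for attr_type, value in visible_attributes(PACKET).items():
        print(attr_type, value)
```

Only attribute 2 prints as opaque bytes; the username and client MAC address appear as sent, which is the data RadSec's TLS layer covers.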

Data at Rest

| Data | Encryption |
|---|---|
| User Passwords | Hashed with bcrypt (salted, not reversible) |
| Shared Secrets | Encrypted with AES-256 |
| Certificates | Encrypted storage with access controls |
| Database | AES-256 encryption at the storage layer |
| Backups | Encrypted with AES-256 before transfer |

Certificate-Based Authentication

For the highest security, use EAP-TLS with client certificates instead of passwords:

  • Certificates cannot be phished or brute-forced
  • Mutual authentication verifies both client and server
  • Revocation provides instant access removal

See Certificate Revocation and Certificate Lifecycle Management for implementation details.

HIPAA Considerations

For healthcare organizations subject to HIPAA:

Technical Safeguards

| Requirement | IronWiFi Implementation |
|---|---|
| Access Control | Unique user authentication with RADIUS |
| Audit Controls | Authentication and accounting logs |
| Integrity Controls | Message authenticator on RADIUS packets |
| Transmission Security | EAP-TLS, RadSec, HTTPS |

Administrative Safeguards

  • Business Associate Agreement (BAA) -- Contact IronWiFi to execute a BAA if IronWiFi will process ePHI-adjacent data
  • Access Management -- Use role-based access control for console administrators
  • Incident Response -- IronWiFi provides breach notification within the timeframes specified in the BAA

See Healthcare WiFi Solutions for architecture guidance specific to medical environments.

SOC 2 Alignment

IronWiFi's security practices align with SOC 2 trust service criteria:

| Criteria | Implementation |
|---|---|
| Security | Encryption in transit and at rest, access controls, vulnerability management |
| Availability | Redundant RADIUS servers, multi-region deployment, 99.9% SLA |
| Processing Integrity | RADIUS protocol standards compliance, accounting accuracy |
| Confidentiality | Tenant isolation, encrypted storage, access logging |
| Privacy | GDPR compliance tools, data retention controls, consent management |

Compliance Reporting

Generating Compliance Reports

Create reports for auditors and compliance reviews:

  1. Navigate to Account > Audit Log
  2. Set the date range for the audit period
  3. Filter by action type if needed (user changes, configuration changes, admin access)
  4. Click Export to download the report

| Activity | Frequency |
|---|---|
| Review admin access and roles | Quarterly |
| Verify data retention settings | Quarterly |
| Export and archive compliance logs | Monthly |
| Test data export for GDPR readiness | Annually |
| Review network segmentation (PCI) | Annually |
| Update Data Processing Agreement | As needed |

Best Practices

Data Minimization

  1. Collect only what you need -- Disable captive portal fields you do not require
  2. Shorten retention -- Set the shortest retention period your compliance allows
  3. Anonymize where possible -- Use MAC authentication without collecting personal data when appropriate
  4. Regular cleanup -- Periodically review and delete inactive user accounts

Access Controls

  1. Least privilege -- Grant the minimum role necessary for each administrator
  2. Individual accounts -- Never share admin credentials
  3. Two-factor authentication -- Enable 2FA for all console administrators
  4. Regular review -- Audit admin access quarterly and remove unused accounts

Incident Preparedness

  1. Know your data -- Understand exactly what data IronWiFi stores for your organization
  2. Test exports -- Regularly test data export procedures so you are ready for data subject requests
  3. Document procedures -- Maintain runbooks for breach response, data subject requests, and audit responses
  4. Contact information -- Keep IronWiFi support contact details accessible for incident coordination
