Security & Compliance

Security Overview

Solatis is built with security at its core, employing enterprise-grade practices to protect your data and ensure compliance with industry standards.

Data Encryption

Encryption in Transit

TLS 1.3:

  • All data encrypted during transmission
  • Perfect forward secrecy
  • Strong cipher suites only
  • Certificate pinning (mobile apps)
  • HTTPS enforced (no HTTP)

WebSocket Security:

  • WSS (WebSocket Secure) protocol
  • Same encryption as HTTPS
  • Real-time data protected

Encryption at Rest

Database:

  • AES-256 encryption
  • Encrypted backups
  • Encrypted point-in-time recovery
  • Key rotation policies

File Storage:

  • Server-side encryption (SSE)
  • AES-256 encryption
  • Encrypted at rest in AWS S3
  • Secure key management (AWS KMS)

Credentials:

  • Encrypted API keys
  • Hashed passwords (bcrypt)
  • Encrypted OAuth tokens
  • Secure secret storage

Access Control

Authentication

Multi-Factor Authentication:

  • TOTP-based (Time-based One-Time Password)
  • Authenticator app support
  • SMS backup (optional; weaker than TOTP, since SMS codes can be intercepted through SIM swapping)
  • Backup recovery codes
  • Required for Enterprise

Password Requirements:

Minimum: 8 characters
Required:
- Uppercase letter (A-Z)
- Lowercase letter (a-z)
- Number (0-9)
- Special character (!@#$%^&*)

Strength: Enforced with zxcvbn
Expiration: Optional (Enterprise)
History: Last 5 passwords remembered

Session Management:

  • Short-lived access tokens (1 hour)
  • Secure refresh tokens (30 days)
  • Automatic token rotation
  • Session revocation capability
  • Device tracking
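The rotation and revocation behaviour listed above, written out as an added example in Postgres (this is not Solatis's own code; the table, the function names and the 30-day refresh lifetime taken from the page are assumptions). Only SHA-256 digests of tokens are stored, so a copy of the table yields no usable token, and a refresh token that is presented a second time revokes its whole family rather than being silently rejected. It needs the pgcrypto extension.

```sql
-- Added example, not Solatis's own code: refresh-token rotation with reuse
-- detection and whole-session revocation as Postgres functions. Schema and
-- names are assumptions; pgcrypto supplies digest() and gen_random_bytes().
create extension if not exists pgcrypto;

create table refresh_tokens (
  token_hash bytea primary key,          -- sha256(raw token), never the token itself
  family_id  uuid not null,              -- one family per login / device
  user_id    uuid not null,
  issued_at  timestamptz not null default now(),
  expires_at timestamptz not null,
  rotated_at timestamptz,                -- set once this token has been spent
  revoked_at timestamptz
);

-- Issue the first token of a new family at login; returns the raw token.
create function issue_refresh_token(uid uuid) returns text
language plpgsql security definer set search_path = public as $$
declare
  raw text := encode(gen_random_bytes(32), 'hex');
begin
  insert into refresh_tokens (token_hash, family_id, user_id, expires_at)
  values (digest(raw, 'sha256'), gen_random_uuid(), uid, now() + interval '30 days');
  return raw;
end;
$$;

-- Exchange a refresh token for its successor. Returns the new raw token, or
-- NULL when the caller must re-authenticate. Failures return NULL instead of
-- RAISE on purpose: an exception would roll back the revocation performed in
-- the reuse branch and leave the stolen family alive.
create function rotate_refresh_token(raw_token text) returns text
language plpgsql security definer set search_path = public as $$
declare
  old   refresh_tokens%rowtype;
  fresh text := encode(gen_random_bytes(32), 'hex');
begin
  select * into old from refresh_tokens
   where token_hash = digest(raw_token, 'sha256')
   for update;                            -- serialise concurrent refreshes

  if not found or old.revoked_at is not null or old.expires_at < now() then
    return null;
  end if;

  if old.rotated_at is not null then
    -- A spent token was presented again: the client replayed it or an
    -- attacker holds a copy. Revoke the whole family so both lose access.
    update refresh_tokens set revoked_at = now()
     where family_id = old.family_id and revoked_at is null;
    return null;
  end if;

  update refresh_tokens set rotated_at = now() where token_hash = old.token_hash;
  insert into refresh_tokens (token_hash, family_id, user_id, expires_at)
  values (digest(fresh, 'sha256'), old.family_id, old.user_id, now() + interval '30 days');
  return fresh;
end;
$$;

-- "Session revocation": log a user out everywhere. Returns rows revoked.
create function revoke_user_sessions(uid uuid) returns integer
language sql security definer set search_path = public as $$
  with r as (
    update refresh_tokens set revoked_at = now()
     where user_id = uid and revoked_at is null
    returning 1
  )
  select count(*)::int from r;
$$;

-- Walk-through (t1, t2 are the raw tokens the calls return):
--   t1 := issue_refresh_token('<user uuid>')
--   t2 := rotate_refresh_token(t1)   -- new token; t1 is now spent
--   rotate_refresh_token(t1)         -- NULL: replay detected, family revoked
--   rotate_refresh_token(t2)         -- NULL: t2 died with the family
```

The short-lived access token (one hour on the page) is not stored here at all; it is verified statelessly, and the hour is the longest window a revoked session can keep working. A practitioner who needs immediate cut-off pairs this table with an access-token denylist keyed by family_id.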

Authorization

Row Level Security (RLS):

  • Database-enforced permissions
  • Policies are evaluated by Postgres on every query, so application code cannot bypass them (only superusers and roles with BYPASSRLS are exempt, and those must never serve application traffic)
  • Policies for every table
  • Automatic data filtering
  • Audit-logged queries

Permission Hierarchy:

Organization Level
├─ Owner: Full control
├─ Admin: Manage users, settings
└─ Member: Access assigned workspaces

Workspace Level
├─ Admin: Manage workspace
├─ Editor: Create/edit content
├─ Commenter: View and comment
└─ Viewer: Read-only

Document Level
├─ Owner: Full control
├─ Editor: Edit access
└─ Viewer: Read-only
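How the workspace roles above become database-enforced RLS policies, as an added example (this is not Solatis's schema; table, column and function names are assumptions). On Supabase the caller is identified with auth.uid(), which reads the request JWT; so that the example runs on any Postgres, current_user_id() stands in for it and reads a session setting that a trusted API layer must set only after it has verified the user's token.

```sql
-- Added example, not Solatis's own schema: Postgres row level security
-- enforcing workspace roles. current_user_id() is a stand-in for Supabase's
-- auth.uid(); app.user_id must be set by trusted code after JWT verification.
create function current_user_id() returns uuid
language sql stable as $$
  select nullif(current_setting('app.user_id', true), '')::uuid;
$$;

create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         text not null
               check (role in ('admin', 'editor', 'commenter', 'viewer')),
  primary key (workspace_id, user_id)
);

create table documents (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  title        text not null
);

-- Constructed seed data: one workspace with a viewer and an editor.
insert into workspace_members values
  ('aaaaaaaa-0000-0000-0000-000000000001', '11111111-0000-0000-0000-000000000001', 'viewer'),
  ('aaaaaaaa-0000-0000-0000-000000000001', '22222222-0000-0000-0000-000000000002', 'editor');
insert into documents (workspace_id, title)
  values ('aaaaaaaa-0000-0000-0000-000000000001', 'Q3 plan');

-- The caller's role in a workspace, or NULL for non-members. It runs as the
-- table owner (SECURITY DEFINER), who is not bound by the members policy
-- below because FORCE is deliberately not set on workspace_members.
create function current_workspace_role(ws uuid) returns text
language sql stable security definer set search_path = public as $$
  select role from workspace_members
  where workspace_id = ws and user_id = current_user_id();
$$;

-- Every table gets a policy. Members may only see their own membership rows.
alter table workspace_members enable row level security;
create policy members_see_own_rows on workspace_members for select
  using (user_id = current_user_id());

-- FORCE makes the policies bind the table owner as well; only superusers
-- and roles with BYPASSRLS remain exempt.
alter table documents enable row level security;
alter table documents force row level security;

-- Viewer and up: read documents in workspaces they belong to.
create policy documents_select on documents for select
  using (current_workspace_role(workspace_id) is not null);

-- Editor and admin: create and modify. WITH CHECK also stops an editor from
-- moving a row into a workspace where they hold no such role.
create policy documents_insert on documents for insert
  with check (current_workspace_role(workspace_id) in ('admin', 'editor'));
create policy documents_update on documents for update
  using      (current_workspace_role(workspace_id) in ('admin', 'editor'))
  with check (current_workspace_role(workspace_id) in ('admin', 'editor'));

-- Admin only: delete.
create policy documents_delete on documents for delete
  using (current_workspace_role(workspace_id) = 'admin');

-- Smoke test, run inside a transaction as a role that is neither superuser
-- nor BYPASSRLS (expected results in the trailing comments):
--   begin;
--   set local app.user_id = '11111111-0000-0000-0000-000000000001';  -- viewer
--   select count(*) from documents;        -- 1
--   update documents set title = 'x';      -- UPDATE 0: no rows pass USING
--   set local app.user_id = '22222222-0000-0000-0000-000000000002';  -- editor
--   update documents set title = 'x';      -- UPDATE 1
--   delete from documents;                 -- DELETE 0: admins only
--   set local app.user_id = '';            -- anonymous
--   select count(*) from documents;        -- 0
--   rollback;
```

The two things worth checking in any real deployment are visible in the smoke test: the role the API connects with must not be a superuser or hold BYPASSRLS, and each table must actually have RLS enabled (a table with no policies and RLS off is wide open to whoever holds the connection).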

API Access:

  • Scoped API keys
  • Rate limiting per key
  • IP allowlisting (Enterprise)
  • Usage monitoring
  • Automatic key rotation options

Data Protection

Privacy by Design

Data Minimization:

  • Collect only necessary data
  • Purpose-specific collection
  • Limited retention periods
  • Regular data cleanup
  • User-controlled deletion

Purpose Limitation:

  • Data used only for stated purposes
  • No secondary use without consent
  • Clear privacy policy
  • Transparent practices

User Rights

GDPR Compliance:

  • Right to access (data export)
  • Right to erasure (account deletion)
  • Right to rectification (profile editing)
  • Right to portability (export in standard formats)
  • Right to restriction
  • Right to object

Data Export:

Export Includes:
- Profile information
- All uploaded documents
- Chat history
- Meeting transcripts
- Activity logs
- Metadata

Format: JSON, CSV, or ZIP
Delivery: Email link (valid 7 days)
Time: Usually < 24 hours

Account Deletion:

Process:
1. Request deletion
2. Verify via email
3. 30-day grace period (recovery possible)
4. Permanent deletion after 30 days
Exception: data under a legal hold is retained until the hold is lifted (compliance requirement)

What's Deleted:
- Personal information
- Documents and files
- Chat history
- Recordings
- Metadata

What's Retained:
- Anonymized usage statistics (90 days)
- Financial records (7 years, regulatory requirement)
- Audit logs (anonymized, 1 year)

Compliance Certifications

SOC 2 Type II

Coverage:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

Controls:

  • Access controls
  • Change management
  • Data backup and recovery
  • Incident response
  • Monitoring and logging
  • Vendor management

Audit:

  • Annual third-party audit
  • Continuous monitoring
  • Regular control testing
  • Report available to customers (NDA required)

GDPR Compliance

Compliance Measures:

  • Data Processing Agreements (DPA)
  • Privacy by design and default
  • Data breach notification (<72 hours)
  • Data Protection Impact Assessment (DPIA)
  • EU data residency options
  • Right to be forgotten
  • Consent management

Data Location:

  • Primary: US (AWS us-east-1)
  • EU option: EU (AWS eu-west-1) - Enterprise
  • Asia option: Asia (AWS ap-southeast-1) - Enterprise
  • Data residency enforcement
  • Cross-border transfer safeguards

HIPAA Compliance (Healthcare)

Available For: Enterprise plan with BAA

Requirements:

  • Business Associate Agreement (BAA)
  • Encryption (in transit and at rest)
  • Access controls and audit logs
  • Automatic logout
  • Minimum necessary access
  • Breach notification
  • Employee training
  • Physical safeguards

PHI Handling:

  • Encrypted storage
  • Limited access (need-to-know)
  • Audit logging
  • Secure destruction
  • No AI training on PHI

ISO 27001 (In Progress)

Target: Q2 2025
Scope: Information security management
Benefits: International recognition, standardized controls

Infrastructure Security

Cloud Infrastructure

AWS Security:

  • DDoS protection (AWS Shield)
  • Web Application Firewall (AWS WAF)
  • Virtual Private Cloud (VPC)
  • Security groups and NACLs
  • Regular security assessments
  • Automated patching

Supabase Security:

  • Database isolation
  • Connection pooling
  • SSL/TLS required
  • IP allowlisting available
  • Automated backups
  • Point-in-time recovery

Network Security

Protection Layers:

  • DDoS mitigation
  • Rate limiting
  • IP reputation filtering
  • Geo-blocking (optional)
  • CDN security (Vercel/Cloudflare)

Monitoring:

  • Real-time threat detection
  • Intrusion detection system (IDS)
  • Security information and event management (SIEM)
  • 24/7 security operations center (SOC)

Application Security

Secure Development

Practices:

  • Security code reviews
  • Dependency scanning
  • SAST (Static Application Security Testing)
  • DAST (Dynamic Application Security Testing)
  • Penetration testing (annual)
  • Bug bounty program

CI/CD Security:

  • Automated security scans
  • Dependency vulnerability checks
  • Container scanning
  • Secret detection
  • Code quality gates

Vulnerability Management

Process:

1. Detection
   - Automated scanning
   - Bug bounty reports
   - Security research
   
2. Assessment
   - Severity rating (CVSS)
   - Impact analysis
   - Exploitability assessment
   
3. Remediation
   - Critical: < 24 hours
   - High: < 7 days
   - Medium: < 30 days
   - Low: < 90 days
   
4. Disclosure
   - Responsible disclosure
   - Customer notification (if applicable)
   - Public disclosure (after fix)

Incident Response

Security Incident Process

Detection:

  • Automated alerts
  • User reports
  • Security monitoring
  • Threat intelligence

Response:

1. Identify (< 30 minutes)
2. Contain (< 2 hours)
3. Investigate (< 24 hours)
4. Remediate (varies by severity)
5. Recover (varies)
6. Document (ongoing)
7. Improve (post-incident review)

Communication:

  • Internal stakeholders: Immediate
  • Supervisory authority: within 72 hours of becoming aware (GDPR Art. 33)
  • Affected customers: without undue delay (GDPR Art. 34)
  • Other regulatory bodies: As required
  • Public disclosure: After resolution (if applicable)

Data Breach Response

Immediate Actions:

  1. Contain the breach
  2. Assess scope and impact
  3. Notify security team
  4. Begin forensic investigation
  5. Implement additional controls

Customer Notification:

  • Email to affected users
  • In-app notification
  • Status page update
  • Detailed incident report
  • Remediation steps
  • Support resources

Audit & Logging

Activity Logging

Logged Events:

  • User authentication (login, logout, failed attempts)
  • Data access (view, edit, delete)
  • Permission changes
  • Integration access
  • API calls
  • Admin actions
  • Security events

Log Retention:

  • Security logs: 1 year
  • Audit logs: 1 year
  • Access logs: 90 days
  • Error logs: 90 days
  • Legal hold: Extended retention as required

Log Analysis:

  • Automated anomaly detection
  • Regular review
  • Compliance reporting
  • Forensic capability

Audit Trail

Queryable Logs:

```sql
-- Example: view a document's access history, newest first.
-- Replace the placeholder with the document's UUID; from application code,
-- bind it as a query parameter rather than interpolating it into the string.
SELECT
  timestamp,
  user_email,
  action,
  document_title,
  ip_address
FROM audit_logs
WHERE document_id = '<document-uuid>'
ORDER BY timestamp DESC
LIMIT 200;
```
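Beyond single-document history, the same table supports the "automated anomaly detection" named under Log Analysis. The query below is an added example, not Solatis's own detection logic: it runs two detections over a handful of constructed audit_logs rows. The CTE named audit_logs shadows the real table so the query runs stand-alone; delete that CTE to run it against live data. Column names follow the query above except that the event time is called ts here, and the action values 'login_failed' and 'login_success' are assumptions.

```sql
-- Added example, not Solatis's own code. The audit_logs CTE is constructed
-- sample data that shadows the real table; remove it to run against production.
with audit_logs(ts, user_email, action, ip_address) as (
  values
    (timestamptz '2025-10-11 08:00:00Z', 'alice@example.com', 'login_success', inet '192.0.2.10'),
    (timestamptz '2025-10-11 09:00:05Z', 'alice@example.com', 'login_failed',  inet '203.0.113.7'),
    (timestamptz '2025-10-11 09:00:41Z', 'alice@example.com', 'login_failed',  inet '203.0.113.7'),
    (timestamptz '2025-10-11 09:01:12Z', 'alice@example.com', 'login_failed',  inet '203.0.113.7'),
    (timestamptz '2025-10-11 09:02:03Z', 'alice@example.com', 'login_failed',  inet '203.0.113.7'),
    (timestamptz '2025-10-11 09:03:30Z', 'alice@example.com', 'login_failed',  inet '203.0.113.7'),
    (timestamptz '2025-10-11 09:05:10Z', 'alice@example.com', 'login_success', inet '203.0.113.7'),
    (timestamptz '2025-10-11 09:10:00Z', 'bob@example.com',   'login_failed',  inet '198.51.100.2'),
    (timestamptz '2025-10-11 09:10:30Z', 'bob@example.com',   'login_success', inet '198.51.100.2')
),
-- Detection 1: five or more failed logins from one IP inside a sliding
-- 10-minute window (brute force / password spraying).
failed_by_ip as (
  select ip_address, ts,
         count(*) over (partition by ip_address order by ts
                        range between interval '10 minutes' preceding
                                  and current row) as fails_10m
  from audit_logs
  where action = 'login_failed'
),
brute_force as (
  select ip_address, min(ts) as first_seen, max(fails_10m) as peak_fails
  from failed_by_ip
  where fails_10m >= 5
  group by ip_address
),
-- Detection 2: a successful login from an IP that was brute-forcing within
-- the previous 10 minutes. That account is probably compromised: revoke its
-- sessions and force a password reset.
login_after_burst as (
  select s.user_email, s.ip_address, s.ts as login_at
  from audit_logs s
  join brute_force b on b.ip_address = s.ip_address
  where s.action = 'login_success'
    and exists (
      select 1 from audit_logs f
      where f.ip_address = s.ip_address
        and f.action = 'login_failed'
        and f.ts between s.ts - interval '10 minutes' and s.ts
    )
)
select 'brute_force_source' as finding, ip_address::text as ip,
       null::text as user_email, first_seen as seen_at
from brute_force
union all
select 'login_after_brute_force', ip_address::text, user_email, login_at
from login_after_burst
order by seen_at;
-- On the sample data this returns two rows: brute_force_source for
-- 203.0.113.7 (first flagged at the fifth failure, 09:03:30) and
-- login_after_brute_force for alice@example.com at 09:05:10. Bob's single
-- failure followed by success is normal behaviour and is not reported.
```

On a real table both windows want an index on (ip_address, ts); scheduled as a job every few minutes, the login_after_brute_force rows are the ones worth paging on, since the brute_force_source rows alone are routine noise from the internet.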

Export Options:

  • CSV for analysis
  • JSON for integration
  • PDF for reporting
  • Real-time streaming (Enterprise)

Compliance for Specific Industries

Healthcare (HIPAA)

Requirements:

  • BAA required
  • PHI encryption
  • Access controls
  • Audit logging
  • Breach notification
  • Employee training

Setup: Contact sales@solatis.team

Financial Services

Requirements:

  • SOC 2 compliance
  • Data encryption
  • Access controls
  • Audit trails
  • Incident response
  • Business continuity

Additional: SOX compliance support available

Legal Services

Requirements:

  • Attorney-client privilege protection
  • Data residency options
  • Audit trails
  • Secure document handling
  • Confidentiality agreements

Security Best Practices

For Organizations

Do:

  • ✅ Enable MFA for all users
  • ✅ Use strong passwords
  • ✅ Regularly review permissions
  • ✅ Monitor access logs
  • ✅ Train employees on security
  • ✅ Implement data classification
  • ✅ Regular security audits
  • ✅ Incident response plan

Don't:

  • ❌ Share accounts
  • ❌ Use generic passwords
  • ❌ Ignore security alerts
  • ❌ Over-provision access
  • ❌ Skip security training
  • ❌ Disable security features

For Developers

API Security:

  • Store keys in environment variables
  • Rotate keys regularly (90 days)
  • Use minimum required scopes
  • Implement rate limiting
  • Monitor API usage
  • Never commit keys to code
  • Use different keys per environment

Data Handling:

  • Validate all inputs
  • Sanitize outputs
  • Use parameterized queries
  • Implement CSRF protection
  • Secure cookie settings
  • Content Security Policy (CSP)

Reporting Security Issues

Responsible Disclosure

Process:

  1. Email: security@solatis.team
  2. Include: Detailed description, steps to reproduce, impact
  3. Don't: Publicly disclose before fix
  4. Expect: Acknowledgment within 24 hours

Bug Bounty:

  • Rewards for valid vulnerabilities
  • Scope defined at bugbounty.solatis.com
  • Disclosure timeline: 90 days

Hall of Fame

Recognition for security researchers who responsibly disclose vulnerabilities.

Questions?

Security Team: security@solatis.team
DPA Requests: legal@solatis.team
Compliance Questions: compliance@solatis.team


Last Security Audit: September 2024
Next Audit: March 2025
SOC 2 Report: Available under NDA

Last Updated: October 11, 2025

Released under the MIT License.