Data Protection & Encryption

Your data is protected through multiple security layers: encryption, isolation, and compliance.

Encryption

Encryption at Rest (Stored Data)

Your data on our servers is encrypted using AES-256.

What's encrypted:

• Documents and files
• Meeting transcripts
• Chat messages
• User data
• Backups
• All database content

How it works:

Your data → Encrypted with AES-256 → Stored on server

If someone steals the hard drive:
- They see: [encrypted gibberish]
- They cannot: Read without decryption key

Encryption in Transit (Moving Data)

Data traveling between your device and our servers uses TLS 1.3.

In your browser:

• Look for 🔒 lock icon in address bar
• URL starts with "https://" (not "http://")
• This means connection is encrypted

What's protected:

Your Computer ←→ [TLS 1.3 Encrypted] ←→ Solatis Servers

Even if someone intercepts traffic:
- They see: [encrypted gibberish]
- They cannot: Decode without keys

Data Isolation

Multi-Tenancy

Solatis is multi-tenant - many organizations use the same servers safely.

Data is logically separated:

Organization A | Organization B | Organization C
     ↓         |      ↓         |       ↓
  Same Servers (but strictly isolated)

Database-level isolation:

-- When fetching documents:
SELECT * FROM documents 
WHERE organization_id = YOUR_ORG_ID

-- Your data CANNOT be retrieved without your org ID
-- Even if someone tries, the database refuses

Backup Security

Backups are:

• ✅ Encrypted with same AES-256
• ✅ Stored in separate secure location
• ✅ Isolated by organization
• ✅ Tested regularly for recovery
• ✅ Kept for 90 days minimum

Disaster recovery:

• Tested monthly
• Automated backups every hour
• Manual backups on demand
• RPO: 1 hour (max data loss)

Compliance

SOC 2 Type II

Third-party auditors certify our security:

What's verified:

• Access controls (who can access what)
• Encryption and data protection
• Backup and recovery procedures
• Incident response process
• Employee access policies
• Audit logging

Frequency: Annual audit

GDPR Compliance

For EU users, we comply with GDPR:

Your rights:

• Right to Access: Download all your data anytime
• Right to Delete: Erase your account completely
• Right to Portability: Export data in standard format
• Right to Correction: Fix inaccurate data
• Right to Object: Opt-out of certain processing

How to exercise rights:

Settings → Privacy
1. Choose action (download, delete, export)
2. Click "Request"
3. Get confirmation email within 24 hours
4. Data processed within 7 days

HIPAA Ready

For healthcare organizations handling protected health information:

Available with HIPAA agreement:

• Business Associate Agreement (BAA)
• Enhanced audit logging
• Encryption requirements
• Access controls
• Incident breach notification

Contact: compliance@solatis.team

Data Ownership

Important: You own your data.

Solatis:

• ✅ Stores your data safely
• ✅ Protects your data
• ✅ Never sells your data
• ✅ Never trains AI on your data
• ✅ Never shares with third parties

Your data deletion:

1. Delete account in Settings
2. Data marked for deletion
3. Retained for 30 days (recovery window)
4. Permanently deleted after 30 days
5. Backups deleted after 90 days

Shared Data

Share with Teammates

When you share a document:

Viewer can:

• Read document
• Copy content
• Download file

Viewer cannot:

• Edit document
• Delete document
• Share with others

Editor can:

• Do everything Viewer can
• Edit document content
• Delete document
• Share with others

Sensitive Data Handling

PII Redaction

Personal Identifying Information (PII) can be automatically redacted:

Sensitive data types:

• Social Security Numbers (SSN)
• Credit card numbers
• Email addresses
• Phone numbers
• Names and addresses

Enable redaction:

Settings → Data Privacy
Turn on "Automatically redact PII"

Compliance Data

If you handle compliance-sensitive data:

Do:

• ✅ Enable data redaction
• ✅ Restrict document access
• ✅ Monitor who accesses documents
• ✅ Review audit logs
• ✅ Use 2FA

Don't:

• ❌ Share passwords
• ❌ Store data insecurely
• ❌ Grant unnecessary access

Data Breach Response

If a security incident occurs:

Timeline:

1. Detect: Automated systems detect anomalies
2. Contain: Isolate affected systems (15 min)
3. Investigate: Determine scope (4 hours)
4. Notify: Inform affected users (24 hours)
5. Remediate: Fix the issue (24-72 hours)

What we do:

• Notify affected users within 24 hours
• Provide guidance on actions to take
• Issue public incident report
• Implement fixes
• Verify incident cannot recur

Security Certifications

Certification	Status	Details
SOC 2 Type II	✅ Current	Annual audit by Big 4 firm
GDPR	✅ Compliant	EU data privacy law
HIPAA Ready	✅ Available	With BAA agreement
ISO 27001	🔄 In Progress	Security management

View certifications: compliance@solatis.team

Next Steps

• Enable Two-Factor Authentication
• Set Up Data Privacy
• Review Audit Logs
• Contact Security Team