Security Getting Started
Learn how Solatis protects your data, manages access, and maintains compliance with industry standards.
Security at Solatis: The Big Picture
Solatis protects your data at three levels:
Level 1: Access Control
Who can access your data?
- Authentication: Verify who you are (login)
- Authorization: Verify what you can do (permissions)
- Multi-factor authentication: Extra security with 2FA
Level 2: Data Protection
How is your data protected in storage and transit?
- Encryption at rest: Your data encrypted on our servers (AES-256)
- Encryption in transit: Encrypted when moving to/from our servers (TLS 1.3)
- Data isolation: Your data separated from other organizations
Level 3: Compliance & Monitoring
How do we ensure nothing bad happens?
- SOC 2 Type II certification: Regular audits by third-party security firm
- GDPR compliance: EU data privacy laws
- HIPAA ready: For healthcare organizations
- Audit logs: Complete record of who did what and when
- Penetration testing: Annual security assessments
Part 1: How Authentication Works
What is Authentication?
Authentication = "Prove you are who you say you are"
When you log in to Solatis, you're proving your identity. Here's how it works:
You type in email and password
↓
Solatis checks: Is this password correct?
↓
You prove your identity ✓
↓
You get a session token (like a temporary ID card)
↓
You can now use Solatis until you log outAuthentication Methods
Solatis supports multiple ways to log in:
1. Email & Password
How it works:
- You create an account with email + password
- Solatis hashes your password (one-way encryption)
- When you log in, we compare your password to the hash
- If they match, you're in
Security:
- ✅ Your actual password is never stored
- ✅ Only the hash is stored
- ✅ We can't see your password (even admins can't)
- ✅ If our database is stolen, hackers can't use the passwords
Best practices:
- Use a strong password: 12+ characters, mix of letters/numbers/symbols
- Don't reuse passwords across services
- Use a password manager (1Password, Bitwarden, LastPass)
2. OAuth 2.0 (Social Login)
Log in with your existing account:
- Google Sign-In
- Microsoft 365
- GitHub
- Slack
How it works:
- You click "Login with Google"
- You're redirected to Google's login page
- You enter your Google email and password (Google, not Solatis)
- Google confirms you're you ✓
- Google tells Solatis: "Yes, this is alice@company.com"
- You're logged into Solatis
Security:
- ✅ Solatis never sees your Google password
- ✅ You trust Google's security (established, audited)
- ✅ Your password doesn't travel to Solatis servers
- ✅ If your Google account is compromised, you can change it in one place
Best practices:
- Use OAuth if your company uses Google Workspace or Microsoft 365
- Enables single sign-on (SSO) - easier login
- Recommended for organizations
3. SAML 2.0 (Enterprise)
For companies with 50+ users, SAML provides directory synchronization:
How it works:
- Your IT department configures SAML in Solatis
- Your IT department updates SAML settings in your identity provider (Okta, Azure AD, etc.)
- Users are automatically synced: alice@company.com, bob@company.com, etc.
- Users log in with their company credentials
- Permissions are automatically applied
Who uses SAML:
- ✅ Companies with Okta, Azure AD, Google Workspace
- ✅ Organizations with 50+ users
- ✅ Enterprises with strict security requirements
Benefits:
- Single sign-on (SSO)
- Automatic user provisioning
- Automatic role assignment
- Instant offboarding (when user is removed from directory)
Part 2: Multi-Factor Authentication (2FA)
What is 2FA?
2FA = "Prove who you are with TWO methods, not just password"
Think of it like ATM withdrawal:
- Password alone = 1 factor (something you know)
- Password + physical card = 2 factors (something you have + something you know)
Solatis supports:
- TOTP (Time-based One-Time Password) - 6-digit code from an app
- SMS - Code texted to your phone (less secure, not recommended)
- Hardware keys - Physical USB key (most secure, for paranoid admins)
Setting Up 2FA
Step 1: Enable 2FA on Your Account
- Go to Settings ⚙️
- Click Security
- Find Two-Factor Authentication
- Click Enable 2FA
Step 2: Scan the QR Code
You'll see a QR code. Scan it with an authenticator app:
Recommended apps:
- Google Authenticator (free, all platforms)
- Microsoft Authenticator (free, all platforms)
- Authy (free, syncs across devices)
- 1Password (paid, manages passwords + 2FA)
Don't use:
- ❌ SMS (codes can be intercepted)
- ❌ Email codes (email can be hacked)
Step 3: Verify with a Code
- Open your authenticator app
- Find the code for Solatis (6 digits, changes every 30 seconds)
- Enter the code in Solatis
- Click Verify
Step 4: Save Your Backup Codes
Solatis gives you 10 backup codes. Save them somewhere safe!
aBcDeFgH1234
aBcDeFgH5678
aBcDeFgH9012
... (7 more)If you lose your phone:
- You can use a backup code instead of your 2FA code
- Each code works once
- Then you need to set up 2FA again
Where to save backup codes:
- ✅ Password manager (1Password, Bitwarden)
- ✅ Secure document (encrypted file)
- ❌ Sticky note on your monitor
- ❌ Unencrypted text file on your desktop
2FA in Practice
When you log in:
1. Enter email: alice@company.com
2. Enter password: ••••••••
3. Solatis checks - password correct ✓
4. "Enter your 2FA code"
5. You open authenticator app → see "847362"
6. You type 847362
7. Solatis checks - code correct ✓
8. You're logged in ✓The entire process takes ~30 seconds.
Part 3: Authorization - What You Can Do
Authorization = "You are who you say you are. Here's what you're allowed to do."
Solatis uses Role-Based Access Control (RBAC) with Row-Level Security (RLS).
Role-Based Access Control
Your role determines what you can do in a workspace:
| Action | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| Read documents | ✅ | ✅ | ✅ | ✅ |
| Create documents | ✅ | ✅ | ✅ | ❌ |
| Edit documents | ✅ | ✅ | ✅ | ❌ |
| Delete documents | ✅ | ✅ | ✅ | ❌ |
| Manage users | ✅ | ✅ | ❌ | ❌ |
| Create AI agents | ✅ | ✅ | ✅ | ❌ |
| Change workspace settings | ✅ | ✅ | ❌ | ❌ |
| Change organization settings | ✅ | ❌ | ❌ | ❌ |
| View billing | ✅ | ❌ | ❌ | ❌ |
Row-Level Security (RLS)
Even within the same workspace, you might not be able to see all documents.
Example:
You're in the "Main Workspace". There are 100 documents:
- 80 public documents (everyone can see)
- 15 legal documents (only legal team)
- 5 executive briefings (only executives)
As an Editor, you can see 80 public documents. The legal and executive documents are restricted - you don't see them in search, and you can't access them directly.
RLS is enforced at the database level. Even if you somehow get the document ID, the database says "no, you don't have permission" and won't return the data.
How RLS Works in Practice
Scenario 1: Public Document
You: "Can I see 'Q1 Strategy'?"
Database: "Is it marked as restricted?"
No
"Do you have workspace access?"
Yes (you're an Editor)
"Permission granted ✓"Scenario 2: Restricted Document
Carol: "Can I see 'Executive Compensation'?"
Database: "Is it marked as restricted?"
Yes - restricted to [executives]
"Are you in the restricted list?"
No (Carol is Editor, not executive)
"Permission denied ✗"Carol's search results don't even show this document.
Part 4: Data Encryption
Encryption at Rest
At Rest = "Your data sitting on our servers"
How it works:
- You upload a document "secret.pdf"
- Solatis reads the raw file
- Before storing, Solatis encrypts it with AES-256 encryption
- The encrypted file is stored on our servers
- If someone steals our hard drive, they can't read the data (encrypted)
AES-256 explained:
- AES = Advanced Encryption Standard (industry standard since 2001)
- 256 = 2^256 possible encryption keys (essentially impossible to break)
- "Unbreakable" with current technology (would take thousands of years to crack)
Your data is encrypted:
- ✅ In our databases
- ✅ In our backups
- ✅ On disk
- ✅ In system memory (encrypted until needed)
Encryption in Transit
In Transit = "Your data traveling from your computer to our servers"
How it works:
Your computer ←→ Internet ←→ Solatis servers
(TLS 1.3 encryption)- You upload a document
- Your computer and our server negotiate a secure connection (TLS handshake)
- Data travels encrypted over the internet
- Even if someone intercepts the traffic, they see gibberish, not your data
TLS 1.3 explained:
- TLS = Transport Layer Security (HTTPS protocol)
- 1.3 = Latest version (released 2018)
- Every HTTPS website uses this
Verifying HTTPS:
- Look at your browser address bar
- You see a 🔒 lock icon and "https://" (not "http://")
- This means your connection is encrypted
End-to-End Encryption (Not Currently Offered)
Some services offer end-to-end encryption (E2E):
- You encrypt data on your computer
- Solatis never sees unencrypted data
- Only you can decrypt it
Solatis doesn't currently offer E2E because:
- ✗ Would disable semantic search (AI can't analyze encrypted data)
- ✗ Would disable collaborative features (others can't see your data)
- ✗ Would disable AI agents (agents can't process encrypted documents)
If you absolutely need E2E, you can:
- Encrypt documents locally before uploading
- Upload the encrypted file
- Solatis stores it as-is
But then you lose AI features for that document.
Part 5: Data Isolation & Multi-Tenancy
How Multi-Tenancy Works
Solatis is a multi-tenant system. Multiple organizations use the same servers:
Company A's data ──┐
Company B's data ──┼─→ Solatis Servers
Company C's data ──┘This is safe because:
- Data is logically separated at the database level
- Every query includes "WHERE organization_id = Company_A"
- Your data can't be accidentally retrieved by Company B
- Backups are isolated per organization
- Encryption keys are different per organization
Verification:
- Solatis is SOC 2 Type II certified (audited by third party)
- Auditors verify data isolation
- Annual penetration testing confirms no data leakage
Your Data Belongs to You
Important terms:
- ✅ You own your data
- ✅ You can export your data anytime
- ✅ You can delete your data (30-day retention after deletion)
- ✅ Solatis can't use your data to improve our product
- ✅ Solatis can't sell your data
- ✅ Solatis doesn't train AI models on your data
In our terms of service:
"Customer Data is the exclusive property of Customer. Solatis has no rights to Customer Data except as necessary to provide the Service."
Part 6: Compliance Standards
SOC 2 Type II
What is SOC 2?
SOC 2 (Service Organization Control) is an audit performed by third-party firms. It certifies that:
| Control Area | What It Covers |
|---|---|
| Security | Unauthorized access is prevented |
| Availability | The service is available when needed |
| Processing Integrity | Transactions are complete and accurate |
| Confidentiality | Confidential information is protected |
| Privacy | Personal data is handled correctly |
Type I vs Type II:
- Type I: Audit at a single point in time
- Type II: Audit over 6+ months (more comprehensive, shows real operations)
Solatis is SOC 2 Type II certified. This means:
- ✅ An external auditor verified our security controls
- ✅ They confirmed these controls worked for 6+ months
- ✅ They reviewed our incident response procedures
- ✅ They verified our employee access controls
- ✅ They checked our backup and disaster recovery
You can request our SOC 2 report (under NDA): Contact support@solatis.team with "SOC 2 Report Request"
GDPR Compliance
GDPR = General Data Protection Regulation (EU data privacy law)
For EU users, you have rights:
- Right to Access: Download all your data
- Right to Deletion: Delete your account and all data
- Right to Portability: Export data in standard format
- Right to Rectification: Correct inaccurate data
- Right to Object: Opt out of certain processing
Solatis supports all GDPR rights:
- ✅ Data export (get your data anytime)
- ✅ Account deletion (complete data removal in 30 days)
- ✅ Data portability (export in standard formats)
- ✅ Correction (update your profile)
- ✅ Objection (contact privacy@solatis.team)
How to exercise your GDPR rights:
- Go to Settings → Privacy
- Click the right you want to exercise:
- "Download my data"
- "Delete my account"
- "Export to CSV"
- Click Request
- You'll get a confirmation email within 24 hours
- The data is prepared within 7 days
HIPAA Readiness
HIPAA = Health Insurance Portability and Accountability Act (US healthcare law)
If you're a healthcare provider and handle Protected Health Information (PHI), Solatis can be configured for HIPAA compliance:
HIPAA features available:
- ✅ Business Associate Agreement (BAA)
- ✅ Audit logs with PHI tracking
- ✅ Encryption at rest and in transit
- ✅ Access controls by role
- ✅ Data integrity controls
- ✅ Backup and disaster recovery
To enable HIPAA mode:
- Contact support@solatis.team
- Request "HIPAA Business Associate Agreement"
- Sign the BAA
- We enable HIPAA features on your organization
- Additional compliance features are enabled
Cost: Additional $200/month + legal review
Part 7: Audit Logs
What are Audit Logs?
Audit logs = Complete record of everything that happens in your organization
Every action is logged:
2:45 PM - alice@company.com - created document "Q1 Strategy"
2:40 PM - bob@company.com - uploaded file "competitor_analysis.pdf"
2:35 PM - carol@company.com - shared document with marketing_team
2:30 PM - system - ran "Meeting Analysis Agent" on meeting #456
2:25 PM - alice@company.com - changed bob's role from Editor to Viewer
2:20 PM - failed_login - Failed login attempt from 185.220.101.24What Gets Logged
| Action | Logged |
|---|---|
| Login/Logout | ✅ |
| Create document | ✅ |
| Edit document | ✅ |
| Delete document | ✅ |
| Share document | ✅ |
| Run AI agent | ✅ |
| Download file | ✅ |
| View restricted document | ✅ |
| Change user permissions | ✅ |
| Modify workspace settings | ✅ |
| API calls | ✅ |
| Failed login attempts | ✅ |
| 2FA bypassed | ✅ |
Why Audit Logs Matter
Compliance: Prove to auditors what happened Security: Detect unauthorized access or suspicious activity Troubleshooting: Understand what went wrong Accountability: Know who did what
Accessing Audit Logs
- Go to Settings → Audit Logs
- You'll see entries like:
Date & Time | User | Action | Details
────────────────────────────────────────────
2:45 PM | alice | document.create | "Q1 Strategy" | workspace_id=ws_123
2:40 PM | bob | file.upload | "competitor_analysis.pdf" | size=2.3MB
2:35 PM | carol | document.share | "Q1 Strategy" with group "marketing"- Click any entry to see details:
- IP address - Where they logged in from
- Device - Browser, operating system
- User agent - Exact browser version
- Response - Success or failure
Exporting Audit Logs
For compliance reports:
- In Audit Logs, click Export
- Choose date range:
- Last 30 days (SOC 2)
- Last 90 days (quarterly review)
- Last 365 days (annual audit)
- Choose format:
- CSV (easy to analyze in Excel)
- JSON (for systems integration)
- Click Download
The file includes all audit events with:
- Timestamp (exact date and time)
- User ID
- Action type
- Resource affected
- IP address
- Result (success/failure)
Part 8: Security Best Practices
For Individual Users
- ✅ Use a strong, unique password (12+ characters)
- ✅ Enable 2FA on your account
- ✅ Don't share your password with colleagues
- ✅ Use a password manager
- ✅ Log out when done using Solatis
- ✅ Don't access Solatis on public WiFi (or use a VPN)
- ✅ Lock your computer when leaving
- ❌ Don't write passwords on sticky notes
- ❌ Don't use "password123" or similar
- ❌ Don't reuse passwords across services
For Administrators
- ✅ Require 2FA for all team members
- ✅ Use strong authentication (OAuth/SAML over email/password)
- ✅ Audit your audit logs weekly
- ✅ Review login activity monthly
- ✅ Restrict sensitive document access
- ✅ Set cost limits for AI agent spending
- ✅ Enable data redaction for sensitive information
- ✅ Review and revoke unused API tokens
- ✅ Document your access control policies
- ❌ Don't share admin credentials
- ❌ Don't disable 2FA
- ❌ Don't give everyone Owner role
- ❌ Don't store passwords in email or Slack
For Your Organization
- ✅ Establish a password policy
- ✅ Require regular password changes (60-90 days)
- ✅ Implement SSO (Single Sign-On) with your identity provider
- ✅ Set up SAML for organizations with 50+ users
- ✅ Monitor for suspicious activity
- ✅ Establish a data classification system (public/internal/confidential)
- ✅ Restrict access based on data classification
- ✅ Train employees on security
- ✅ Have an incident response plan
- ✅ Conduct regular security audits
Part 9: Incident Response
What if Something Goes Wrong?
If you suspect a security issue:
- Stop what you're doing - Don't try to "fix" it
- Email security@solatis.team - Mark as urgent
- Include details:
- What happened?
- When did you notice?
- Which documents are affected?
- What did you do?
Example:
Subject: URGENT - Unauthorized access suspected
Hi,
I believe someone unauthorized accessed my account. At 3:45 PM today,
I saw a login from a location I've never been to (Russia, 74.125.45.67).
I've changed my password and enabled 2FA.
Can you please:
1. Check if anyone else accessed my account
2. Revoke any suspicious sessions
3. Review my audit logs for the past week
Thank you,
AliceSolatis Response to Security Issues
We take security seriously. Here's our process:
Triage (15 minutes)
- Classify severity
- Assign to security team
Containment (1 hour)
- Isolate affected systems
- Prevent further damage
- Notify affected customers
Investigation (4-24 hours)
- Determine root cause
- Assess scope (how many users affected)
- Review logs
Remediation (24-72 hours)
- Fix the vulnerability
- Test the fix
- Deploy to production
Notification (within 48 hours)
- Notify affected users
- Provide guidance
- Publish incident report
Known Security Issues
We publish security advisories for discovered vulnerabilities:
- Go to Security Advisories
- You'll see all disclosed vulnerabilities
- Each advisory includes:
- Affected versions
- Workarounds (if any)
- When it was fixed
- Impact assessment
Part 10: Security FAQ
Q: Is my data safe on Solatis?
A: Yes. We use:
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- SOC 2 Type II certification
- Multi-tenant isolation
- Audit logging
- Annual penetration testing
Your data is more secure with Solatis than in most spreadsheets.
Q: Can Solatis employees see my data?
A: No. Here's why:
- Employee access is logged
- Employees have to request access for support
- Access is approved by security team
- All access is audited
- Employees are background checked
- We have a strict confidentiality policy
Q: What happens if Solatis is hacked?
A: Even if hackers get our servers:
- Data is encrypted with AES-256
- Would take thousands of years to break
- Encryption keys are separate from data
- We'd notify you within 24 hours
- You can request your data immediately
- We have cyber insurance
Q: Can you delete my data?
A: Yes, anytime:
- Go to Settings → Privacy
- Click Delete my account
- Confirm deletion
- Your data is deleted within 30 days
- Backups are deleted within 90 days
Q: What about privacy? Can you use my data?
A: No. According to our Privacy Policy:
- ✅ We never sell your data
- ✅ We never train AI models on your data
- ✅ We never share your data with third parties (except subpoena)
- ✅ You own your data
Q: Is Solatis compliant with [GDPR/HIPAA/PCI-DSS]?
| Regulation | Compliant | Notes |
|---|---|---|
| GDPR | ✅ | Yes, with data residency options |
| HIPAA | ✅ | Yes, with BAA and additional features |
| PCI-DSS | N/A | Not applicable (we don't store payment data) |
| SOC 2 | ✅ | Type II certified |
| ISO 27001 | 🔄 | In progress |
Contact compliance@solatis.team for certifications.
Q: How do I report a security vulnerability?
A: Email security@solatis.team with:
- Description of the vulnerability
- Steps to reproduce it
- Impact assessment
- Your contact info
We'll acknowledge within 24 hours and coordinate a fix. Responsible disclosure appreciated.
Next Steps
Continue learning:
- Understand Authorization & Permissions - Deep dive into RBAC and RLS
- Review Compliance Standards - Detailed compliance information
- Learn about API Security - Secure API usage
- Set up Encryption - Advanced encryption topics
Questions? Contact our security team - they're here to help.
Key Takeaway: Solatis is built on a foundation of security. Your data is encrypted, isolated, logged, and audited. We comply with SOC 2, GDPR, and HIPAA. Trust us with your data. 🔒