SECURITY. PRIVACY. TRUST.

Solo is committed to protecting your data

Our dedicated security team is continuously reviewing and improving our security and privacy controls, policies, and procedures

Our ongoing security initiatives

Solo has a dedicated security team that includes not only security specialists but also every member of our company, because a security system is only as strong as its weakest link.

Cloud Infrastructure

The PHX platform is hosted on Google Cloud Platform (GCP). GCP undergoes regular independent verification of its security, privacy, and compliance controls, including ISO 27001 and SOC 2 Type 2 assessments. You can find more information here.

Encryption

Solo employs industry-standard TLS 1.2+ and HTTPS encryption when transferring data between users and Solo’s infrastructure. All customer data is encrypted at rest using 256-bit AES symmetric encryption keys or better. Solo employs Google’s Cloud KMS to create and manage encryption keys.

Resilient Architecture

Solo employs GCP’s high-availability configurations (e.g., multiple regions, availability zones, load balancers, replica databases) to protect against failure. Data is synchronously replicated to standby instances, allowing GCP to automatically fail over and reconnect to a standby instance. All deployments employ Kubernetes, which also allows rapid rollout and rollback of services in the event of a disruption.

Disaster Recovery

Solo stores all infrastructure as code, which means that we are able to deploy complete copies of production environments very quickly. In the event of a complete region-wide outage, Solo’s DevOps team is able to deploy a duplicate environment in an alternate region. Backups occur at least every day, allowing for quick restoration of data in the case of data corruption or loss.

Incident Response

Solo has established an Incident Response Plan and cross-functional response team to identify and quickly respond to security incidents. Solo regularly reviews its Incident Response Plan and engages in tabletop exercises and other methods to test the effectiveness and execution of the plan.

Multi-factor Authentication

Solo enforces multi-factor authentication on key internal systems and devices to provide an additional layer of security. We also enforce multi-factor authentication and provide single sign-on options for users of the PHX platform.

Vendor Risk Management

Solo has a standard process for managing vendors and identifying and managing vendor risk. This process includes both a security review at onboarding and regular assessments of vendors’ data security and privacy practices.

Security Training

Solo conducts regular security training to help ensure our team members are up to date on security best practices and are prepared to face current and emerging security threats. All team members are required to complete annual security awareness training. Our development team also receives targeted secure code and OWASP Top 10 training.

Secure Coding

Solo uses the OWASP Top 10 guide for secure development practices. Systems are regularly scanned using a number of vulnerability scanning tools. Confirmed vulnerabilities are promptly shared with Solo’s Development team for remediation.

Penetration Testing

Solo works with independent third parties to conduct regular penetration tests of our cloud infrastructure, web applications, and application programming interfaces (API). Confirmed vulnerabilities are promptly shared with Solo’s Development team for remediation.

Vulnerability Scanning

Solo’s Security and DevOps teams conduct regular vulnerability scans and assessments of our infrastructure and systems. These assessments include identification of code defects, vulnerabilities and missing patches, and potential misconfigurations. Confirmed vulnerabilities are promptly shared with Solo’s Development team for remediation.

Reporting Security Issues

Solo is continuously reviewing and improving our security controls. If you would like to report a vulnerability or security issue, please contact us at security@gosolo.io. Solo uses Bugcrowd’s Vulnerability Rating Taxonomy and rewards findings classified as P3 or greater. If you would like to report a vulnerability, please send us a proof of concept, list of tools used, and the output of the tools. Our Security team will work quickly to reproduce each reported vulnerability to verify its status before taking the steps needed to remedy it and issue rewards.

Privacy

Solo’s Legal and Security teams work with other teams across the company to keep personal information private and secure. Solo’s Privacy Policy provides information on how Solo collects, stores, uses, and shares personal information. Solo does not use or disclose personal information other than as permitted in our Privacy Policy and agreements with our customers.

Compliance

Solo maintains a SOC 2 Type 2 report for the Security, Confidentiality, and Availability Trust Services Criteria. Reports are issued by independent third-party auditors and demonstrate how Solo achieves key compliance controls and objectives. Solo’s SOC 2 Type 2 Report is available to Solo customers upon request.

SOC 2 Type 2

One of the key advantages of achieving SOC 2 compliance is that it shows how seriously Solo takes information security. We test our processes to ensure we’re handling sensitive information responsibly. It’s not just about us; it’s about ensuring that our customers can trust us to keep their data safe and benefit from that peace of mind.