Our dedicated security team is continuously reviewing and improving our security and privacy controls, policies, and procedures.
Solo has a dedicated security team that includes not only security specialists but every member of our company, because a security system is only as strong as its weakest link.
The PHX platform is hosted on Google Cloud Platform (GCP). GCP undergoes regular independent verification of its security, privacy, and compliance controls, including ISO 27001 and SOC 2 Type 2 assessments. You can find more information here.
Solo employs industry standard TLS 1.2+ and HTTPS encryption when transferring data between users and Solo’s infrastructure. All customer data is encrypted at rest using AES-256-bit symmetric encryption keys or better. Solo employs Google’s Cloud KMS to create and manage encryption keys.
Solo employs GCP’s high availability configurations (e.g., multiple regions, availability zones, load balancers, replica databases) to protect against failure. Data is synchronously replicated to standby instances, allowing GCP to automatically fail over and reconnect to a standby instance. All deployments employ Kubernetes, which also allows rapid rollout and rollback of services in the event of a disruption.
Solo stores all infrastructure as code, which means that we are able to deploy complete copies of production environments very quickly. In the event of a complete region-wide outage, Solo’s DevOps team is able to deploy a duplicate environment in an alternate region. Backups occur at least every day, allowing for quick restoration of data in the case of data corruption or loss.
Solo has established an Incident Response Plan and cross-functional response team to identify and quickly respond to security incidents. Solo regularly reviews its Incident Response Plan and engages in tabletop exercises and other methods to test the effectiveness and execution of the plan.
Solo enforces multi-factor authentication on key internal systems and devices to provide an additional layer of security. We also enforce multi-factor authentication and provide single sign-on options for users of the PHX platform.
Solo has a standard process for managing vendors and identifying and managing vendor risk. This process includes both a security review at onboarding and regular assessments of vendors’ data security and privacy practices.
Solo conducts regular security training to help ensure our team members are up to date on security best practices and are prepared to face current and emerging security threats. All team members are required to complete annual security awareness training. Our development team also receives targeted secure code and OWASP Top 10 training.
Solo uses the OWASP Top 10 guide for secure development practices. Systems are regularly scanned using a number of vulnerability scanning tools. Confirmed vulnerabilities are promptly shared with Solo’s Development team for remediation.
Solo works with independent third parties to conduct regular penetration tests of our cloud infrastructure, web applications, and application programming interfaces (APIs). Confirmed vulnerabilities are promptly shared with Solo’s Development team for remediation.
Solo’s Security and DevOps teams conduct regular vulnerability scans and assessments of our infrastructure and systems. These assessments include identification of code defects, vulnerabilities and missing patches, and potential misconfigurations. Confirmed vulnerabilities are promptly shared with Solo’s Development team for remediation.
Solo is continuously reviewing and improving our security controls. If you would like to report a vulnerability or security issue, please contact us at email@example.com. Solo uses Bugcrowd’s Vulnerability Rating Taxonomy and rewards findings classified as P3 or greater. If you would like to report a vulnerability, please send us a proof of concept, list of tools used, and the output of the tools. Our Security team will work quickly to reproduce each reported vulnerability to verify its status before taking the steps needed to remedy and issue rewards.
Solo maintains a SOC 2 Type 2 report for the Security, Confidentiality, and Availability Trust Services Criteria. Reports are issued by independent third-party auditors and demonstrate how Solo achieves key compliance controls and objectives. Solo’s SOC 2 Type 2 Report is available to Solo customers upon request.
One of the key advantages of achieving SOC 2 compliance is that it shows how seriously Solo takes information security. We test our processes to ensure we’re handling sensitive information responsibly. It’s not just about us; it’s about ensuring that our customers can trust us to keep their data safe and benefit from that peace of mind.