Solstice HealthSolstice Health

Data & Security

Enterprise-grade security and compliance for life sciences data.

Compliance & Certifications

SOC 2 TYPE II

Independently audited annually. Our SOC 2 Type II report covers security, availability, and confidentiality trust service criteria. Reports are available to customers and prospects under NDA.

Data Protection

Encryption

All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256-GCM. Encryption keys are managed through a dedicated key management service with automatic rotation.

Tenant Isolation

Customer data is logically isolated at every layer of the stack. Each organization's content, models, and knowledge base are managed independently with no cross-tenant access. Client data is never shared with or accessible by other customers.

AI Data Usage

Solstice does not use customer data to train, fine-tune, or improve our AI models. Customer content is processed in real-time to fulfill your requests and is not retained beyond what is necessary to provide the service.

Access Control

Authentication

Enterprise SSO via SAML 2.0 and OpenID Connect. Multi-factor authentication (MFA) is supported and can be enforced at the organization level. Session management includes configurable timeout and concurrent session limits.

Role-Based Access Control

Granular RBAC with configurable permission sets. Administrators control user access to workspaces, content, and platform features. The principle of least privilege is enforced across all internal and customer-facing systems.

Audit Logging

Comprehensive audit logs capture all user actions including logins, content creation, edits, approvals, exports, and administrative changes. Logs are immutable, retained per your organization's policy, and available for export.

Infrastructure & Operations

Cloud Infrastructure

The Platform is hosted on AWS with infrastructure deployed across multiple availability zones for redundancy. All infrastructure is managed through infrastructure-as-code with automated provisioning and configuration management.

Vulnerability Management

Continuous automated vulnerability scanning across application and infrastructure layers. Third-party penetration testing is conducted at least annually. Critical vulnerabilities are remediated within defined SLA timelines.

Incident Response

Documented incident response plan with defined roles, escalation paths, and communication procedures. Affected customers are notified of security incidents per contractual and regulatory timelines.

Business Continuity

Automated backups with point-in-time recovery. Disaster recovery procedures are tested regularly. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are defined in customer service agreements.

Data Residency

Customer data is stored and processed in secure AWS regions within the United States. All data remains within the designated region throughout its lifecycle, including processing, storage, and backup. Data residency options for other regions may be available upon request for enterprise customers.

Subprocessors

We use trusted third-party service providers to operate the Platform. All subprocessors are vetted for security and compliance prior to engagement and are subject to contractual data protection obligations.

Amazon Web Services (AWS)Cloud infrastructure, compute, storage, and database services
Auth0 (Okta)Authentication and identity management
Azure OpenAI ServiceAI model hosting and inference
PineconeVector database for document search and retrieval
DatadogInfrastructure monitoring and observability

A complete list of subprocessors is available upon request. Customers are notified of material changes to our subprocessor list at least 30 days in advance.

Secure Development

We follow secure software development lifecycle (SDLC) practices across all engineering work. This includes mandatory code reviews, automated testing in CI/CD pipelines, static application security testing (SAST), dependency vulnerability scanning, and container image scanning. All production deployments go through staged rollouts with automated rollback capabilities.

Monitoring & Alerting

We continuously monitor infrastructure and application activity across all environments. Real-time alerts are generated for anomalous behavior, performance degradation, and security events. All alerts are triaged and investigated promptly by our engineering and security teams. Monitoring covers uptime, latency, error rates, authentication events, and resource utilization.

Security Inquiries

To request our SOC 2 Type II report, discuss security requirements, or report a security concern, contact us at security@solsticehealth.co.