Solstice Health

Data & Security

Enterprise-grade security and compliance for life sciences data.

Compliance & Certifications

SOC 2 TYPE II

Independently audited annually. Our SOC 2 Type II report covers security, availability, and confidentiality trust service criteria. Reports are available to customers and prospects under NDA.

HIPAA ALIGNED

Infrastructure and processes are designed to support HIPAA-aligned data handling. Business Associate Agreements (BAAs) are available for customers who require them.

Data Protection

Encryption

All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256-GCM. Encryption keys are managed through a dedicated key management service with automatic rotation.

Tenant Isolation

Customer data is logically isolated at every layer of the stack. Each organization's content, models, and knowledge base are managed independently with no cross-tenant access. Client data is never shared with or accessible by other customers.

AI Data Usage

Solstice does not use customer data to train, fine-tune, or improve our AI models. Customer content is processed in real time to fulfill your requests and is not retained beyond what is necessary to provide the service.

Access Control

Authentication

Enterprise SSO via SAML 2.0 and OpenID Connect. Multi-factor authentication (MFA) is supported and can be enforced at the organization level. Session management includes configurable session timeouts and concurrent-session limits.

Role-Based Access Control

Granular RBAC with configurable permission sets. Administrators control user access to workspaces, content, and platform features. The principle of least privilege is enforced across all internal and customer-facing systems.

Audit Logging

Comprehensive audit logs capture all user actions including logins, content creation, edits, approvals, exports, and administrative changes. Logs are immutable, retained per your organization's policy, and available for export.

Infrastructure & Operations

Cloud Infrastructure

The Platform is hosted on AWS with infrastructure deployed across multiple availability zones for redundancy. All infrastructure is managed through infrastructure-as-code with automated provisioning and configuration management.

Vulnerability Management

Continuous automated vulnerability scanning across application and infrastructure layers. Third-party penetration testing is conducted at least annually. Critical vulnerabilities are remediated within defined SLA timelines.

Incident Response

Documented incident response plan with defined roles, escalation paths, and communication procedures. Affected customers are notified of security incidents per contractual and regulatory timelines.

Business Continuity

Automated backups with point-in-time recovery. Disaster recovery procedures are tested regularly. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are defined in customer service agreements.

Security Inquiries

To request our SOC 2 Type II report, discuss security requirements, or report a security concern, contact us at security@solsticehealth.co.