Data & Security
Enterprise-grade security and compliance for life sciences data.
Compliance & Certifications
Independently audited annually. Our SOC 2 Type II report covers security, availability, and confidentiality trust service criteria. Reports are available to customers and prospects under NDA.
Data Protection
Encryption
All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256-GCM. Encryption keys are managed through a dedicated key management service with automatic rotation.
Tenant Isolation
Customer data is logically isolated at every layer of the stack. Each organization's content, models, and knowledge base are managed independently with no cross-tenant access. Client data is never shared with or accessible by other customers.
AI Data Usage
Solstice does not use customer data to train, fine-tune, or improve our AI models. Customer content is processed in real-time to fulfill your requests and is not retained beyond what is necessary to provide the service.
Access Control
Authentication
Enterprise SSO via SAML 2.0 and OpenID Connect. Multi-factor authentication (MFA) is supported and can be enforced at the organization level. Session management includes configurable timeout and concurrent session limits.
Role-Based Access Control
Granular RBAC with configurable permission sets. Administrators control user access to workspaces, content, and platform features. The principle of least privilege is enforced across all internal and customer-facing systems.
Audit Logging
Comprehensive audit logs capture all user actions including logins, content creation, edits, approvals, exports, and administrative changes. Logs are immutable, retained per your organization's policy, and available for export.
Infrastructure & Operations
Cloud Infrastructure
The Platform is hosted on AWS with infrastructure deployed across multiple availability zones for redundancy. All infrastructure is managed through infrastructure-as-code with automated provisioning and configuration management.
Vulnerability Management
Continuous automated vulnerability scanning across application and infrastructure layers. Third-party penetration testing is conducted at least annually. Critical vulnerabilities are remediated within defined SLA timelines.
Incident Response
Documented incident response plan with defined roles, escalation paths, and communication procedures. Affected customers are notified of security incidents per contractual and regulatory timelines.
Business Continuity
Automated backups with point-in-time recovery. Disaster recovery procedures are tested regularly. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are defined in customer service agreements.
Data Residency
Customer data is stored and processed in secure AWS regions within the United States. All data remains within the designated region throughout its lifecycle, including processing, storage, and backup. Data residency options for other regions may be available upon request for enterprise customers.
Subprocessors
We use trusted third-party service providers to operate the Platform. All subprocessors are vetted for security and compliance prior to engagement and are subject to contractual data protection obligations.
A complete list of subprocessors is available upon request. Customers are notified of material changes to our subprocessor list at least 30 days in advance.
Secure Development
We follow secure software development lifecycle (SDLC) practices across all engineering work. This includes mandatory code reviews, automated testing in CI/CD pipelines, static application security testing (SAST), dependency vulnerability scanning, and container image scanning. All production deployments go through staged rollouts with automated rollback capabilities.
Monitoring & Alerting
We continuously monitor infrastructure and application activity across all environments. Real-time alerts are generated for anomalous behavior, performance degradation, and security events. All alerts are triaged and investigated promptly by our engineering and security teams. Monitoring covers uptime, latency, error rates, authentication events, and resource utilization.
Security Inquiries
To request our SOC 2 Type II report, discuss security requirements, or report a security concern, contact us at security@solsticehealth.co.