Security & Compliance
Enterprise-grade security protecting your data and your customers
Security First
Security is not an afterthought at Solid; it is built into every layer of our platform. We use industry-leading security practices, maintain compliance certifications, and continuously monitor for threats.
Data Encryption
Encryption in Transit
All data transmitted to and from Solid is encrypted using TLS 1.3 with perfect forward secrecy. We enforce HTTPS for all connections and do not support unencrypted HTTP.
- TLS 1.3 encryption for all connections
- Perfect forward secrecy (PFS)
- HSTS enabled with preloading
Encryption at Rest
All sensitive data is encrypted at rest using AES-256 encryption. Database encryption keys are rotated regularly and stored in secure hardware security modules (HSMs).
- AES-256 encryption for all databases
- Keys stored in HSMs
- Automatic key rotation
Compliance Certifications
PCI DSS Level 1
Solid is certified as a PCI DSS Level 1 Service Provider, the highest level of certification available. This means we meet the strictest security standards for handling credit card information.
SOC 2 Type II
Our SOC 2 Type II certification validates that we maintain strict controls around security, availability, processing integrity, confidentiality, and privacy.
GDPR Compliant
Solid fully complies with the EU General Data Protection Regulation (GDPR). We provide data portability, the right to erasure, and transparent data processing.
CCPA Compliant
Solid complies with the California Consumer Privacy Act (CCPA). Users have full control over their personal information, with transparency and opt-out rights.
Infrastructure Security
- Multi-region redundancy - Infrastructure deployed across multiple AWS regions with automatic failover
- DDoS protection - Enterprise-grade DDoS mitigation at network and application layers
- Network isolation - Strict network segmentation and firewall rules limit attack surface
- Automated patching - Security patches applied automatically with zero downtime
- Intrusion detection - 24/7 monitoring with AI-powered anomaly detection
Access Controls
Multi-Factor Authentication (MFA)
Require MFA for all team members accessing your account. We support TOTP authenticator apps, SMS, and hardware security keys (YubiKey, etc.).
Role-Based Access Control (RBAC)
A granular permission system lets you control exactly what each team member can access. Assign built-in roles such as Admin, Developer, Support, or Finance, or create custom roles.
API Key Management
Generate separate API keys for each service with limited scopes. Rotate keys easily without downtime. Monitor all API activity with detailed logs.
SSO & SAML
Enterprise customers can enable Single Sign-On with Okta, Google Workspace, Azure AD, or any SAML 2.0 provider.
Data Privacy & Retention
- Data ownership - You own all your data. We never sell or share customer data with third parties.
- Data portability - Export all your data anytime in standard formats (JSON, CSV).
- Right to deletion - Request complete data deletion at any time. We permanently erase all data within 30 days.
- Data residency - Choose where your data is stored (US, EU, APAC) to meet local regulations.
- Audit logs - Complete audit trail of all data access and modifications for 90 days.
Incident Response
Our security team follows a documented incident response plan to detect, contain, and resolve security incidents quickly.
- Detection - 24/7 automated monitoring and threat detection
- Containment - Immediate isolation to prevent spread
- Resolution - Root cause analysis and remediation
- Communication - Transparent notification to affected customers
Responsible Disclosure
Found a security vulnerability? We appreciate responsible disclosure and will work with you to address it quickly.
Trust Center
Access security documentation, compliance reports, and real-time system status.