Solara Health Information Security

Updated: May 2025
Introduction

Security is a top priority for Solara Health. We have developed a comprehensive security program, guided by a formal, documented Information Security Management System (ISMS). This program includes policies, standards, and procedures designed to protect Solara Health’s data, customer information, and production systems.

External Security Attestations, Governance, and Compliance

  • Certifications: Solara Health is finalizing SOC 2 Type 1 certification and is on track for SOC 2 Type 2 certification in June 2025. Independent, third-party audits will be conducted annually.
  • Governance: A dedicated security committee meets weekly to oversee security initiatives, including vulnerability management and infrastructure improvements.
  • Continuous Improvement: Solara Health partners with a virtual Chief Information Security Officer (vCISO) to enhance its security posture continuously.

Data Hosting

  • Hosting Environment: Solara Health’s systems are hosted within Google Cloud Platform (GCP) secure data centers, certified under ISO 27001, SOC 1 & 2, PCI DSS Level 1, and other standards.
  • Security Tools: We utilize GCP’s Security Command Center and Cloudflare to monitor, alert, and protect against malicious activities.

Human Resources and Awareness

  • Background Checks: All employees undergo pre-employment background checks.
  • Security Training: New hires complete security awareness training, with annual refresher courses for all staff.
  • Policies and Contracts: Employees and contractors adhere to confidentiality clauses and relevant security policies.

Access Control

  • Principle of Least Privilege: Access is granted on a need-to-know basis.
  • Account Security: All individuals have unique usernames, and password policies enforce complexity in line with NIST standards.
  • Multifactor Authentication (MFA): MFA and Google Single Sign-On are required for system access.

Endpoint Security

  • Device Management: Laptops are centrally managed with enforced security policies, administrative restrictions, and tamper-protected anti-malware tools.
  • Automatic Locking: Devices lock after 15 minutes of inactivity.

Remote Access

  • VPN Security: Remote access to production systems requires VPN with MFA and role-based access controls.
  • Environment Separation: Separate paths exist for production support and development activities.

Network Security

  • Production Network Protection: Virtual firewalls and GCP security groups ensure traffic is restricted to the minimum necessary.
  • Logging: Administrative activities and access to customer data are centrally logged for traceability.

Vulnerability Management and Penetration Testing

  • Regular Scanning: External systems are scanned monthly for vulnerabilities, while internal scanning is continuous through GCP tools.
  • Third-Party Testing: Annual independent penetration tests are conducted on production systems.

Secure Development

  • Development Lifecycle: The Secure Development Lifecycle (SDLC) incorporates automated static application security testing and dependency analysis (via Dependabot).
  • Training and Reviews: Developers complete annual secure development training. All code changes undergo peer review and quality assurance testing.

Encryption at Rest and in Transit

  • Data Encryption: All data at rest is encrypted using AES 256-bit standards. Communication between systems employs TLS v1.2 or higher.
  • Full Disk Encryption: Employee laptops have enforced full-disk encryption.

Backups

  • Redundancy: Production data is backed up with GCP’s cross-region replication capabilities.
  • Testing: Business continuity and disaster recovery plans are tested annually.

Data Retention Policy

  • Retention: Customer data remains in production systems only for as long as it is required. When data is disposed of, secure deletion processes are followed, as governed by our Data Retention Policy.

Third-Party Security Risk Management

  • Vendor Assessment: Third-party vendors are evaluated based on risk, data sharing, and system integration before engagement.
  • Ongoing Reviews: Regular assessments ensure third-party security controls remain effective.