Solara Health Information Security

Updated: May 2025


  1. Introduction
    Security is a top priority for Solara Health. We have developed a comprehensive security program, guided by a formal, documented Information Security Management System (ISMS). This program includes policies, standards, and procedures designed to protect Solara Health’s data, customer information, and production systems.


  2. External Security Attestations, Governance, and Compliance
    • Certifications: Solara Health is finalizing SOC 2 Type 1 certification and is on track for SOC 2 Type 2 certification in June 2025. Independent, third-party audits will be conducted annually.
    • Governance: A dedicated security committee meets weekly to oversee security initiatives, including vulnerability management and infrastructure improvements.
    • Continuous Improvement: Solara Health partners with a virtual Chief Information Security Officer (vCISO) to enhance its security posture continuously.


  3. Data Hosting
    • Hosting Environment: Solara Health’s systems are hosted within Google Cloud Platform (GCP) secure data centers, certified under ISO 27001, SOC 1 & 2, PCI DSS Level 1, and other standards.
    • Security Tools: We utilize GCP’s Security Command Center and Cloudflare to monitor, alert, and protect against malicious activities.


  4. Human Resources and Awareness
    • Background Checks: All employees undergo pre-employment background checks.
    • Security Training: New hires complete security awareness training, with annual refresher courses for all staff.
    • Policies and Contracts: Employees and contractors adhere to confidentiality clauses and relevant security policies.


  5. Access Control
    • Principle of Least Privilege: Access is granted on a need-to-know basis.
    • Account Security: All individuals have unique usernames, and password policies enforce complexity in line with NIST standards.
    • Multifactor Authentication (MFA): MFA and Google Single Sign-On are required for system access.


  6. Endpoint Security
    • Device Management: Laptops are centrally managed with enforced security policies, administrative restrictions, and tamper-protected anti-malware tools.
    • Automatic Locking: Devices lock after 15 minutes of inactivity.


  7. Remote Access
    • VPN Security: Remote access to production systems requires VPN with MFA and role-based access controls.
    • Environment Separation: Separate paths exist for production support and development activities.


  8. Network Security
    • Production Network Protection: Virtual firewalls and GCP security groups ensure traffic is restricted to the minimum necessary.
    • Logging: Administrative activities and access to customer data are centrally logged for traceability.


  9. Vulnerability Management and Penetration Testing
    • Regular Scanning: External systems are scanned monthly for vulnerabilities, while internal scanning is continuous through GCP tools.
    • Third-Party Testing: Annual independent penetration tests are conducted on production systems.


  10. Secure Development
    • Development Lifecycle: The Secure Development Lifecycle (SDLC) incorporates automated static application security testing and dependency analysis (via Dependabot).
    • Training and Reviews: Developers complete annual secure development training. All code changes undergo peer review and quality assurance testing.


  11. Encryption at Rest and in Transit
    • Data Encryption: All data at rest is encrypted using AES-256. Communication between systems uses TLS v1.2 or higher.
    • Full Disk Encryption: Employee laptops have enforced full-disk encryption.


  12. Backups
    • Redundancy: Production data is backed up with GCP’s cross-region replication capabilities.
    • Testing: Business continuity and disaster recovery plans are tested annually.


  13. Data Retention Policy
    • Retention: Customer data remains in production systems as long as required. Secure deletion processes are followed for data disposal, governed by our Data Retention Policy.


  14. Third-Party Security Risk Management
    • Vendor Assessment: Third-party vendors are evaluated based on risk, data sharing, and system integration before engagement.
    • Ongoing Reviews: Regular assessments ensure third-party security controls remain effective.