EN CN FR DE JP KO ES
Search

Standards Compliance

To request access to any of the security documentation via our share vault, please
consult with your account team or contact us today to discuss your requirements

Solace has successfully completed its Service Organization Control (SOC) 2 Type 2 audit, which affirms Solace’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security, including controls across Solace Cloud and its Human Resources, Legal, IT, and Cybersecurity.

Contact us for our AICPA SOC 2 Type 2 SSAE (audit) Report.

CSA logo

Solace has completed the Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) v3.1., which offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency.

Contact us for our Cloud Security Alliance Consensus Assessments Initiative Questionnaire.

Solace’s ISO 27001:2022 Certificate of Registration

Solace has achieved ISO/IEC 27001:2022 certification – a significant achievement that demonstrates its longstanding to commitment to securing its own sensitive information and that of its customers.

Contact us for our ISO 27001:2022 Statement of Applicability (SoA).

HIPAA logo

Solace Cloud Platform meets the requirements for executing a Business Associate Agreement (BAA) as required to meet HIPAA compliance for engaging with subcontractors and service providers.

Contact us for a HIPAA Business Associate Agreement.

MVSP logo

Solace has successfully completed the Minimum Viable Secure Product (MVSP) evaluation. This achievement underscores our commitment to maintaining the highest security standards, ensuring that our products meet rigorous industry security benchmarks.

Contact us for our MSVP report.

Solace Information Security Policy

Solace Security Documentation is stored in a secure document repository and made available to customers who require it for their security processes. Contact us for access.

  • BCMS-01 Business Continuity Strategy
  • BCMS-02 Business Continuity Policy
  • ISMS-01-A Information Security Policy
  • ISMS-03 Cryptography Policy
  • ISMS-04 Risk Management
  • ISMS-05 Change Management Procedure
  • ISMS-07 Supplier Management
  • ISMS-08 Physical and Environmental Security Policy
  • ISMS-09 Access Control Policy
  • ISMS-10 Incident Management Procedure
  • PIMS-01 Data Privacy Policy
  • Solace Cloud Penetration Test Certificate
  • Solace Network Penetration Test Certificate
  • Data exchange specification – Solace Home Cloud site and Solace Cloud regions

GDPR

Solace values the privacy and security of all of our customers’ data. Specifically for EU-based customers, Solace Cloud complies with the General Data Protection Regulation (GDPR), which mandates that Solace protects the personal data and privacy of EU subjects. This means personal data will not be used for purposes other than what it was collected for, without explicit customer approval.

To request access to any of the security documentation via our share vault,
please consult with your account team or contact us today to discuss your requirements.

Contact Us

Product Security – All products

Operational Procedures

Solace has implemented robust and comprehensive operational security procedures to ensure access to Solace Cloud environments is restricted to authorized users, including:

  • Laptops and computers secured with encrypted storage (FileVault).
  • Access to production environments restricted to Ops engineers.
  • All access is logged and tracked.
  • Malware and anti-virus applications are installed wherever required.
  • Customer message data is never accessed by Solace or its employees.

Product Security – Cloud Services

Data In Transit

Solace Cloud protects your message data against eavesdropping by unauthorized users.

  • Solace Cloud messaging services support Transport Layer Security using Secure Sockets Layer (TLS/SSL), allowing applications to encrypt their data in transit to and from Solace Cloud.
  • Certificates are updated in the event of a security advisory and on a regular basis.

For highly sensitive data, Solace also recommends customers encrypt the message payload.

Data At Rest

Solace Cloud ensures any messaging data stored within the service is protected by encryption at rest.

  • Solace Cloud uses cloud-native services such as AWS Key Management Service (KMS) to adhere to data at rest best practices: the entire disk upon which customer data resides is encrypted.
  • At-rest encryption is always enabled and is not optional.
  • Message data is stored in the same cloud region in which the service is provisioned.

Customer Data Protection

Your user account details are secured using the most advanced processes, including:

  • Password salting.
  • Revocable API keys to control, manage and audit application access to Solace Cloud.
  • All personal data is encrypted and pseudonymised.

Solace Cloud stores customer data in AWS in the US East North Virginia region (us-east-1).

VPC Isolation

The ability to create virtual private clouds (VPCs) with separate security, subnets, and isolated network groups for staging, production and development is an application security best practice and is supported by Solace Cloud.

System Security

Solace Cloud is delivered using multiple software components and physical locations. Ensuring the security of this entire system includes:

  • DevOps standards
    • Security is covered in every step of the DevOps process, starting with feature definition, architecture and system design, software design and development, QA, and all way to deployment.
    • A security and compliance section is included in both Epics and Stories.
  • Coding standards / black duck-type checking, such as
    • OWASP top 10
    • CWE/SANS top 25
  • Vulnerability scanning conducted on a regular basis and upon changes to the system.
  • Data centers that host physical infrastructure are reviewed to ensure they provide the utmost in data security and protection, including 24/7 monitoring, limiting physical access to facilities to select cloud staff, and recurring assessments to certify compliance with industry standards.

Security Updates and Patching

It’s critical that all upgrades, service packs, hot fixes and security patches are updated on all Solace Cloud components to ensure they have the latest and most-secure code base. To that end:

  • Solace Cloud applies patches to your messaging services during scheduled service upgrade windows so that they are always up to date.
  • Solace Cloud uses a maintenance window to patch its management console, internal services, and any third-party services.
  • White Source Software vulnerability scans for any open-source source code within Solace Cloud components.

Product Security – Solace Event Broker

Security Updates and Patching

Solace follows industry standard practice to monitor, test, and remedy vulnerabilities for the Solace Platform family of products. Critical and high-level vulnerabilities are addressed in a release within 30 days of availability of an industry-accepted remedy. Other vulnerabilities will be fixed in all subsequent Production releases. Solace publishes critical vulnerability notifications, which are posted on the Security Vulnerability page.

Related Content

Security Overview

For technical documentation about Solace security features

Read more

Privacy and Legal

For privacy documentation related to doing business with Solace

Learn more

Security in Solace Cloud

For information on cloud security including architecture and data exhanged for operations

Read more