Standards Compliance

To request access to any of the security documentation via our share vault, please
consult with your account team or contact us today to discuss your requirements

Solace has successfully completed its Service Organization Control (SOC) 2 Type 2 audit, which affirms Solace’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security, including controls across Solace PubSub+ Cloud and its Human Resources, Legal, IT, and Cybersecurity.

Contact us for our AICPA SOC 2 Type 2 SSAE (audit) Report

CSA logo

Solace has completed the Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) v3.1., which offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency.

Contact us for our Cloud Security Alliance Consensus Assessments Initiative Questionnaire

Logo BSI

Solace has achieved ISO/IEC 27001:2022 certification – a significant achievement that demonstrates its longstanding to commitment to securing its own sensitive information and that of its customers.

Contact us for our ISO 27001:2022 Statement of Applicability (SoA)

HIPAA logo

PubSub+ Cloud Platform meets the requirements for executing a Business Associate Agreement (BAA) as required to meet HIPAA compliance for engaging with subcontractors and service providers.

Contact us for a HIPAA Business Associate Agreement

Solace Information Security Policy

Solace Security Documentation is stored in a secure document repository and made available to customers who require it for their security processes. Contact us for access.

  • BCMS-01 Business Continuity Strategy
  • BCMS-02 Business Continuity Policy
  • ISMS-01-A Information Security Policy
  • ISMS-03 Cryptography Policy
  • ISMS-04 Risk Management
  • ISMS-05 Change Management Procedure
  • ISMS-07 Supplier Management
  • ISMS-08 Physical and Environmental Security Policy
  • ISMS-09 Access Control Policy
  • ISMS-10 Incident Management Procedure
  • PIMS-01 Data Privacy Policy
  • Solace Cloud Penetration Test Certificate
  • Solace Network Penetration Test Certificate
  • Data exchange specification – PubSub+ Home Cloud site and PubSub+ Cloud regions

GDPR

Solace values the privacy and security of all of our customers’ data. Specifically for EU-based customers, Solace PubSub+ Cloud complies with the General Data Protection Regulation (GDPR), which mandates that Solace protects the personal data and privacy of EU subjects. This means personal data will not be used for purposes other than what it was collected for, without explicit customer approval.

Product Security – All products

Operational Procedures

Solace has implemented robust and comprehensive operational security procedures to ensure access to Solace PubSub+ Cloud environments is restricted to authorized users, including:

  • Laptops and computers secured with encrypted storage (FileVault).
  • Access to production environments restricted to Ops engineers.
  • All access is logged and tracked.
  • Malware and anti-virus applications are installed wherever required.
  • Customer message data is never accessed by PubSub+ Cloud or its employees.

Product Security – Cloud Services

Data In Transit

Solace PubSub+ Cloud protects your message data against eavesdropping by unauthorized users.

  • Solace PubSub+ Cloud messaging services support Transport Layer Security using Secure Sockets Layer (TLS/SSL), allowing applications to encrypt their data in transit to and from PubSub+ Cloud.
  • Certificates are updated in the event of a security advisory and on a regular basis.

For highly sensitive data, Solace also recommends customers encrypt the message payload.

Data At Rest

Solace PubSub+ Cloud ensures any messaging data stored within the service is protected by encryption at rest.

  • Solace PubSub+ Cloud uses cloud-native services such as AWS Key Management Service (KMS) to adhere to data at rest best practices: the entire disk upon which customer data resides is encrypted.
  • At-rest encryption is always enabled and is not optional.
  • Message data is stored in the same cloud region in which the service is provisioned.

Customer Data Protection

Your user account details are secured using the most advanced processes, including:

  • Password salting.
  • Revocable API keys to control, manage and audit application access to PubSub+ Cloud.
  • All personal data is encrypted and pseudonymised.

Solace PubSub+ Cloud stores customer data in AWS in the US East North Virginia region (us-east-1).

VPC Isolation

The ability to create virtual private clouds (VPCs) with separate security, subnets, and isolated network groups for staging, production and development is an application security best practice and is supported by Solace PubSub+ Cloud.

System Security

Solace PubSub+ Cloud is delivered using multiple software components and physical locations. Ensuring the security of this entire system includes:

  • DevOps standards
    • Security is covered in every step of the DevOps process, starting with feature definition, architecture and system design, software design and development, QA, and all way to deployment.
    • A security and compliance section is included in both Epics and Stories.
  • Coding standards / black duck-type checking, such as
    • OWASP top 10
    • CWE/SANS top 25
  • Vulnerability scanning conducted on a regular basis and upon changes to the system.
  • Data centers that host physical infrastructure are reviewed to ensure they provide the utmost in data security and protection, including 24/7 monitoring, limiting physical access to facilities to select cloud staff, and recurring assessments to certify compliance with industry standards.

Security Updates and Patching

It’s critical that all upgrades, service packs, hot fixes and security patches are updated on all Solace PubSub+ Cloud components to ensure they have the latest and most-secure code base. To that end:

  • Solace PubSub+ Cloud applies patches to your messaging services during scheduled service upgrade windows so that they are always up to date.
  • Solace PubSub+ Cloud uses a maintenance window to patch its management console, internal services, and any third-party services.
  • White Source Software vulnerability scans for any open-source source code within Solace PubSub+ Cloud components.