Security document
Last updated:
3 Oct 2025
# Solace AB Security White Paper

Solace’s approach to security ensures that all information stored and processed by the platform is protected through robust technical, organisational, and procedural safeguards.

## Introduction

This white paper outlines the security measures implemented by Solace to protect user data and ensure the integrity of our systems. In an increasingly interconnected world, the importance of strong security cannot be overstated. Solace is committed to providing a secure environment for all our users.

The nature of the data that Solace handles on behalf of its customers requires that security is a core part of the approach to building, scaling, and managing the service. Security is a top priority within the company. The Chief Technical Officer and Chief Executive Officer oversee all security-related initiatives and development. Our executive management team, supported by the board of directors, approves information security policies and standards. We audit our security controls annually according to the ISO 27001 standard.

The purpose of this document is to outline how Solace ensures the safety and security of your data at all times.

## Table of contents

* People security
* Product security
* Infrastructure and network security
* Use of Artificial Intelligence
* Security compliance

## People security

Security is a key part of the culture at Solace. Our employees and consultants (collectively referred to as “employees”) are provided with clear and continuously updated procedures and policies, developed and maintained to inform them about expectations and to give them guidelines on how to act with regard to information security. All employees are required to sign a confidentiality agreement as part of their employment contract with Solace.

### Background checks

Before anyone joins the company, Solace conducts background checks.
The depth of these checks varies depending on the position the individual is taking. Background checks generally include verifying an individual’s education, previous employment, and references, as well as a check with a credit reference agency.

### Employee Code of Business Conduct

The Solace Code of Business Conduct and Ethics outlines what is expected of everybody at Solace. All employees agree to a set of principles that are adhered to, and are asked to respectfully challenge each other when this may not be the case. Employees agree to the Code of Business Conduct and Ethics as part of their onboarding, and whenever there is a change to it.

### Equipment and information usage

The Solace Acceptable Use Policy applies to all employees who use Solace’s IT resources and information. It provides guidelines for handling information and instructions on how to use our IT resources. Employees must sign a written confirmation that they have read and understood the policy before being granted physical or logical access to Solace’s IT resources.

### Security awareness training

All employees participate in our security awareness training program on a regular basis to ensure awareness of the latest security threats and ways to mitigate the risks. Managers receive participation statistics and are expected to facilitate discussion and follow-up. Each person who processes personal data undertakes additional annual training on the applicable privacy regulations.

### Access control management

Access to operational applications, platforms and data is limited according to an employee’s role. Solace operates a general rule of least privilege, meaning that employees only receive the access they need to perform their role, and nothing more. Multi-factor authentication (MFA) is mandated for all internal and administrative access to ensure a consistent security level and high data quality, improve visibility, and reduce complexity for employees.
Employee passwords must follow the complexity rules and be at least 8 characters long. Account activities, such as sign-in attempts, password changes and permission changes, are logged and analysed.

### Access reviews

Manual access reviews are done at least quarterly, where access levels are reviewed and approved by designated system owners. Access is revoked immediately in cases where it is no longer appropriate for the employee’s role.

### Incident response plan

Solace’s incident response plan defines how Solace responds to events that threaten the security or privacy of confidential information, ensuring that incidents are properly identified, contained, investigated, and remedied.

### Supplier management

All new suppliers must pass a vendor risk assessment before Solace will commence service with them. Critical suppliers are reviewed and risk-assessed annually to ensure that they still meet the security and performance requirements outlined by Solace.

## Product security

Security is our top priority when developing and delivering our products and services. Below you can find additional information regarding our product security.

### Encryption in transit

Solace only uses industry-standard algorithms and secure key management practices that adhere to NIST recommendations. All sensitive data transferred in or out of the application and between system components/servers is encrypted during transmission with TLS 1.2 or higher.

### Data storage

Solace’s main datastores are operated and maintained by AWS. All customer data is encrypted at rest with AES-256 block-level encryption. Solace conducts automated backups on a defined schedule across all environments. Backups are managed using features provided by our hosting provider and cover all critical servers and systems. Backup data is stored in secure, access-controlled storage to prevent unauthorised access or damage from environmental threats.
Restore tests are done annually to ensure that data can be restored efficiently and reliably. All files uploaded by users are automatically scanned by our integrated antivirus system for protection against malware. Customer data from production environments is never used in test environments.

### Access to customer data

Four different groups have access to Solace customers’ data:

1. **Users**

   Users of the service have access only to the data they themselves have submitted into the system.

2. **Loved Ones**

   With the explicit consent of the user, nominated loved ones may be granted access to certain parts of the user’s data. Access is limited to what the user decides to share and can be withdrawn at any time.

3. **Solace Staff**

   A limited number of authorised Solace personnel may access customer data. Such access is strictly role-based and logged. Solace staff will only view or process user data if necessary to:

   * provide technical or customer support,
   * ensure the secure functioning of the platform, or
   * comply with legal or contractual obligations.

   All access follows the principles of data minimisation and need-to-know under GDPR (Art. 5(1)(c)).

4. **Partners**

   Insurance companies and other contractual partners do not have direct access to identifiable user data. Instead, they may receive aggregated, pseudonymised, or anonymised data for purposes such as:

   * reporting service usage trends,
   * validating contractual performance, or
   * enabling product/package integration.

   In cases where partners provide specific services (e.g., legal, financial, or practical support), access is limited to the minimum data necessary for delivering that service, always based on a lawful basis such as consent or contractual necessity under GDPR (Art. 6).

### Customer user account management

Customer user accounts are managed individually by Solace’s users, who are restricted to viewing and controlling only their own data.
Authentication is available through email and password login or via social login options such as Google and Apple ID. Passwords must be at least eight (8) characters long and must not appear in any known major security breach database. Successful and failed login attempts are logged and analysed for malicious behaviour. Security and privacy controls related to customer access are regularly tested and verified through penetration testing and vulnerability scanning.

### Change management

Solace has a documented Change Management process which governs changes to infrastructure, data, and software development. From design to deployment, security considerations are paramount, ensuring that vulnerabilities are identified and addressed early in the development process. Solace follows secure coding practices and conducts regular security audits of our applications. We adhere to industry best practices for application development, including the OWASP Top 10 guidelines.

Our development practices are characterised by a small, experienced product team with a high degree of autonomy and responsibility. To balance security, progress, quality, and creativity, Solace implements several controls. Risk is mitigated and efficiency improved through small changes, feature flags, and frequent deployments (multiple times per week). The engineering team is responsible for identifying, assessing, and mitigating security and privacy risks.

All code is version controlled, and changes are made in feature branches and merged through pull requests. Pull requests must pass unit tests, code linters, LLM code analysis, and dependency vulnerability checks, and require approval from two different developers. Development and production environments are fully isolated and do not share data. Information from production environments may not be copied into the development and testing environments. Procedures to roll back deployed changes exist and are regularly verified.

### Penetration testing

Solace conducts regular external penetration tests to identify vulnerabilities in its systems and network security. Any vulnerabilities or weaknesses discovered during the tests are addressed and remediated within an appropriate time frame. The objective of these tests is to ensure that our systems and network are secure and that our customer data is protected from potential threats.

## Infrastructure and network security

### Data centers

Solace currently hosts production environment instances in the EU Region (AWS Frankfurt). Solace may utilise additional geographically distributed data centers within the EU region to ensure service continuity. In the event of disruption or outage, workloads can be securely transferred to alternative EU-based facilities, maintaining high availability, resilience, and compliance with GDPR and other applicable data protection regulations. Each Region operates discretely, and no customer or account data is transferred between Regions.

### Physical security

Solace leverages Amazon Web Services (AWS) data centers for the infrastructure used to host our production servers and services. AWS has robust physical security measures in place, such as fire detection and suppression, multiple resilient power sources, and strict access control policies. For more information on AWS data centre physical security, see the AWS Security Whitepaper: [https://aws.amazon.com/compliance/data-center/controls/](https://aws.amazon.com/compliance/data-center/controls/)

### Monitoring and alerting

The Solace platform, services and third parties involved in the delivery of our services are monitored constantly. Solace has a robust and well-documented incident response plan in place. The plan includes procedures for detection, containment, eradication, recovery, and post-incident analysis. This is supported by the IT Continuity plan, to ensure consistent delivery of service.

## Use of Artificial Intelligence

Solace applies a responsible AI framework to ensure that the use of artificial intelligence is secure, transparent, and aligned with European regulatory requirements, including the EU AI Act and the General Data Protection Regulation (GDPR).

### Ethical AI Principles

* **Human-centric design:** AI tools are used to support human decision-making. End-users remain in control of their information and choices.
* **Transparency:** We inform customers and partners when and how AI is used in our services and provide explanations of outputs when appropriate.
* **Fairness and non-discrimination:** We regularly test our AI models to identify and mitigate potential biases that could lead to unfair treatment of users.
* **Accountability:** Responsibility for AI outcomes remains with Solace, not with the automated system itself. AI usage is logged and subject to audit.

### Minimization of Data Transfers to the U.S.

Solace uses globally recognised large language models (LLMs) provided by U.S.-based corporations (e.g., OpenAI, Google). To comply with GDPR and the EU AI Act, we implement strict safeguards to minimise and control international data transfers:

* **EU-based processing by default:** All personal and sensitive data is processed and stored within the EU (AWS Frankfurt region). For U.S.-based third-party providers (e.g., OpenAI, Google), Solace uses EU-hosted instances so that data is stored within the EU.
* **Data minimisation techniques:** Before data is sent to any external LLM provider, Solace applies data redaction, tokenization, and pseudonymisation to ensure that no directly identifiable personal data is transferred.
* **No training on customer data:** Customer inputs and outputs are not used by LLM providers for training their models. Solace can use pseudonymised user data to fine-tune models to improve the accuracy of the outcomes.
  Solace enforces strict API settings and contractual Data Processing Agreements (DPAs) with relevant parties.
* **Transfer impact assessments (TIA):** In line with the Schrems II ruling and EU Commission guidance, Solace AB conducts TIAs and implements Standard Contractual Clauses (SCCs) to ensure adequate protection of any data that may transit outside the EU.
* **Encryption:** Any communication with LLM APIs is encrypted in transit (TLS 1.2+), and responses are validated before being stored in EU-based infrastructure.

### Compliance with the EU AI Act

Solace classifies its AI systems in accordance with the risk-based categories defined in the EU AI Act. Our use of LLMs is considered limited-risk AI, since outputs are informational and subject to user verification. We maintain detailed records of AI usage, data flows, and model interactions to ensure ongoing compliance and transparency. Human oversight is embedded into AI-supported features, ensuring that no consequential decisions (legal, financial, or clinical) are made without human review and approval.

## Security Compliance

### Regulatory environment

Solace complies with applicable legal, industry, and regulatory requirements as well as industry best practices. Geographically discrete production instances allow our customers to use our services and stay compliant with regional regulations.

### Infrastructure provider

Solace’s service is hosted in Amazon Web Services (AWS) data centres, which are highly scalable, secure, and reliable. AWS complies with leading security standards and frameworks, including SSAE 16, the SOC framework, ISO 27001 and PCI DSS. We collaborate actively with AWS to identify the latest possibilities to enhance our technical infrastructure.

### Data retention

Data retention for customer data stored in the Solace application is controlled by the Customer. Upon termination of a customer relationship, the customer may request Solace to return its data before deletion.
If an account remains inactive for three (3) consecutive years, the account and related personal data will be automatically erased. However, certain personal data may be retained for a minimum of seven (7) years, or longer where required, to comply with applicable legal, regulatory, and contractual obligations. All retention and destruction of data is carried out securely and in accordance with Solace’s Record Retention Policy.

### Compliance and Certifications

Solace is committed to meeting all relevant industry regulations and best practices and to achieving recognised security certifications, reflecting our dedication to the highest security standards. We are currently in the process of obtaining ISO 27001:2022 certification. Our security controls will be audited annually to ensure ongoing compliance with the ISO 27001:2022 standard. By the end of 2025, copies of our latest Statement of Applicability (SoA) report and certification records will be available upon request. We aim to launch a public Trust Center where the most relevant compliance documents and policies can be reviewed by our users and partners.

### Data protection and privacy

When using the Solace application, personal data will be processed on users’ behalf. Solace will only use personal data relating to users to provide the service according to the instructions set out in the Data Processing Agreements between Solace and our customers. We don’t sell our users’ personal data, and we don’t share it with other companies without consent.

## Conclusion

Solace is dedicated to providing a secure and reliable platform for our users and partners. Our commitment to robust security measures, continuous monitoring, and adherence to industry best practices ensures that your data is protected. For any security-related inquiries, please contact <privacy@solace.care>