Solvvy Security

Last Updated: October 23, 2020

At Solvvy, we enforce a range of controls to follow compliance best practices and to protect our customers' data. While we protect your data and ensure its privacy, we also understand the importance of supplying a top-performing application that is always available. Our security infrastructure is a well-layered protection system: it includes team policies and procedures and incorporates continuous monitoring and automation built into our software development cycle. We hold ourselves to high security standards, and that commitment extends to our partners and to trained third-party security professionals who provide guidance, ensure compliance, and validate security across all areas of the organization.

Data Center and Network Security Protocols

To keep your data safe, the Solvvy platform runs on Google Cloud in its fully certified data centers, which apply security controls and system checks. Our application runs on Google Kubernetes Engine (GKE), and Google Cloud Platform maintains its uptime and security.

Software Development Security Protocols

At Solvvy we conduct regular reviews, third-party penetration testing, and monitoring. This ensures the security of the Solvvy platform at the code level and throughout the software development lifecycle. Our software development lifecycle follows ISO 27001 standards to ensure quality and security.

Platform Security Features

We ensure that our customers have complete control over their Solvvy platform instance, allowing only authorized users to access and manage user permissions within the app.

Internal Operations Security Controls

At Solvvy, all of our employees go through comprehensive background checks and security training to mitigate social engineering threats and to improve employee security awareness.

Compliance and Certifications

To meet its compliance obligations, Solvvy maintains a comprehensive set of IT controls that are regularly audited by independent firms.

Data Center and Network Security Protocols

  • Protection: Our network is protected through the use and integration of key Google Cloud security services that monitor and block malicious traffic and network attacks. We regularly monitor and log our network traffic in order to recognize external attackers and unusual activity. Regular third-party audits and penetration tests verify the effectiveness of our data center and network security protection.
  • Hosting: The Solvvy platform is fully hosted within Google Cloud data centers, which offer a comprehensive set of security capabilities, are ISO 27001 and PCI DSS Service Provider Level 1 certified, and maintain SOC 2 compliance. We review the security of our hosting providers and all sub-processors at least once annually.
  • Architecture: Our network infrastructure is separated into development, staging, and production environments. These environments are completely isolated from each other, and the credentials used for each environment are unique.
  • Virtual Private Cloud (VPC): All services are hosted within a VPC, exposing only the limited host/port mappings required for public access. Internal access to our databases and servers is restricted to authorized personnel with VPN access only. In addition, we use context-aware access to ensure that devices with weak security controls cannot access customer data.
  • Firewall: The Solvvy platform's external endpoints are each protected by a Google Cloud Web Application Firewall, which protects the platform from common web exploits that could affect availability and security. A third-party penetration test validates the controls of our network firewall rules.
  • Monitoring: All production network systems and networked devices are constantly monitored by Solvvy's monitoring systems. Physical security, power, and internet connectivity are monitored by Google Cloud. Service tickets are created for alerts raised by our monitoring systems to ensure they are remediated by one of our on-call engineers.
  • Intrusion Detection and Protection: Service ingress and egress points are instrumented and monitored to detect anomalous behavior. Monitored 24/7, these systems are configured to generate alerts when incidents occur or values exceed predetermined thresholds, and they use regularly updated signatures based on new threats. A third-party auditor reviews these controls once annually over a six-month period.
  • Penetration Tests: Solvvy partners with third-party vendors to conduct frequent penetration tests against Solvvy's network, systems, services, and employees.
  • Network Vulnerability Scanning: Solvvy regularly conducts network scanning to quickly identify out-of-compliance or potentially vulnerable systems. Our production networks and systems are monitored 24/7 by a third-party vendor for compliance.
  • Encryption in Transit: To protect data in transit, we use encryption protocols such as Transport Layer Security (TLS) to protect the transport of data everywhere. This ensures that if hosts are compromised, attackers cannot glean information by eavesdropping on network communications. We use certificates to protect communications from interception and misuse, and we automate certificate expiration and renewal to ensure proper key rotation.
  • Encryption at Rest: All data, including backup data, is stored encrypted at the volume, disk, or data store level.

Software Development Security Protocols

  • Quality Assurance (QA): At Solvvy we have dedicated application security engineers who identify, test, and triage security vulnerabilities in the Solvvy platform code. The QA department reviews and tests the code base to ensure its security and stability.
  • Penetration Testing: In addition to our extensive internal scanning and testing program, Solvvy employs a third-party security consultancy to conduct biannual penetration tests on our core web application.
  • Vulnerability Scanning: We employ a third-party security consultancy to continuously scan our core applications against the Open Web Application Security Project (OWASP) Top 10 security risks. Our dedicated product security team tests and works with our engineering teams to remediate any discovered issues.
  • Responsible Disclosure Bug Bounty Program: Our Responsible Disclosure Program gives security researchers an avenue for safely testing and notifying Solvvy of security vulnerabilities.
  • Separate Environments: Testing and staging environments are logically separated from the production environment. No client data is used in the development or test environments.

Platform Security Features

  • Secure Credential Storage: Solvvy uses GCP resources to store and encrypt sensitive data. All GCP resources are encrypted at rest by default using Google-managed keys. For specific services, encryption can also be configured to use customer-managed encryption keys in Cloud KMS or customer-supplied encryption keys. GCP server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256) or 128-bit Advanced Encryption Standard (AES-128).
  • Password Policy: Our agents and internal accounts with access to customer data require complex credentials and second-factor authentication. Virtual Private Network (VPN) clients are required to view any customer or end-user PII.
  • Transmission Security: All communications with Solvvy's UI and APIs are encrypted using TLS encryption protocols.

Internal Operations Security Controls

  • Security Training: Solvvy has a third-party security consultancy that provides all employees with security awareness training on their first day, prior to being given network access. Additionally, employee security training is conducted on a biannual basis and includes secure code training covering the OWASP Top 10 security risks, common attack vectors, security controls, and HIPAA compliance.
  • Information Security Policies: All Solvvy employees must read and acknowledge the information security policies on their first day, prior to being given network access. Solvvy information security policies are reviewed and updated on a biannual basis.
  • Security Incident Response: Solvvy has a documented incident response plan for all urgent issues that impact the production system. Additionally, Solvvy has a 24/7 Security Incident Response Team (SIRT) that specializes in handling security incidents properly within the organization, from containment to notification of impacted users within a specific timeframe.
  • Endpoint Monitoring: Through a customized set of security monitoring solutions, all Solvvy employee endpoints are monitored 24/7 by our security team for any malicious activity.
  • Office Security: We comply with SOC 2 requirements by implementing guest management and physical access controls within our offices. We have logging and recording in place to meet the requirements set by the AICPA. We also use systems that log and monitor access to our facilities. Every employee is required to badge in to gain access to our offices.

Compliance and Certifications

  • SOC 2: Solvvy has achieved SOC 2 Type II compliance with zero exceptions in accordance with the AICPA Trust Service Principles and Criteria for System and Organization Control. Our complete SOC 2 Type II audit report is available to customers and prospects under NDA by emailing infosec@Solvvy.com.
  • EU-US and Swiss-US Privacy Shield: TrustArc has reviewed and certified that our policies and procedures comply with EU-US and Swiss-US Privacy Shield requirements, and our certifications can be viewed on the Privacy Shield list.
  • GDPR: TrustArc has approved our EU-US and Swiss-US Privacy Shield certifications, including our compliance with GDPR regulations.
  • HIPAA: Solvvy helps customers fulfill their HIPAA obligations by providing covered entities and business associates with appropriate security configuration options to safeguard protected health information (PHI). Our Business Associate Agreement (BAA) is available to customers upon request, in alignment with HIPAA standards.
  • ISO 27001: Solvvy is currently undergoing an ISO 27001 audit to ensure that our Information Security Management System (ISMS) follows ISO 27001 guidance.
  • Solvvy Privacy Policy: Review the Solvvy privacy policy here.

What if I have questions about this policy or my Personal Data?

If you have any questions or concerns regarding our privacy policies, please send a detailed message to privacy@solvvy.com, and we will try to resolve your concerns.

Solvvy, Inc.
1510 Fashion Island Blvd, San Mateo, CA, 94404, United States