Compliance

SOC 2 Type II certified.

Solar1 is SOC 2 Type II certified, covering security, availability, and confidentiality. An independent CPA firm audited our controls over a 12-month observation period. The report is available to enterprise customers under NDA.

Scope

Trust service criteria covered by the Solar1 SOC 2 audit.

Security (CC)

Certified

The system is protected against unauthorized access, use, or modification. Covers logical and physical access controls, change management, and risk management.

Key controls

  • Role-based access control with least-privilege enforcement
  • Multi-factor authentication for all production access
  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Continuous vulnerability monitoring and annual penetration testing
  • Security incident detection, response, and notification procedures

Availability (A)

Certified

The system is available for operation and use as committed or agreed. Covers uptime monitoring, disaster recovery, and capacity planning.

Key controls

  • 99.9% monthly uptime commitment with SLA
  • Multi-region AWS infrastructure with automatic failover
  • Daily data backups retained for 90 days
  • 4-hour recovery time objective (RTO)
  • Continuous infrastructure monitoring with automated alerting

Confidentiality (C)

Certified

Information designated as confidential is protected as committed or agreed. Covers data classification, access restrictions, and confidentiality obligations.

Key controls

  • Customer data treated as confidential by policy and contract
  • Internal access to customer data restricted and logged
  • Vendor contracts include confidentiality obligations
  • Data retention and disposal procedures enforced
  • Employee confidentiality agreements signed at hire

Audit type: SOC 2 Type II

Observation period: Jan 2024 – Dec 2024

Auditor: Independent AICPA-accredited CPA firm

Audit frequency: Annual

Report availability: Under NDA to enterprise customers

Questionnaire support: SIG Lite, CAIQ, VSAQ, custom

Common questions

SOC 2 — answered directly.

What is SOC 2 Type II?

SOC 2 (System and Organization Controls 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SOC 2 Type II report evaluates whether an organization's security controls are designed correctly (the question a Type I report answers) and whether they operated effectively over a period of time, typically 6–12 months. It is the industry standard for demonstrating security posture to enterprise customers.

Which trust service criteria does Solar1's SOC 2 cover?

Solar1's SOC 2 Type II report covers three trust service criteria: Security (required, also called Common Criteria), Availability, and Confidentiality. These are the most relevant criteria for an operational SaaS platform handling financial and employee data.

How do I request the Solar1 SOC 2 report?

Solar1's SOC 2 Type II report is available to enterprise customers and qualified prospects under a mutual NDA. Contact security@solar1erp.com with your organization name and the context of your request. We typically respond within 1 business day.

When was Solar1's last SOC 2 audit?

Solar1 undergoes annual SOC 2 Type II audits conducted by an independent, AICPA-accredited CPA firm. The most recent audit observation period covered January 2024 through December 2024. The next audit cycle begins January 2025.

Does Solar1 complete security questionnaires?

Yes. For enterprise customers and qualified procurement processes, Solar1 will complete standard security questionnaires (SIG Lite, CAIQ, VSAQ, or custom). Contact security@solar1erp.com to initiate the process. We typically complete questionnaires within 5 business days.

Request the SOC 2 Type II report.

The full report is available to enterprise customers and qualified procurement processes under a mutual NDA. Contact our security team to initiate the request.