How Sollos protects your data
We treat customer data as a liability — we collect the minimum needed to run the product and protect what we do collect with defenses at the database, network, and application layers. This page lists the concrete safeguards in place today.
Last updated: April 18, 2026
Tenant isolation enforced by the database
Every domain table has an organization_id and Postgres row-level security (RLS) policies prevent cross-tenant reads and writes. Isolation is enforced at the database layer, not in application code — even a compromised service key can't leak one customer's data to another.
Encryption in transit and at rest
All traffic is TLS 1.2+ (HTTPS everywhere). The database and file storage are encrypted at rest with AES-256 by default. Daily backups rotate on a 7-day cycle.
OAuth tokens wrapped with AES-256-GCM
When you connect Stripe, Google Calendar, or Sage, the resulting access and refresh tokens are encrypted with a platform-held key before being written to the database. A leaked backup alone cannot act on your connected accounts.
Authentication with verified sessions
Sessions are verified against Supabase Auth on every request using cryptographically signed claims — never just cookies. Passwords are hashed by Supabase (bcrypt). Optional leaked-password checking against HaveIBeenPwned (k-anonymity — no password ever leaves your browser).
Webhook signatures + idempotency
Every incoming Stripe webhook is verified against its secret and short-circuited if the event id has already been processed. Fake payment events or double-processing on retry are structurally impossible.
Rate limiting on every public surface
Public token URLs (invoices, reviews, freelancer claims, team invites) and auth endpoints are rate-limited per IP to defeat brute-force token enumeration and credential stuffing. A distributed Upstash Redis limiter covers every serverless instance.
No card data on our servers
All payment processing is handled by Stripe Checkout. Card numbers, CVCs, and bank account details never touch Sollos infrastructure. Our PCI obligation is the lightest tier (SAQ A).
Append-only audit log
Sensitive mutations (payroll runs, invoice voids, role changes, deletions) record an audit row with actor, action, and before/after snapshots. Owners and admins can browse the log in-product at Settings → Audit log.
Self-serve export and erasure
At any time, owners can download a single JSON bundle containing every row their organization owns, or schedule permanent deletion with a 30-day grace window. The grace window lets you recover mistakes — you can cancel deletion up to the last day. After the window elapses, every row and file is wiped and the organization record becomes a tombstone.
Data residency and sub-processors
Your data is hosted in Supabase (Postgres + Storage) and Vercel (edge). Transactional email goes through Resend; error reports through Sentry. See our Privacy Policy for the full sub-processor list and the data each one handles.
What we don’t claim
Sollos is not SOC 2 certified. We are not HIPAA covered. We do not yet offer a signed Data Processing Agreement for EU customers. These are on the roadmap as we scale, but we’d rather be honest about it than claim what we haven’t earned. If you need any of the above for a procurement review, email security@sollos3.com.
Report a vulnerability
Found a security issue? Please email security@sollos3.com rather than opening a public issue. We reply within one business day and will work with you on coordinated disclosure.
For the full list of sub-processors and data-processing details, see our Privacy Policy. For the legal agreement between you and us, see our Terms of Service.