Security.
Solvolyte handles datasets that are often proprietary to our partners. Here is our current security posture during the beta — concrete enough to start a real engagement and honest about what is not in scope yet. We will publish a SOC 2 / ISO-track plan as the team grows.
Data isolation
Each partner's data lives in a dedicated namespace; cross-tenant access is impossible by construction (separate buckets, separate IAM roles, separate KMS keys). Training jobs run on isolated GPU instances and the working dataset is wiped at job exit. We never co-mingle partner data in a shared training corpus without an explicit signed amendment.
Encryption
All connections use TLS 1.3 with HSTS. Datasets at rest are AES-256 encrypted on object storage with envelope encryption via a hardware-backed KMS. Database backups are encrypted with the same regime and stored in a separate region. Access keys rotate on a 30-day cadence and are stored only in the secrets vault — never in env files, repos, or chat threads.
Access controls
Production access is single-sign-on plus hardware-key MFA. Direct shell into prod requires a two-person review; standing prod access is limited to two named engineers and audited weekly. Application code uses scoped service accounts with least-privilege IAM. We enforce session timeouts and re-authentication on sensitive operations.
Source control + deploys
All code is reviewed before merge. Production deploys require two approvals and pass a CI gate (lint, type, unit tests, dependency audit). Dependencies are pinned with a lockfile and scanned weekly; critical advisories are patched within 14 days, high within 30. We sign release artefacts and verify on deploy.
Logging and audit
Access logs, admin actions, and data-export events are captured in an append-only audit log retained for 12 months. Logs are scrubbed of secrets at the source. Alerts fire on anomalous access patterns (off-hours, geo-anomaly, mass export). Partner audit-log streaming is on the roadmap and available on request today as a manual export.
Vulnerability disclosure
Found something? Email [email protected] (PGP key on request). We aim to acknowledge within 48 hours and remediate critical issues within 14 days, high within 30. We do not currently run a paid bug bounty but happily credit responsible reporters in a published hall-of-fame upon their consent. We will not pursue good-faith researchers under CFAA or equivalent.
Incident response
If a partner-affecting incident is confirmed, we notify named contacts within 72 hours of confirmation with the facts known so far, expected scope, and our containment status. A post-incident report follows within 14 days describing root cause, blast radius, and corrective action. We honour any tighter notification SLA you negotiate.
Sub-processors + supply chain
We use a small set of essential infrastructure providers (cloud compute, object storage, mail relay, error tracking). The current sub-processor list is available on request and we notify partners 30 days before adding any new processor that handles partner data. Build-time dependencies use a pinned lockfile; CI verifies SHAs match before publishing artefacts.
Roadmap
SOC 2 Type 1 is targeted for the first commercial release; Type 2 in the following twelve months. Partner-managed encryption keys (BYOK), VPC peering for data ingress, audit-log streaming, and HIPAA-track controls follow on partner demand. Penetration testing engagement starts pre-Type-1 with full report sharable under NDA.
Last updated · 2026-04-26 · Pre-launch · Subject to revision
Questions? Email [email protected].