Last Edited: May 25, 2026

Security is not a module — it is an architectural decision. This page describes how SolidSoft protects customer data across all of its applications.

The security of SolidSoft applications is treated as a continuous responsibility, with regular reviews and incremental improvements. This page summarises the principles that guide those decisions and the capabilities that follow from them.

1. Principles

  • Defense in depth — multiple independent layers of protection (network, application, data) so that the failure of one does not compromise the others.
  • Least privilege — every user, integration, and component has only the access strictly required.
  • Tenant isolation — each customer’s data lives in a separate environment, with no shared schema and no shared credentials.
  • Operational transparency — when something does not go as expected, the trail is available for internal audit and for the customer.

2. Tenant Isolation

Each customer accesses only its own data. The isolation model varies by application — some maintain a dedicated database per customer, others enforce strict separation at the application layer — but the principle is the same: no query crosses customer boundaries, and credentials for internal systems are not exposed to the client application.

3. Authentication and Session

  • Signed token authentication with mandatory expiration and signature validation on every endpoint.
  • Two-factor authentication (2FA) available, with alternative channels (authenticator app, email, SMS) depending on the product.
  • Password policies with minimum complexity requirements and storage protected by modern, one-way cryptographic techniques.
  • Access recovery through verified channels — never by disclosing existing credentials.

4. Communications

All communications between the client application, the backend, and the portals (client, supplier, technician) take place exclusively over HTTPS with modern TLS. There is no production endpoint exposed over plain HTTP.

5. Operations

  • Encrypted backups stored in a location separate from production.
  • Access and operation logs retained for periods compatible with incident investigation.
  • Continuous monitoring of errors, latency, and anomalous patterns.
  • Security updates applied in a short window after disclosure.

6. Responsible Disclosure

If you identify a vulnerability in one of our products, contact us at security@solidsoft.pt. We commit to responding within 5 business days and to keeping the reporter informed of resolution progress. We ask that you do not publicly disclose the issue until we have had the opportunity to fix it.

7. Limitations

This page describes SolidSoft’s security posture in general terms. For specific compliance questions (GDPR, data processing agreements, certifications), please contact us directly — we respond to supplier questionnaires and provide additional documentation under NDA.