Solara · Trust & Security

Built for healthcare data, from the foundation.

Solara runs on infrastructure designed for the regulatory and data-governance expectations of medtech, specialty pharma, and payer-adjacent manufacturers. Your legal team will recognize the stack — and the controls walkthrough is included in the first working session, not gated behind a six-month procurement cycle.

The Foundations

Four controls. Default-on.

These are the controls your security and legal teams will ask about first. Each one is in place before any partner contract is signed.

/01 · HIPAA

BAA on day one.

Every Solara engagement operates under a Business Associate Agreement, executed during the first five days of kickoff and before any PHI flows. PHI handling, minimum-necessary rules, role-based access, and audit logging are platform primitives, not add-ons negotiated later.

/02 · SOC 2

Type II controls in place.

Solara's controls are mapped to the SOC 2 Trust Services Criteria and covered by a Type II attestation. Infrastructure is hosted with enterprise cloud providers under signed BAAs. Access is least-privilege, SSO-enforced, and audited. The Type II attestation report is available under NDA during partner diligence.

/03 · ENCRYPTION

TLS 1.3 in transit, AES-256 at rest.

All provider, adoption, and manufacturer data is encrypted in transit with TLS 1.3 and at rest with AES-256. Encryption keys are managed in a hardware-backed KMS and rotated on a documented schedule. Partners are not required to bring their own customer-managed keys (CMK).

/04 · EXPORT

Your data stays yours.

Adoption telemetry exports to your data warehouse on a schedule you control — daily by default, configurable down to hourly. No lock-in, no dark-pool analytics. Export formats: CSV, Parquet, or direct push to Snowflake, BigQuery, or Redshift.

The Stack

What's running underneath.

Healthcare-grade primitives across the stack. Detailed sub-processor list and architecture diagrams shared under NDA during diligence.

  • Compute

    Enterprise cloud, US-only regions, BAA-signed

  • Database

    Managed Postgres, encrypted at rest, automated point-in-time recovery

  • Identity

    SSO with SAML 2.0 + SCIM provisioning, MFA-enforced for admins

  • Logging

    Immutable audit log, 90-day hot retention + 7-year cold archive

  • Monitoring

    Real-time anomaly detection on access patterns + data egress

  • Backups

    Encrypted daily snapshots, 30-day retention, quarterly restore drills

Incident Response

When something goes wrong — timelines you can write into a contract.

The wrong time to negotiate breach notification timing is during a breach. Solara commits to incident response windows tighter than HIPAA's outer limits, written into every partner BAA.

  01 · Triage within 4 hours

    Security team confirms scope, classifies severity, opens partner-visible status page.

  02 · Initial notification within 24 hours

    Partners with confirmed impact receive direct outreach with what we know and what we are doing.

  03 · Containment + remediation

    Affected services isolated, root cause identified, fix deployed and verified.

  04 · Full post-incident report within 7 days

    Root cause, remediation, prevention measures, and timeline, delivered well inside HIPAA's 60-day breach notification deadline.

Security FAQ

The questions your security team will ask.

  • Does Solara handle Protected Health Information (PHI)?

    The marketing site stores no PHI. The platform handles PHI strictly under a signed BAA, with minimum-necessary access enforced by role and audit-logged at the request level. Reps see provider practice data (NPI, specialty, location) — not patient records, diagnoses, or treatment history.

  • What is your sub-processor list?

    Available under NDA during the working session. Core infrastructure runs on enterprise cloud providers (US-East/US-West) with executed BAAs. Sub-processor changes are notified to partners with a 30-day advance window.

  • How does Solara handle a data subject access request (DSAR)?

    Partners route DSARs through their privacy counsel; Solara responds within 30 days. The platform supports targeted record export and deletion at the NPI level with cryptographic verification.

  • What is the incident response process?

    Security incidents are triaged within 4 hours and partners receive an initial notification within 24 hours of confirmed impact. The full post-incident report (root cause, remediation, prevention) is delivered within 7 days, well inside HIPAA's 60-day breach notification deadline.

  • Can we audit your controls?

    Yes. Partners with a signed MSA can request a controls walkthrough during partner diligence. SOC 2 Type II report and audited penetration test summaries are available under NDA.

  • Where is data stored?

    United States data centers only. No data is transferred or stored outside US borders. Multi-region (US-East, US-West) for redundancy; no EU/APAC presence, which removes cross-border transfer questions for US-only partners.

Documents

What we share, and how to get it.

Under NDA

SOC 2 Type II report

Most recent attestation period, shared after a mutual NDA is executed. Typically reviewed during partner diligence alongside the architecture walkthrough.

Under NDA

Penetration test summary

Third-party annual pen test with findings, remediations, and re-test verification. Executive summary shared under NDA.

On Request

Business Associate Agreement template

Standard BAA, redlined during contract negotiation. Executed during Day 1–5 of partner kickoff so PHI handling is covered before any data flows.

On Request

Sub-processor list

Current list of infrastructure and tooling sub-processors with change-notification commitments. Updated whenever the stack changes; partners notified 30 days in advance.

Direct Line

Security questions go straight to engineering.

No sales triage. Email the team directly — typical response within one business day.