UK-region data. Tenant-isolated. Honest about what we've certified.
We're not going to claim certifications we don't hold. Here's the truth about how SolarFleet is built, where it runs, and what we're working towards.
Controls in place today
UK-region data
Your operational data is held in a UK-region managed Postgres database (PlanetScale, via Cloudflare Hyperdrive). The application is served from Cloudflare's edge network; your data is stored in the UK.
Tenant isolation enforced in every query
Organisations share a managed database, and every query is scoped to your organisation. A continuous integration test asserts that no API route can return another organisation's data — isolation is verified on every change, not just promised.
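A sketch of what such a continuous integration check can look like, added here as an illustration and not SolarFleet's own code. The route names, the session shape and the per-organisation canary strings are hypothetical, and one route is deliberately left unscoped to show what the check reports.

```javascript
// Constructed two-tenant fixture: every row carries a per-organisation canary.
const ROWS = [
  { id: 1, orgId: "org_a", site: "Roof 1", note: "CANARY-org_a" },
  { id: 2, orgId: "org_b", site: "Barn 7", note: "CANARY-org_b" },
];

// Hypothetical route table. Each handler receives the caller's session.
const routes = {
  "GET /sites": (s) => ROWS.filter((r) => r.orgId === s.orgId),
  "GET /sites/summary": (s) => ({
    count: ROWS.filter((r) => r.orgId === s.orgId).length,
  }),
  // Deliberately unscoped, to show what the check catches.
  "GET /sites/export": (_s) => ({ rows: ROWS.map((r) => ({ ...r })) }),
};

// Collect every string in a JSON-like value, including nested fields,
// so a leak through a joined or embedded object is still seen.
function strings(value, out = []) {
  if (typeof value === "string") out.push(value);
  else if (Array.isArray(value)) value.forEach((v) => strings(v, out));
  else if (value && typeof value === "object")
    Object.values(value).forEach((v) => strings(v, out));
  return out;
}

// Call every route as every organisation and report any response that
// contains another organisation's id or canary.
function findLeaks(routeTable, orgIds) {
  const leaks = [];
  for (const caller of orgIds) {
    const foreign = orgIds.filter((o) => o !== caller);
    for (const [name, handler] of Object.entries(routeTable)) {
      const seen = strings(handler({ orgId: caller }));
      for (const other of foreign) {
        if (seen.some((s) => s === other || s.includes(`CANARY-${other}`)))
          leaks.push({ route: name, caller, leakedFrom: other });
      }
    }
  }
  return leaks;
}

// In CI, a non-empty result would fail the build.
const leaks = findLeaks(routes, ["org_a", "org_b"]);
console.log(leaks);
```

Iterating over the route table, instead of listing routes by hand in the test, means a newly added route is covered without anyone remembering to write a test for it.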
Credentials encrypted at rest
Integration API keys (SolarEdge, Solis Cloud, etc.) are encrypted with AES-256-GCM before being stored. The encryption key is a secret held only in our Cloudflare environment — not in the database.
Encrypted in transit
All traffic to solarfleet.io is served over TLS 1.3. HTTP Strict Transport Security (HSTS) is enforced. No plaintext endpoints.
Authentication & sessions
Sign-in is handled by WorkOS AuthKit — sessions and credentials are managed by WorkOS, so we never store your password ourselves. Sessions are signed, HTTP-only, Secure cookies. Organisation roles (owner, admin, member, client) gate every API route.
Managed backups
The database is backed up automatically by our managed database provider, with backups held in-region. We can restore from provider backups in a recovery scenario.
Compliance status
Different operators have different procurement requirements. Here's where we actually stand.
UK GDPR
We process personal data under UK GDPR. See our privacy policy for the legal basis of processing and your rights as a data subject.
SOC 2
We're not SOC 2 certified yet. We won't claim we are. The platform is designed against SOC 2 Type II control objectives and we're working towards formal audit readiness.
ISO 27001
We don't hold ISO 27001. If it's a procurement requirement for your organisation, let us know — we'll talk about what we can provide in the interim.
Report a vulnerability
Think you've found a security issue? Email security@solarfleet.io. We acknowledge reports within one working day, investigate in good faith, and credit researchers who want to be named. We won't pursue legal action against researchers acting in good faith under this policy. Please don't use automated scanners against production accounts.