UK-hosted. Per-tenant isolated. Honest about what we've certified.
We're not going to claim certifications we don't hold. Here's the truth about how SolarFleet is built, where it runs, and what we're working towards.
Controls in place today
UK-hosted infrastructure
All application servers, databases, and background workers run on Cloudflare's UK-region edge network. Data does not leave the UK in the ordinary course of operation.
Per-tenant database isolation
Every organisation gets its own dedicated database. Your operational data never shares a database with another customer. Tenant boundaries are enforced at the query layer, not just the application layer.
Credentials encrypted at rest
Integration API keys (SolarEdge, Solis Cloud, etc.) are encrypted with AES-256-GCM before being stored. The encryption key is a secret held only in our Cloudflare environment — not in the database.
Encrypted in transit
All traffic to solarfleet.io is served over TLS 1.3. HTTP Strict Transport Security (HSTS) is enforced. No plaintext endpoints.
Authentication & sessions
Passwords are hashed with bcrypt. Sessions are issued as signed cookies with the HttpOnly and Secure attributes set. Organisation-level roles (owner, admin, member) gate every API route.
Daily backups
Tenant databases are backed up daily with point-in-time recovery. Backups are encrypted and stored within UK infrastructure.
Compliance status
Different operators have different procurement requirements. Here's where we actually stand.
UK GDPR
We process personal data under UK GDPR. See our privacy policy for the legal basis of processing and your rights as a data subject.
SOC 2
We're not SOC 2 certified yet. We won't claim we are. The platform is designed against SOC 2 Type II control objectives and we're working towards formal audit readiness.
ISO 27001
We don't hold ISO 27001. If it's a procurement requirement for your organisation, let us know — we'll talk about what we can provide in the interim.
Report a vulnerability
Think you've found a security issue? Email [email protected]. We acknowledge reports within one working day, investigate in good faith, and credit researchers who want to be named. Please don't use automated scanners against production accounts.