# Security Overview
SonicSaaS is designed from the ground up to meet SOC 2 Type II compliance requirements. As a platform that manages firewall credentials and fleet operations, security is not a feature — it is a design constraint applied to every layer of the system.
## Self-Hosted Trust Model
SonicSaaS is deployed on your own infrastructure. Your credentials, device data, and audit logs never leave your network. There is no shared cloud instance and no third-party access to your data.
This self-hosted model provides a strong security foundation:
- You control the encryption keys — device credentials are encrypted at rest with AES-256-GCM using keys you generate and manage
- You control network access — the platform runs inside your network alongside the firewalls it manages
- You control the data — the database runs on your infrastructure with no external telemetry or data sharing
## Security Controls Summary
SonicSaaS implements layered security controls across every area of the platform:
| Area | Controls |
|---|---|
| Authentication | Database sessions, TOTP MFA, SSO (Microsoft Entra ID), rate limiting, account lockout |
| Authorization | Role-based access control with 5 roles, team-scoped data isolation, organization restrictions |
| Encryption | AES-256-GCM for credentials at rest, bcrypt for passwords, separate encryption keys per data class |
| Input Validation | Zod schema validation on all mutations, SSRF protection, parameterized queries |
| Audit Trail | Immutable audit log for all mutations, structured logging, log redaction |
| Infrastructure | Non-root containers, network isolation, security headers, resource limits |
| Change Management | CI pipeline (lint, types, tests), pre-commit hooks, dependency scanning, SAST/DAST |
## Compliance Frameworks
SonicSaaS tracks controls across multiple compliance frameworks:
- SOC 2 Type II — primary target, 45 of 52 controls implemented
- OWASP Top 10 — all categories addressed
- NIST Cybersecurity Framework — mapped across all five functions
- ISO 27001, CIS Controls v8, PCI DSS v4 — supplementary coverage
See Compliance Status for the full control mapping.
## Learn More
- Authentication & MFA — how sessions, MFA, and SSO work
- Roles & Permissions — the RBAC model and permission matrix
- Encryption — how credentials are protected at rest
- Data Privacy & Isolation — team scoping, input validation, data exposure prevention
- Infrastructure Security — container hardening, network isolation, security headers
- Backup & Recovery — disaster recovery procedures and recovery objectives
- Incident Response — severity classification and response procedures
- Admin Security Checklist — hardening steps for your deployment