Skip to content
English
Contact us
  • There are no suggestions because the search field is empty.

Security & Compliance

Overview

Soarvo is a cloud-based SaaS platform built on AWS, designed and operated to meet enterprise security and compliance standards. This page summarises Soarvo's security posture — encryption, access controls, infrastructure, certifications, and how we handle incidents and updates.

ℹ️ Full security statement: This article is a customer-facing summary. The full Security Statement document and supporting certificates (Cyber Essentials Plus, penetration test summaries, AWS compliance attestations) are available on request from your Soarvo account contact or soarvo.com/contact.
At a Glance
Area
Soarvo's approach
Hosting
AWS, EU and/or UK data centre regions. Multi-region deployment for resilience.
Encryption at rest
AES-256 (S3 buckets, RDS database, backups). Keys managed in AWS KMS.
Encryption in transit
TLS 1.2 or higher. Certificates managed by AWS Certificate Manager.
Authentication
Email + password sign-in. Two-Factor Authentication (MFA) available for every account. SSO supported.
Compliance
Aligned with ISO/IEC 27001 framework. GDPR / Data Protection Act 2018 compliant. Soarvo holds Cyber Essentials Plus.
Penetration testing
Annual external pen tests by an independent CREST-authorised provider. Summary reports available on request.
Threat detection
AWS GuardDuty (continuous monitoring + malware scanning on uploads). AWS Shield (DDoS protection). AWS WAF (application-layer protection).
Where Your Data Lives

Soarvo runs entirely on Amazon Web Services (AWS), with data residency in the EU and/or UK regions. AWS data centres are physically secured, redundantly powered, and compliant with multiple global security standards (ISO/IEC 27001, PCI-DSS, FedRAMP).

Customer data is stored across three AWS service types:

  • S3 (Simple Storage Service) — uploaded files (orthomosaics, point clouds, shapefiles, photos). Encrypted with AES-256, locked down with fine-grained access policies, and not publicly accessible. Access is logged via AWS CloudTrail to a dedicated audit account.
  • RDS (Relational Database Service) — feature data, attributes, user accounts, project structure. Encrypted at rest via AWS KMS. Network-isolated inside a VPC; no public internet exposure. Automatic backups also encrypted.
  • Secrets Manager — credentials, API keys, integration secrets. Encrypted with KMS and access-controlled via IAM.
ℹ️ NCSC alignment: Our infrastructure framework meets NCSC Cloud Security Principle 2 (Asset Protection & Resilience) and is configurable to address specific client residency or sovereignty requirements.
Encryption

At rest

All data stored in Soarvo uses AES-256 encryption — recognised as a robust enterprise standard. Encryption keys are managed in AWS KMS and rotated according to AWS best practice. Database snapshots and S3 buckets are encrypted by default.

In transit

All connections to Soarvo — web portal, mobile app, public API — use TLS 1.2 or higher. SSL/TLS certificates are managed by AWS Certificate Manager, including automatic renewal.

Access Control

Access to customer data is controlled entirely by your designated Administrators and Project Managers. No Soarvo staff or third-party can access your data without explicit permission from your authorised users.

  • Administrators control the user list and assign roles.
  • Administrators, Project Managers, and Project Supervisors share specific projects and locations with team members.
  • All access provisioning is auditable and traceable.
  • Privileged operations require multi-factor authentication.

See User Roles & Permissions for the full role and permission matrix, and Sharing Projects & Locations for the sharing model.

MFA: Two-Factor Authentication is available on every Soarvo account. We strongly recommend enabling it for any Administrator or Project Manager — see Two-Factor Authentication (MFA) for setup.
Threat Detection & Protection

Soarvo combines several AWS-native security layers to defend against external threats:

  • AWS GuardDuty — continuous monitoring for compromised instances, unusual API activity, suspicious DNS, and malware in user-uploaded files. Sourced from VPC Flow Logs, CloudTrail, and DNS logs.
  • AWS Shield — protects DNS (Route 53) and CloudFront from network and transport-layer DDoS attacks (SYN/ACK floods, UDP reflection, volumetric attacks).
  • AWS WAF (Web Application Firewall) — application-layer protection. Filters and monitors HTTP/S traffic to defend against SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
  • VPC Isolation — Amazon VPC isolates infrastructure. Security Groups and Network ACLs restrict inbound/outbound traffic; AWS PrivateLink connects services without internet exposure.
  • SonarQube — static code analysis in our GitHub Actions CI/CD pipeline, checking every code change for quality, security, and maintainability issues.
  • AWS Inspector — automatic dependency vulnerability scanning on all Lambda functions and container images.
Logging, Monitoring & Audit

Every action against the Soarvo platform is logged:

  • AWS CloudTrail — records all API activity across our AWS environment.
  • VPC Flow Logs — capture network traffic metadata for anomaly analysis.
  • AWS Config — tracks configuration changes and validates compliance with security policies.

Logs are exported from each AWS environment to a separate Log Archive Account with restricted access. The archive is the source of truth for security audits, compliance investigations, and incident forensics.

Patching & Updates

Routine patches

Routine patches are applied on a scheduled maintenance window. All changes are tested in DEV and UAT environments before deployment to LIVE. Deployments occur during low-usage periods to minimise disruption. Routine updates are included with your subscription at no additional cost.

Critical patches

Critical patches addressing urgent vulnerabilities are expedited — typically applied within 24-72 hours after testing. Immediate severity assessment, rapid DEV/UAT testing, expedited approval for emergency deployment, and emergency maintenance windows if required.

Post-deployment verification

All patching activity is logged for audit. Post-patching reviews confirm that updates do not adversely affect system performance.

See Release Notes — Soarvo Portal and Release Notes — Soarvo Mobile for the latest changes.

Independent Security Review
  • Annual penetration testing by an independent CREST-authorised security provider. Covers infrastructure, application layers, and access controls. Summary reports available on request.
  • Cyber Essentials Plus — Soarvo holds a current Cyber Essentials Plus Certificate of Assurance.
  • SonarQube + AWS Inspector — continuous automated vulnerability scanning of code and dependencies in every deployment pipeline.
Business Continuity

Soarvo is built for resilience:

  • Multi-region AWS deployment — service is hosted across multiple regions (VPC / Subnets). If one region experiences an outage, failover to an alternate region can occur seamlessly.
  • Automated failover — Route 53 health checks and load balancers redirect traffic during degradation or failure.
  • Backup and recovery — segregated backup storage and annual restoration testing of mirrored systems available under separate client agreements.
Data Protection & GDPR

Soarvo's data protection framework complies with all relevant legislation, including the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.

  • Privacy Policy and Data Processing Agreement are included in the Soarvo Terms of Use.
  • The Data Processing Agreement (DPA) appendix of the Soarvo Terms of Use governs personal-data processing.
  • Personal data is processed only as needed to deliver the service.
  • Data subject requests (access, erasure, portability) are honoured in line with GDPR timelines.
Supply Chain

The Soarvo platform incorporates open-source software and third-party components — including Cesium, Google Maps, Bing Maps, and Ordnance Survey maps — each subject to its respective licence and third-party terms. Support for these components is provided through the standard processes and tools offered by the third parties.

Secure Development

The Soarvo engineering team follows industry-standard secure development practices:

  • Coding practices — adherence to industry guidelines; code reviews and tests detect vulnerabilities early.
  • CI/CD pipeline — automated and manual tests run on every change.
  • Controlled upgrade process — every upgrade tested in DEV and UAT before production. Regression testing confirms new changes don't introduce vulnerabilities.
  • Continuous improvement — production monitored for anomalies and security issues; feedback loops accelerate remediation.
Requesting Documentation

The following documents and attestations may be shared with verified customers, prospective customers, and partners where appropriate, subject to confidentiality review and/or NDA:

  • Full Security Statement (covering everything on this page plus configuration detail)
  • Cyber Essentials Plus certificate
  • Penetration test summary reports
  • AWS compliance attestations (including ISO/IEC 27001 and SOC reports), accessible through AWS Artifact subject to AWS access permissions. 
  • Data Protection Agreement (Appendix B of Soarvo Terms of Use)

To request, contact your Soarvo account contact or use soarvo.com/contact.

What's Next?