Our Approach

SonicSaaS manages firewall credentials and fleet operations — we take this responsibility seriously. Security is a design constraint on every change, not an afterthought.

Credential Encryption

All device credentials are encrypted at rest using AES-256-GCM with versioned, hex-encoded storage. Credentials are decrypted only at request time on the server — they are never exposed to the client browser or included in API responses.

Authentication

Database-backed sessions (not JWT)
TOTP-based multi-factor authentication
SSO via Microsoft Entra ID
Role-based access control with team scoping on every query

Infrastructure

Hosted on Microsoft Azure
TLS encryption for all connections
Database connections encrypted in transit
Network isolation between tenants

Audit Logging

Every mutation — device operations, policy changes, user actions — is recorded in an immutable audit log with timestamp, actor, and action details. Audit logs are retained for compliance purposes.

Compliance

SonicSaaS is designed with SOC 2 Type II controls in mind. We are actively working toward formal certification. Our security practices include regular dependency auditing, static analysis (Semgrep), secret scanning (Gitleaks), and container scanning (Trivy).

Responsible Disclosure

If you discover a security vulnerability, please report it to [email protected]. We will acknowledge receipt within 48 hours and work with you to understand and address the issue. We do not pursue legal action against good-faith security researchers.