solidSF security covers how your CAD data is encrypted, where it lives, who can reach it, and how we respond when something is wrong. Browser CAD security is the same problem as any production SaaS — we treat it that way.
Every file you create in solidSF is encrypted at rest with AES-256 on the object store, and every byte in transit moves over TLS 1.3. Keys are managed by AWS KMS in our primary region and rotated on a fixed schedule. There is no plaintext copy of your design data on any disk we operate.
Backups are encrypted with the same scheme and kept in a separate AWS region. Restore drills are run quarterly. We do not export design data to third parties for analytics or training without explicit consent.
solidSF uses role-based access control inside every workspace. Owners, admins, editors, and viewers each get a tightly scoped set of permissions. Document-level overrides let you share a single part or assembly without exposing the rest of a project.
Sessions are short-lived. Every privileged action against a Team or Enterprise workspace is logged with actor, target, IP, and user-agent.
Documents in solidSF are private by default. This is a deliberate departure from the Onshape free tier, which makes every public document searchable on the open web. A solidSF document is reachable only by accounts you explicitly invite or by link recipients you explicitly enable.
Sharing is always explicit. There is no hidden "default share" toggle, no organisation-wide global read, and no scraping endpoint. Public sharing requires a per-document opt-in and is reversible at any time.
The solidSF surface runs on Cloudflare at the edge — TLS termination, DDoS absorption, bot management, and rate limiting all happen before a request reaches us. Document storage, compute, and the Rust CAD kernel run inside AWS in the United States.
Workspaces are isolated. There is no shared mutable storage that crosses tenant lines and no internal API that lets a workspace read a document outside its own boundary. Production systems are reachable only through bastioned, MFA-enforced operator paths.
US data residency is the default for every paying customer today. Regional residency (EU, UK) is on the roadmap for Enterprise — contact security@solidsf.com if you need it.
solidSF is on the SOC 2 Type II path. Controls are being implemented and formal audit timing will be published when available. Customers under NDA can request the current security packet.
For privacy, solidSF supports data subject requests for access, export, and deletion. Detailed handling is described in our privacy policy. solidSF is United States-only at launch; EU availability is on the roadmap.
Send security reports to security@solidsf.com. We commit to:
A public researcher acknowledgements page (a hall of fame) is planned alongside the SOC 2 announcement.
For security issues, contact security@solidsf.com. For privacy or data subject requests, contact privacy@solidsf.com. For general enquiries, see solidsf.com/contact. PGP key on request.