Compliance
Honest current state of Solid Accounting's compliance posture. We don't claim certifications we don't have; the table below is what we actually do today plus what's in flight.
At-a-glance
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | In progress | Type I observation period started Q2 2026. Type II expected Q1 2027. |
| GDPR | Compliant | Data export, deletion, and processing transparency in place. See GDPR page. |
| CCPA (California) | Compliant | Same controls as GDPR — California residents have equivalent rights. |
| HIPAA | Not applicable | Solid is general-purpose accounting software. We don't process Protected Health Information. If you're a healthcare practice, your bookkeeping (invoices, expenses, payroll) isn't PHI even if your clinical system is. |
| PCI-DSS | Not applicable | We don't process cardholder data. License sales go through Stripe (PCI Level 1). Bank Feeds go through Plaid (PCI Level 1). Cardholder data never touches Solid. |
| ISO 27001 | Considering | Customer demand-driven. If you need this, email us. |
| FedRAMP | Not applicable | Solid is desktop software; no SaaS offering to be FedRAMP'd. |
What we mean by "compliant"
For frameworks where we say Compliant, we've implemented the controls, documented them, and would withstand an audit. We haven't paid for third-party attestation in every case.
For In progress, we're actively running the operational discipline (logs, reviews, evidence collection) against a controls list, with a third-party auditor engaged.
For Not applicable, the framework's scope doesn't include what Solid does. We say so explicitly rather than evasively.
Data residency
| Data | Stored where |
|---|---|
| Your .solid file | Your computer |
| Cloud Backup blocks (managed) | Backblaze B2 region you choose; default US East |
| Cloud Backup blocks (BYO) | Wherever your bucket lives |
| License records | Solid's infrastructure (US) |
| Bank Feeds metadata | Plaid (US for US accounts; EU for EU accounts) |
For EU customers needing strict EU residency: use Cloud Backup with a BYO destination in an EU bucket. Your license-server records (name, email, license key) are in the US — that's a small enough surface to be GDPR-clearable but worth flagging.
Vendor-risk-review packet
If you need a signed packet for a procurement review:
- Email security@solidaccounting.com with your procurement contact's name and the framework(s) involved
- We send the most current security questionnaire fill (CAIQ, SIG-Lite, custom)
- Turnaround: 3-5 business days for standard packets; longer for custom requests
We don't charge for these.
Where we explicitly don't meet a bar
A few things to set expectations:
- No SOC 2 Type II yet — we're in observation. If your procurement requires existing Type II, talk to us; we may have remediation.
- No third-party penetration test on file — a quarterly external pentest is on the post-launch roadmap.
- No formal data processing agreement (DPA) signed individually unless you ask — our standard terms include processing terms; bilateral DPAs available on request for enterprise customers.
- No HIPAA Business Associate Agreement (BAA) — Solid isn't appropriate for files containing PHI even if BAAs were available. Use a healthcare-specific accounting product if you process PHI.
Reporting compliance issues
If you've identified a compliance gap or potential issue:
- Email security@solidaccounting.com
- Or use the contact form at solidaccounting.com/support
We acknowledge within 24 hours and treat compliance reports the same as security reports — see Security → Incident response.
Cross-references
- Security whitepaper — the technical security architecture
- GDPR compliance — EU-specific details (when shipped)
- SOC 2 status — current observation period (when shipped)