
Security Overview

1. Company & System Context

Soon provides a cloud-based Workforce Management (WFM) Software as a Service (SaaS) solution. Our platform is designed to assist businesses with employee scheduling, time and attendance monitoring, labor forecasting, and regulatory compliance.

  • Architecture: Soon is a SaaS platform hosted exclusively on Amazon Web Services (AWS). Our infrastructure leverages managed services for compute, databases, and content delivery to ensure stability and scalability.

  • Key Components: The system architecture includes a core API, AI-driven forecasting services, and various enterprise integrations.

  • Data Types: We handle operational and customer data, including Personally Identifiable Information (PII) such as names, email addresses, work schedules, and optional location data.

2. Security Governance & Direction

Information security is a core pillar of our operational strategy.

  • ISO 27001 Commitment: We are currently implementing an ISO/IEC 27001-aligned Information Security Management System (ISMS). This framework aligns our security practices with internationally recognized best practice.

  • Ownership: Security governance is sponsored by our CEO, providing executive-level oversight; day-to-day ownership sits with the Risk and Compliance function.

  • Principles: Our security posture is built on three fundamental principles:

    ◦ Least Privilege: Users and services are granted only the access their role requires.

    ◦ Defense in Depth: We employ multiple layers of complementary controls to protect our assets, so that no single control failure exposes customer data.

    ◦ Risk-Based Approach: Controls are driven by business needs and formal risk assessments.

3. Risk Management

Soon maintains a proactive and structured approach to identifying and mitigating threats.

  • Methodology: We perform periodic risk assessments where risks are evaluated based on their likelihood and impact on confidentiality, integrity, and availability.

  • Risk Domains: Our risk management focus includes:

    ◦ Unauthorized access to customer data.

    ◦ Third-party and supply chain integration risks.

    ◦ Cloud infrastructure misconfigurations.

    ◦ Service availability and business continuity.

4. Key Security Controls

Access Control

  • RBAC: We enforce Role-Based Access Control to ensure users only have access commensurate with their tasks.

  • Authentication: Multi-factor authentication (MFA) is required for remote and privileged access.

  • Production Access: Access to production systems is tightly controlled and limited to authorized personnel.

Infrastructure & Cloud Security

  • AWS Hosting: All services are hosted in AWS, utilizing network isolation and environment separation (e.g., dev, staging, and production).

  • Network Security: We use AWS Security Groups (stateful, instance-level firewalls), Virtual Private Clouds (VPCs), and segregated subnets to restrict traffic between components and between environments.
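A practitioner-side check that the Security Group controls described here, and the "cloud infrastructure misconfigurations" risk domain above, are actually holding: the following Python script is added here as an illustration and is not Soon's own tooling. It walks Security Group ingress rules in the shape boto3's `describe_security_groups()` returns and flags any rule reachable from `0.0.0.0/0` or `::/0` other than an expected public port (443 by default). The group IDs, names and rules in `SAMPLE_GROUPS` are constructed sample data; in a real audit you would feed it the live API response.

```python
"""Audit AWS Security Group ingress rules for internet exposure.

Added example, not Soon's own code. The data shape mirrors boto3's
ec2.describe_security_groups()["SecurityGroups"]; SAMPLE_GROUPS below is
constructed for illustration and stands in for a live API call.
"""
from __future__ import annotations

# Source CIDRs that mean "anyone on the internet" (IPv4 and IPv6).
ANYWHERE = frozenset({"0.0.0.0/0", "::/0"})

# Constructed sample in the describe_security_groups() response shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "prod-alb",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,          # expected: HTTPS on the load balancer
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
          "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "prod-db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,        # misconfiguration: DB open to the world
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "prod-api",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,        # reachable only from the ALB's group
          "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],   # all traffic, but only from the VPC range
          "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "legacy-admin",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],    # misconfiguration: everything from anywhere
          "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]


def public_sources(perm: dict) -> list[str]:
    """Return the internet-wide CIDRs (v4 or v6) that a single permission entry allows."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def port_span(perm: dict) -> tuple[int, int]:
    """Port range covered by a permission. IpProtocol "-1" means all protocols
    and all ports, and the FromPort/ToPort keys are absent in that case."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def find_public_ingress(groups: list[dict], allowed_tcp_ports: frozenset[int] = frozenset({443})) -> list[dict]:
    """Flag every ingress rule open to the internet, except a single TCP port
    that is expected to be public (e.g. HTTPS on a load balancer)."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = public_sources(perm)
            if not sources:
                continue  # private CIDR or security-group reference only
            lo, hi = port_span(perm)
            proto = perm.get("IpProtocol")
            if proto == "tcp" and lo == hi and lo in allowed_tcp_ports:
                continue  # intentionally public service port
            findings.append({
                "group_id": sg["GroupId"],
                "group_name": sg.get("GroupName", ""),
                "protocol": "all" if proto == "-1" else proto,
                "ports": f"{lo}-{hi}" if lo != hi else str(lo),
                "sources": sources,
            })
    return findings


def main() -> None:
    for f in find_public_ingress(SAMPLE_GROUPS):
        print(f"{f['group_id']} ({f['group_name']}): {f['protocol']} {f['ports']} "
              f"open to {', '.join(f['sources'])}")


if __name__ == "__main__":
    main()
```

Against the constructed sample the script reports `prod-db` (PostgreSQL open to the world) and `legacy-admin` (all protocols and ports from anywhere), while `prod-alb` and `prod-api` pass. Rules whose source is another security group (`UserIdGroupPairs`) are deliberately not flagged, since that is how internal tiers should reference each other; to run it against a real account, replace `SAMPLE_GROUPS` with `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` (an assumed call, not shown here).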

Application Security & Data Protection

  • Secure Development: We follow secure coding principles and conduct code reviews as part of our SDLC.

  • Encryption in Transit: All data transmitted over public networks is encrypted using TLS.

  • Encryption at Rest: Customer data and backups are encrypted at rest using AES-256.

  • OWASP Practices: Our development standards are informed by OWASP guidance and other industry-standard practices to prevent common web application vulnerabilities.

Monitoring & Incident Response

  • Logging: Centralized logging and monitoring are implemented with tools such as AWS CloudWatch and Sentry.

Backup & Availability

  • Resilience: We perform regular backups and maintain the ability to restore critical systems, supporting availability and recovery objectives.

5. Compliance Status & Roadmap

  • Current Status: Our ISO 27001 ISMS is currently in the documentation and implementation phase; we are not yet certified.

  • Roadmap: We are committed to achieving full certification to validate our adherence to international security standards. Soon remains open to security reviews and detailed questionnaires from our partners during this process.