SECURITY OVERVIEW: Soon for enterprise security review
Document version 1.3 · Last reviewed May 2026 · security@soon.works
AT A GLANCE
| Service | Cloud-based workforce scheduling SaaS (Soon) |
|---|---|
| Hosting | Amazon Web Services, EU-West-1 (Ireland) |
| Data residency | European Union - GDPR-aligned |
| Encryption | TLS 1.2+ in transit; AES-256 at rest |
| Authentication | SSO and SAML supported; MFA enforced for production access |
| Infrastructure certifications | AWS: ISO/IEC 27001, SOC 1, SOC 2, PCI DSS |
| Security program | ISO/IEC 27001-aligned ISMS |
| Data Processing Agreement | Available; aligned with GDPR requirements |
1. Platform and data
Soon is a cloud-based workforce scheduling and operational planning platform delivered as Software-as-a-Service. It is hosted entirely on Amazon Web Services in the EU-West-1 (Ireland) region, with all customer data stored within the European Union to meet EU data residency requirements.
The platform processes user account data, employee names and email addresses, scheduling and workforce planning data, and operational forecasting and reporting data. Soon does not require, request, or process special categories of personal data.
2. Governance and risk management
Information security is owned at the leadership level and operated by engineering management. Soon maintains an Information Security Management System aligned with ISO/IEC 27001, covering policies, access controls, supplier management, and incident response.
Our security program is built on three principles:
Least privilege. Access is restricted to the minimum required for each role and reviewed regularly.
Defense in depth. Multiple layers of technical and operational controls protect infrastructure, applications, and access.
Continuous risk assessment. Risks affecting customer data, infrastructure, integrations, availability, and applications are reviewed on a recurring basis and prioritised by likelihood and impact.
3. Infrastructure and cloud security
Soon runs on Amazon Web Services in the EU-West-1 (Ireland) region. AWS is independently certified against ISO/IEC 27001, SOC 1, SOC 2, and PCI DSS, and these attestations apply to the underlying infrastructure used by Soon. AWS compliance reports are available to customers under NDA via AWS Artifact.
Network security. All ingress to production runs through AWS-managed load balancers with TLS termination. Workloads run inside isolated Virtual Private Clouds with restrictive security group rules. Production, staging, and development environments are logically separated.
Patching and vulnerability management. Operating system and platform patching at the infrastructure layer is managed by AWS. Application dependencies are monitored for known vulnerabilities, and updates are applied through our standard release process.
Backup and recovery. Production databases are backed up automatically with point-in-time recovery, and backup integrity is monitored. Recovery procedures are documented and reviewed.
4. Access control and authentication
Customer authentication. Soon supports enterprise Single Sign-On via SAML with all major identity providers, including Microsoft Entra ID, Okta, and Google Workspace.
Internal access. Access to production systems is restricted to authorised engineering personnel on a least-privilege, role-based basis. Multi-factor authentication is enforced for all access to production systems and critical infrastructure. Access is reviewed on joiner, mover, and leaver events.
Personnel security. All staff sign confidentiality agreements. Security awareness expectations are communicated to staff and reviewed periodically. Background checks are performed where legally permissible and appropriate to the role.
5. Application security and data protection
Secure development. All code changes go through peer review before merge. Deployments are automated and traceable. Development practices follow OWASP secure coding guidance, and the application is designed to mitigate common web application risks including the OWASP Top 10.
Encryption. All data in transit is protected with TLS 1.2 or higher. Customer data and backups are encrypted at rest using AES-256.
Data protection and GDPR. Soon acts as a data processor under GDPR. A Data Processing Agreement is available and forms part of standard customer contracting. Soon supports customer obligations for data subject rights including access, correction, and deletion. A current sub-processor list is maintained and shared on request.
6. Monitoring, logging, and incident response
Soon maintains centralised logging and continuous monitoring across production systems. Infrastructure metrics are collected via AWS CloudWatch and application errors are tracked via Sentry, with alerting configured for availability and error-rate anomalies.
Incident response. Security incidents are triaged by severity and handled by engineering leadership. Customers are notified without undue delay of any incident affecting their data or service, in line with GDPR and contractual commitments.
7. Business continuity
Soon's architecture relies on AWS managed services with multi-availability-zone redundancy for high availability. Backups, recovery procedures, and operational runbooks support restoration in the event of an infrastructure failure or data loss event.
8. Security contact
For security questionnaires, vendor risk reviews, or further detail on any control listed above, please contact security@soon.works. Soon participates fully in customer security reviews as part of enterprise onboarding.