Technical Security Overview

1.0 Purpose

This document has been compiled to provide clients and partners with an overview of Sonar Software’s security-related technologies, policies, and best practices by addressing many of the most common questions and areas of importance to our valued business partners.

The information in this document is to be considered highly confidential and may only be distributed, with permission, within the implementing organization.

If you require any additional information please reach out to your Sonar contact and they will initiate the internal request immediately.

2.0 Information Security

2.1 Cloud Security

Sonar leverages the power and security of Microsoft Azure, DigitalOcean, and Amazon Web Services (AWS) to keep client data secure, confidential, and private in the cloud.

Microsoft Azure Cloud Infrastructure Certifications: ISO 9001, ISO 27001, ISO 27017, ISO 27018, ISO 20000-1, ISO 22301, SOC 1-3, CSA STAR.

DigitalOcean Cloud Infrastructure Certifications: ISO 9001, ISO 27001, ISO 14001, ISO 50001, ISO 22301, SOC 1-3, CSA STAR, PCI-DSS.

AWS Cloud Infrastructure Certifications: ISO 9001, ISO 27001, ISO 27017, ISO 27018, SOC 1-3, FedRAMP & FIPS.

Laws, Regulations & Privacy: PIPEDA, CISPE, FERPA, HIPAA, ITAR & EU DPD.

Alignments/Frameworks: CIS, CJIS, CSA, FISC, FISMA, ICREA, NIST & EU-US Privacy Shield.

All data centers maintain SSAE 16 (now SSAE 18) SOC 1 attestation through their auditors. The attestation is based on an in-depth series of documented controls covering the operational management of the data center hosting infrastructure.

For more details, visit:

2.2 Network Security

  • Network Security Group (NSG)-controlled access to our private VNets.
  • Extended Detection and Response (XDR) monitoring of security vulnerabilities and threats.
  • Intrusion detection and prevention systems to protect against malware threats, brute-force attacks, SQL injections, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, worms, and botnets.
  • Operating procedures, security policies, and processes ensuring the safety of all Sonar employees, suppliers, partners and customers.
  • Operating procedures, security policies, and processes controlling the quality of, and maintaining the integrity of, all Sonar information systems and services.
  • Monitoring systems providing continuous availability and optimized performance.
  • Administrative access to all servers only over VPN.
  • Centralized logs for all services.
  • Audit logs of all environmental changes.

2.3 Data Security

  • Data is transmitted to and from our servers over HTTPS and is encrypted in transit with TLS, using AES with 256-bit keys.
  • Data is encrypted at rest using AES-256.
  • All communications are encrypted with TLS (often still referred to as SSL), and all data is stored in SOC 1 Type II, SOC 2 Type I, and ISO 27001 certified data centers.
  • Tokenization of sensitive client payment data.
  • Geographic Data residency options are available.

2.4 Physical Security 

Sonar applications are hosted on Microsoft Azure in state-of-the-art regional data centers, designed to protect mission-critical systems with fully redundant subsystems and compartmentalized security zones. Our cloud data centers adhere to the strictest physical security measures including, but not limited to, the following:

  • Multiple layers of authentication for server area access
  • Two-factor biometric authentication for critical areas
  • Camera surveillance systems at key internal and external entry points
  • 24/7 monitoring by security personnel
  • All physical access to the data centers is highly restricted and stringently regulated

2.5 User Controls

Access to Sonar sessions is under the control of Super Administrators. Sonar Super Administrators are assigned by the customer for each Sonar instance with module-based user roles, and granular-access permissions.

3.0 Application Security

3.1 Application Environment

  • Code check-ins that are peer reviewed
  • Enforced password complexity rules and restrictions on re-use
  • Session access control to restrict access to session data
  • Session timeout policy in place and enforced
  • Server OS Hardening and Configuration Management
  • HTTP security headers:
      • X-XSS-Protection (a legacy header; current browsers no longer enforce it, so Content-Security-Policy is the effective XSS control)
      • X-Frame-Options
      • Strict-Transport-Security (HSTS)
      • Cache-Control
      • X-Content-Type-Options (nosniff)
      • Content-Security-Policy
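The following Python script is an added example, not code from Sonar or from this document. It checks a response's header set against the baseline the list above describes: HSTS present with a long max-age, a CSP whose script sources are not wide open, X-Frame-Options restricted, nosniff set, and no-store on responses that may carry session data. The threshold values (a one-year HSTS max-age, no-store for Cache-Control) and the two sample header sets are assumptions constructed for the example.

```python
import re

# Thresholds below are assumptions for this example, not Sonar's stated policy.
MIN_HSTS_MAX_AGE = 31536000  # one year, in seconds


def _csp_directives(csp: str) -> dict:
    """Parse a Content-Security-Policy value into {directive: [source tokens]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.lower().split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def check_security_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means the response meets the baseline."""
    h = {name.lower(): value for name, value in headers.items()}  # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        d = _csp_directives(csp)
        # script-src falls back to default-src when absent, as browsers do
        script_sources = d.get("script-src", d.get("default-src"))
        if script_sources is None:
            findings.append("CSP has neither script-src nor default-src")
        elif "'unsafe-inline'" in script_sources or "*" in script_sources:
            findings.append("CSP script sources allow 'unsafe-inline' or a wildcard")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")

    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("Cache-Control lacks no-store (authenticated pages may be cached)")

    if "x-xss-protection" in h:
        findings.append("X-XSS-Protection present: legacy header not enforced by current browsers; rely on CSP")

    return findings


# Constructed sample header sets (not captured from any real service).
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "ALLOWALL",
    "Cache-Control": "private, max-age=600",
}

HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {check_security_headers(hdrs) or 'no findings'}")
```

The checker deliberately treats X-XSS-Protection as a finding rather than a control: the filter it once enabled has been removed from current browsers, so its presence signals that the CSP should be reviewed as the real defence. Feed it the headers of an authenticated page, not just the landing page, since Cache-Control is usually only set correctly on the latter.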

3.2  Penetration Testing

Sonar completes annual independent penetration testing to check for exploitable vulnerabilities, and to ensure the integrity of our online defenses.

4.0 Technology Governance

4.1 Compliance

Sonar is actively working towards ISO/IEC 27001 certification, with the goal of completing it within the next 12 months. Sonar's commitment to privacy and security is centered on protecting your data, preventing external threats, empowering your individual rights, and the transparency required by the GDPR (General Data Protection Regulation). Sonar's cloud service platform meets, or is aligned with, a number of international and industry-specific compliance standards and frameworks, including the GDPR, the CCPA (California Consumer Privacy Act), PIPEDA (Personal Information Protection and Electronic Documents Act), and the NIST Cybersecurity Framework (CSF).

4.2 Privacy Practices

Sonar has implemented a Privacy Management Program aligned with global privacy and data-protection requirements, including PIPEDA and the CCPA, and with the PCI DSS for payment card data.

We use tokenization for sensitive payment data: the sensitive value is replaced by a token that has no meaning outside the tokenization system, so the underlying data itself does not have to be transferred or stored with the rest of the record. We have stringent requirements and processes to follow when choosing our data-storage providers, who must maintain the highest level of compliance with privacy legislation.

4.3 Operational Management & Access

Sonar may require access to customer data when dealing with support requests. When this is required, the Sonar customer support agent will request access from the customer Administrator, who will then grant the access and be responsible for removing it when the support request is completed.

Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy. We have strict policy and technical access controls that prohibit employee access except in these circumstances.
