Documentation

🛡️ Opensolr Information Security Policy

This document outlines Opensolr’s current data security and privacy practices.
Our policies evolve with the industry, so please check back for updates or contact us with suggestions.


1. Introduction

  • Opensolr is ISO9001 & ISO27001 Certified
    (Recognized standards for quality and information security.)

  • Types of Data Processed:

    • Logical Data:
      • User identification and profile data.
      • Used to provide the Solr Cloud Hosting Platform and related services, managed securely with Role-Based Access Control (RBAC).
    • Solr Data:
      • The data you host with Opensolr, in your own designated environment/server.
      • Stored globally with leading datacenter and cloud providers, including:

2. 🔒 Confidentiality

  • All data types are protected under our GDPR Information Security Policies and our main privacy policy.

  • Logical Data:

    • Securely stored on encrypted Opensolr Main Data Servers (AWS Cloud).
    • Identifies each user (free, paid, or blocked status).
    • User activity logs are encrypted and provide a full transparency trail.
    • Only accessible to the Opensolr Account Owner via the Control Panel.
    • Security policies:
      • User/Password Authentication
      • Two-Factor Authentication (Authy/SMS, optional)
  • Solr Data:

    • Securely stored per your choice of datacenter/cloud.
    • Security policies:
      • SSL Data Transmission
      • HTTP Authentication
      • IP Access-Based Authorization
    • Accessible only to the Account Owner and invited team members (verified).
    • Never made public unless the Owner explicitly authorizes it, via our Support Helpdesk.

3. 🧩 Integrity

  • Logical Data (User Identity):
    • Not changed by Opensolr employees except:
      • Upon explicit owner request (via Support Helpdesk).
      • By the owner through the Control Panel (with full change logs).
  • Solr Data:
    • Updated/removed only by the Account Owner or authorized team members after passing security checks.

4. ⚡ Availability

  • All authorized users have reliable, timely access to Opensolr services.
  • Infrastructure is built for high availability and resilience, even during failures.
  • Risk mitigation & high availability:
    • Solr Data Backup tools for creating, downloading, or restoring data/configs.
    • Solr Index Replication for direct index replicas across regions.
    • Main system replication & redundancy worldwide.
    • Custom and third-party Web Application Firewall (WAF) systems (e.g., Apache mod_security).

5. 🎯 Authenticity

  • Uses the latest SSL standards and configurations for secure, authentic transfers.
  • Never requests or transfers biometric or location data.
  • All data transfers are subject to:
    • WAF AI verification (blocking/whitelisting)
    • SSL security keys and fingerprint verification for authentic transmissions

6. 📝 Non-Repudiation

  • Opensolr keeps detailed logs and revisions of all critical data transfers, user identification, and actions.
  • All support interactions are logged and revisioned via our Support Helpdesk System.

Questions or feedback?
Contact us here.

📄 Opensolr General Data Privacy Terms

1. Membership and Agreement


2. Data Collected by Opensolr

  • Opensolr collects minimal mandatory data at registration:
    • Email address
    • Chosen password
  • You may change your password at any time.
  • To update your registration email address, submit a formal request to support@opensolr.com.
  • Members may optionally add more personal data (e.g., website, social links) and create Opensolr Cloud Indexes to store data as needed.
  • Opensolr does NOT directly collect, store, or process any billing or payment information from members or third parties.
  • Your Solr Index Data is never accessible to Opensolr staff, subcontractors, or third parties without your consent—except in urgent technical emergencies required to restore service.

3. Personal Data Processing

  • Opensolr will never make public, sell, or trade any member’s personal information.
  • Your email address is used solely for login and identification.
  • Strict security measures protect all data stored and processed via Opensolr cloud infrastructure.
    See our Cloud Data Security FAQ for more details.
  • As above, Opensolr never directly collects or stores billing or payment data.
    All payments and billing are processed through highly secure, PCI-compliant APIs provided by Stripe.com.

4. Data Security

  • All data on Opensolr infrastructure is protected by SSL encryption.
  • SSL certificates are re-keyed and renewed annually.
  • Opensolr.com always uses EV-SSL for maximum browser and user trust.
  • All accounts can activate Two-Factor Authentication (2FA) via SMS or Authy.
    Our 2FA system is delivered securely via SSL and managed by Twilio.

5. Communication Policy

  • Opensolr will never send unsolicited emails or postal mail.
  • All official Opensolr communications are mandatory for members and limited to:
    • System maintenance and emergency alerts
    • Membership notifications (trial expiration, resource usage, password resets, etc.)
    • Service developments and updates relevant to all members

To opt out of Opensolr communications, you must request account cancellation by emailing support@opensolr.com.

🏆 Opensolr: ISO27001 & ISO9001 Certified


Why ISO Certification Matters

At Opensolr, we believe that trust, quality, and security are the foundation of every successful search solution.
That’s why we’re proud to be officially certified for both ISO27001 (Information Security Management) and ISO9001 (Quality Management).


🔐 ISO27001: Information Security Management

  • World-class data protection: Your data is managed using global best practices for confidentiality, integrity, and availability.
  • Continuous risk management: We proactively identify and mitigate security threats to keep your information safe.
  • Compliance assurance: Our ISO27001 certification means Opensolr meets strict requirements recognized by businesses and regulators worldwide.

🏅 ISO9001: Quality Management

  • Consistent, reliable service: Our processes are optimized for quality, efficiency, and continuous improvement.
  • Customer focus: We put your needs at the center of everything we do, driving high customer satisfaction.
  • Process transparency: ISO9001 ensures clear procedures, fewer errors, and a smooth customer experience.

🌍 The Benefits for You

  • Peace of mind: Your data and services are protected by proven, independently audited standards.
  • Business readiness: Opensolr can support even the most demanding enterprise, compliance, and public sector requirements.
  • Trusted partnership: Our commitment to quality and security is not just a promise—it’s certified.

Want to know more about our certifications or request documentation?
Contact our team — we’re happy to help.

🔐 Opensolr Security Mechanisms

At Opensolr, your data security is at the heart of everything we do.
Here are the key security mechanisms we implement to keep your search infrastructure safe:


1. 🛡️ IP Access Rules per Request Handler

  • Restrict access to critical Solr request handlers (such as /select, /update, etc.) by IP address.
  • Configure your own rules to allow only specific IP addresses or use the "all" wildcard for broader access.
  • Gain precise control over which systems can interact with your indexes.

2. 🔑 HTTP Authentication

  • Protect your index with a username and password, required for every request.
  • Ensure only authorized users and systems can access or update your Solr data.
  • Simple, robust access management for every request handler.

3. 🔒 SSL Connections

  • All communication—across the Opensolr website and all cloud servers—is protected by state-of-the-art SSL encryption.
  • Safeguard your data in transit, with industry-standard encryption for all web and API traffic.

Want to learn more about how we protect your data or set up advanced security?
Contact our team—we’re here to help.

🌐 Opensolr AJAX & HTTP Authentication Requests

AJAX-based HTTP requests are a modern, secure way to interact with Opensolr from your own web applications and client-side scripts.
To ensure maximum security for our users and infrastructure, Opensolr implements a strict CORS (Cross-Origin Resource Sharing) and origin whitelisting policy for all AJAX requests that require HTTP Authentication.


🔒 Why Whitelisting Is Required

  • Security First:
    Restricting allowed origins helps protect your Solr data from unauthorized or malicious cross-site requests.
  • Minimizing Attack Surface:
    Only approved domains can interact with your index via AJAX, which blocks drive-by and XSS-style attacks.
  • Compliance:
    Many enterprise and regulatory frameworks require origin controls for API and cloud service access.

🚦 How to Request AJAX HTTP Auth Access

To enable AJAX access from your website or app, follow these steps:

  1. Submit a Support Ticket:
    Click the link and fill out the ticket form.

  2. Provide the Following Details:
    • Origins:
      The exact domains or origins (e.g., https://yourapp.com, https://admin.partner.com) you will be making AJAX requests from.
    • Index or Cluster Name:
      The name of the Solr index or cluster you want to access via AJAX.
    • Account Email:
      The email address used to register your Opensolr account.

  3. We Whitelist Your Origins:
    Our team will configure the Opensolr cloud to allow AJAX requests only from your specified domains.


🛡️ What Happens Next?

  • Once your origins are whitelisted, you’ll be able to make secure, authenticated AJAX requests to your Opensolr index.
  • Requests from other, non-approved domains will be blocked by default for your safety.
  • You can update your list of allowed origins at any time—just submit another ticket!
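
The origin check this section describes, sketched as an added example (it is not Opensolr's server code). `toOrigin` and `corsHeadersFor` are hypothetical names, the allowlist holds the two sample origins from the ticket instructions, and the https-only rule and the look-alike host in the comments are assumptions made for the illustration.

```javascript
// Added illustration of origin allowlisting; not Opensolr's server code.
// Reduce a submitted value to a bare origin (scheme + host + non-default port).
function toOrigin(value) {
  const url = new URL(value); // throws on malformed input
  // Assumption for this example: only https origins are accepted.
  if (url.protocol !== "https:") throw new Error(`not an https origin: ${value}`);
  return url.origin; // drops path, query and trailing slash
}

// Sample origins from the ticket instructions; hypothetical allowlist.
const ALLOWED_ORIGINS = new Set(
  ["https://yourapp.com/", "https://admin.partner.com"].map(toOrigin)
);

// Decide which CORS response headers a request gets (hypothetical helper).
function corsHeadersFor(request, allowed = ALLOWED_ORIGINS) {
  const origin = request.headers.origin;
  // No Origin header: not a browser cross-origin call, so CORS does not apply.
  // HTTP Auth and IP access rules still decide whether it is served.
  if (origin === undefined) return { decision: "no-cors", headers: {} };
  // Exact match only. Prefix or suffix matching would also accept look-alike
  // hosts such as https://yourapp.com.example.net; "null" is never listed.
  if (!allowed.has(origin)) {
    return { decision: "blocked", headers: { Vary: "Origin" } };
  }
  const headers = {
    // Echo the origin: browsers reject "*" on credentialed requests.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // stop caches reusing this response for another origin
  };
  const preflight = request.method === "OPTIONS" &&
    request.headers["access-control-request-method"] !== undefined;
  if (!preflight) return { decision: "allowed", headers };
  // Authorization is not a CORS-safelisted request header, so the browser
  // preflights and the response must name it explicitly.
  headers["Access-Control-Allow-Methods"] = "GET, POST";
  headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
  return { decision: "preflight-ok", headers };
}
```

CORS is enforced by the browser, so a client that sends no Origin header is outside it; that is why the index still needs HTTP Authentication and IP access rules alongside the origin allowlist.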

Have questions or special requirements?
Contact support—we’re here to help you build securely and confidently with Opensolr.

🔑 Opensolr Index HTTP Authentication Policy

It is now mandatory that every Opensolr index is protected with HTTP authentication to ensure security and privacy.


🚀 Default Credentials for New Indexes

When you create a new index, Opensolr automatically sets up HTTP Auth credentials:

  • Username:
    opensolr
  • Password:
    Your account’s Automation REST API KEY

You can find your API KEY in your Opensolr dashboard.


🛠️ How to Change HTTP Auth Credentials

You may change your HTTP Auth username and password at any time:

  1. Go to your Opensolr Index Control Panel.
  2. Click the Security tab on the left menu.
  3. Update your credentials as needed.

⚠️ Important Notes on API Keys

  • When you generate a new API KEY in your Control Panel Dashboard:
    • Newly created indexes will use the new API KEY as their password.
    • Existing indexes will keep their old API KEY as the password.
      (Regenerating your API KEY does not change the password for indexes you created earlier.)

If you want to update the password for an existing index, change it manually in the Security tab.


💡 Pro Tip

  • Keep your API KEY confidential—it acts as the password for HTTP authentication.
  • Regularly review and update your credentials, especially if you rotate API keys for security.
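
One way to check the rotation behaviour described above, as an added example (not Opensolr code): it sends a retired API key to each of your own indexes and reports where that key is still accepted as the HTTP Auth password. The index URLs are constructed placeholders (the page does not give the URL format), and `basicAuthHeader` and `auditRetiredKey` are hypothetical names.

```javascript
// Added example for Node.js; not Opensolr code.
// Constructed placeholder URLs: replace with the query URLs of your own indexes.
const SAMPLE_INDEX_URLS = [
  "https://solr.example.invalid/solr/old_index/select?q=*:*&rows=0",
  "https://solr.example.invalid/solr/new_index/select?q=*:*&rows=0",
  "http://solr.example.invalid/solr/plain_index/select?q=*:*&rows=0",
];

// Build the HTTP Basic "Authorization" header value for a username/password pair.
function basicAuthHeader(username, password) {
  return "Basic " + Buffer.from(`${username}:${password}`, "utf8").toString("base64");
}

// Probe each index with the retired key and record how it responded.
// fetchImpl is injectable so the logic can be exercised offline.
async function auditRetiredKey(indexUrls, retiredKey, username = "opensolr", fetchImpl = fetch) {
  const report = [];
  for (const url of indexUrls) {
    if (!url.startsWith("https://")) {
      // Never send a credential, even a retired one, over plain HTTP.
      report.push({ url, result: "skipped-not-https" });
      continue;
    }
    try {
      const res = await fetchImpl(url, {
        method: "GET",
        headers: { Authorization: basicAuthHeader(username, retiredKey) },
        redirect: "manual", // do not carry the header along to another host
      });
      // 401 means the retired key was rejected; a 2xx means it still works here.
      const result = res.status === 401 ? "rejected"
        : res.status >= 200 && res.status < 300 ? "STILL-ACCEPTED"
        : `inconclusive-${res.status}`;
      report.push({ url, result });
    } catch (err) {
      report.push({ url, result: "unreachable" });
    }
  }
  return report;
}
```

Any index reported as `STILL-ACCEPTED` needs its password changed manually in the Security tab, as described above.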

Need help or have questions?
Contact Opensolr support anytime!

🛡️ Opensolr & The Log4j Vulnerability (CVE-2021-44228)

What is the log4j exploit?

The log4j vulnerability (CVE-2021-44228) is a critical security issue discovered in December 2021.
It allows attackers to execute code remotely on vulnerable systems by exploiting the way log4j processes certain input when it is logged, so that an untrusted log entry can end up running attacker-supplied code on the server.

Summary:
If a vulnerable application logs user-controlled input using log4j, an attacker can craft input that gets executed as code on the server.


🚨 Is Opensolr affected by the log4j exploit?

No. The Opensolr service is not vulnerable.
This vulnerability was fully patched across the entire Opensolr ecosystem on December 11, 2021.

Your Solr data and indexes hosted by Opensolr have been—and remain—protected.


📋 Did this vulnerability impact my servers or data?

No.

  • Opensolr patched all managed environments immediately after the vulnerability was disclosed.
  • However: We strongly recommend you review and patch any of your own Java applications or infrastructure, if they use log4j.


🧩 Am I safe if I’m running Solr version 1–8?

Yes.

  • The Opensolr patch protects all Solr versions, regardless of which you are running.
  • This was not a Solr-specific issue—it was a vulnerability in the log4j library, used by many Java applications.
  • If log4j is patched, your Solr install is safe.

Need a different Solr version?

  • You can add a new index with a recent Solr version container/server from your Opensolr Control Panel.
  • (Custom migrations or upgrades can be performed by our team for a fee.)


⚠️ What if I run Solr or other Java apps myself?

  • If you manage your own Java services (inside or outside Opensolr), you should patch or update log4j immediately.
  • There are many detailed guides and official resources available online:

🛡️ Best Practices & Next Steps

  • Always apply vendor security patches promptly.
  • Monitor official Solr and Apache log4j channels for updates.
  • Contact Opensolr support for assistance or questions about your managed indexes.

Security is a shared responsibility. Opensolr is committed to protecting your data and providing fast, transparent responses to new threats.

Dataimport (DIH) cannot be reached

Due to certain security concerns, the dataimport (DIH) Solr feature is now disabled globally across the entire Opensolr ecosystem.
However, you can still use the dataimport (DIH) Solr feature by asking us to enable it for your index(es) through our Support Helpdesk at https://opensolr.freshdesk.com/ or directly by email at support@opensolr.com.

Important:

  • It is now mandatory that every Opensolr index is password protected.
  • When creating a new index, the default HTTP Auth credentials are:
  • You can always change your HTTP Auth credentials from your Opensolr Index Control Panel by clicking the Security tab on the left side of the index administration menu.

You can enable TFA in your Opensolr account as follows:





