Understanding Encryption
A plain-language guide to how Soli protects your client data. No technical background required.
What encryption means in plain language
Encryption is a way of scrambling information so that only the intended recipient can read it. Think of it like putting a letter inside a locked box. Anyone can carry the box from point A to point B, but only the person with the key can open it and read the letter inside. Without the key, the contents look like random nonsense.
Soli uses encryption to protect every piece of client data that passes through its systems — form submissions, text messages, voicemail recordings, voicemail transcripts, and AI call transcripts. The data is scrambled before it leaves the device where it was created, and it stays scrambled until it reaches your authorized device, where it is unscrambled so you can read it.
How Soli Forms protects submissions
Here is what happens when a client fills out a form on your website, step by step:
1. The client fills out the form in their web browser — their name, contact information, reason for seeking services, insurance details, or whatever fields your form includes.
2. The data is encrypted in the browser before it is sent anywhere. The client's browser uses your practice's public encryption key to lock the data. This happens automatically — the client does not need to do anything special.
3. The encrypted submission travels to the server and is stored there. The server never sees the unscrambled data. It holds the locked box, but it does not have the key.
4. Only your device can open it. When you open the Soli Forms application on your computer, your private encryption key — which lives only on your device and never leaves it — unlocks the submission so you can read it.
The private key that unlocks your submissions is generated on your device when you create your account. It is stored in your device's secure storage and is never uploaded to any server. This is why Soli Forms uses a local-first architecture — your device is the only place where the key exists.
How Soli Line protects messages
Soli Line takes a slightly different approach because phone communication needs to work across multiple devices (your desktop computer, your phone, and potentially a colleague's device). Here is how it works:
1. Your login creates a unique key. When you sign in, your password is used to derive an encryption key through a process called key derivation. Your password goes through 600,000 rounds of a mathematical function that produces a unique key. This key exists only in your device's memory while you are signed in.
2. Messages are locked with a shared line key. Each phone number in your practice has its own encryption key (called a line key). This line key is what actually encrypts and decrypts messages on that number. The line key itself is encrypted with your personal derived key and stored on the server in that locked form.
3. Only authorized devices can read them. When you sign in on any device — desktop or mobile — your password derives the same key, which unlocks the line key, which unlocks your messages. The server stores everything in encrypted form and cannot read any of it.
This design means that if you lose your phone, your messages are safe. The device that was lost cannot decrypt anything without your password. You can sign in on a new device and access all your encrypted message history immediately.
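For readers who want to see the key chain described above in code, here is an added sketch (not Soli's own code) of password to personal key to line key to messages. It assumes PBKDF2-HMAC-SHA256 for the key derivation and AES-256-GCM for the locking, neither of which this page names; all function and field names are hypothetical.

```javascript
// Added illustration. ASSUMPTIONS: PBKDF2-HMAC-SHA256 as the key-derivation
// function and AES-256-GCM as the cipher; the page names neither.
const nodeCrypto = require('node:crypto');

const ROUNDS = 600000; // the round count stated on the page

// Password -> personal key. Same password + salt gives the same key on any device.
function derivePersonalKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, ROUNDS, 32, 'sha256');
}

// Authenticated encryption; output layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

function open(key, blob) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was modified
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Account setup: random line key, kept on the server only in wrapped form.
function createLine(password) {
  const salt = nodeCrypto.randomBytes(16);
  const lineKey = nodeCrypto.randomBytes(32);
  const wrappedLineKey = seal(derivePersonalKey(password, salt), lineKey);
  return { lineKey, serverRecord: { salt, wrappedLineKey, messages: [] } };
}

// Sign-in on any device: password -> personal key -> line key -> messages.
function readMessages(password, serverRecord) {
  const personalKey = derivePersonalKey(password, serverRecord.salt);
  const lineKey = open(personalKey, serverRecord.wrappedLineKey);
  return serverRecord.messages.map((m) => open(lineKey, m).toString('utf8'));
}

// Constructed sample data: one message, read back on a "new device".
function demo() {
  const { lineKey, serverRecord } = createLine('correct horse battery staple');
  serverRecord.messages.push(seal(lineKey, Buffer.from('Running 5 min late', 'utf8')));
  const onNewDevice = readMessages('correct horse battery staple', serverRecord);
  let wrongPasswordRejected = false;
  try { readMessages('guess123', serverRecord); } catch { wrongPasswordRejected = true; }
  return { onNewDevice, wrongPasswordRejected, serverRecord };
}
```

Everything in `serverRecord` is either random (the salt) or encrypted, which is why a lost device or a copy of the server's storage reveals nothing without the password.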
What “zero-knowledge” means
When Soli says it is a "zero-knowledge" platform, it means that Soli's servers cannot read your data. The term comes from the fact that the company has zero knowledge of what your encrypted information contains. Soli stores your data, transmits it between your devices, and backs it up — but at no point can any Soli employee, server process, or automated system read the actual content.
This is fundamentally different from most software that claims to be "secure." Many platforms encrypt data "at rest" (when it is sitting on a hard drive) and "in transit" (when it is moving across the internet), but the company itself holds the keys and can decrypt your data whenever it wants — for support requests, legal demands, or internal analysis. With Soli, the keys live on your devices. Even if Soli's servers were compromised, the attacker would find only encrypted data they cannot read.
What a BAA is and why it matters
A Business Associate Agreement (BAA) is a legal contract required by HIPAA whenever a healthcare provider shares protected health information (PHI) with a third-party service. If you use software that touches client data — names, contact information, treatment details, billing records — the software company is considered a "business associate" and must sign a BAA with you.
The BAA establishes legal responsibility. It means the business associate agrees to protect PHI according to HIPAA standards, report any breaches, and limit how the data is used. Without a BAA, using a software tool to handle client information puts your practice at risk of a HIPAA violation — even if the tool itself is technically secure.
Soli provides a BAA as part of every subscription. For Soli Line, the telephony infrastructure provider (Telnyx) also operates under a separate BAA that covers the carrier layer. This means the entire chain — from your client's phone call, through the carrier, to Soli's server, to your device — is covered by appropriate legal agreements.
How this is different from other platforms
Most practice management tools store your client data in a way that the company can access. They may encrypt data "at rest" on their servers and "in transit" over the internet, but the company holds the decryption keys. This means the company's employees, support staff, and servers can technically read your client information. It also means that if the company is hacked, the attacker may gain access to readable data.
Soli's approach is different. Because your encryption keys never leave your devices, the data stored on Soli's servers is unreadable without your keys. A breach of Soli's servers would expose only encrypted data — which is useless without the keys that exist only on your personal devices. This is the same model used by privacy-focused email and password management services.
For a therapist, this means you can confidently tell your clients that their intake information, messages, and voicemails are protected by the strongest practical level of encryption available — and that not even the software company can read them.
A note on responsibility
Because Soli cannot access your encryption keys, it also cannot recover your data if you lose access to all of your authorized devices (in the case of Soli Forms). Choose a strong, memorable password and keep your devices secure. For Soli Line, your password is the foundation of your encryption — any device where you sign in can access your messages, so protect your credentials accordingly.