Overview
At ChartMogul, we pride ourselves on maintaining your data in a safe and trustworthy environment, and on having implemented controls and best practices that provide the highest standard of security for our users.
The following is an overview of our privacy and security protocols. Our processes are constantly improving — refer to this document for updates.
Data access
Securing access to data starts with people — and we invest a lot of time in hiring the best. Our teams are made up of professionals with experience building highly secure, enterprise-scale applications for companies of all sizes, from startups to large public companies. At ChartMogul, we train all new hires (regardless of their role) on up-to-date security policies and industry standards.
Your data is your property, and we’ll never sell it to anybody. We will only access your ChartMogul account with your permission — or if we detect suspicious activity or believe our Terms of Service are being violated. In addition, we monitor, log, and continuously review all employee access to your data.
Data privacy
- GDPR compliant: ChartMogul and all our third-party providers comply with the EU’s General Data Protection Regulation.
- Credit cards: We neither process nor store any credit card details belonging to you or your customers. In fact, no credit card data ever transits through or is stored in our infrastructure.
- Passwords: We encrypt all passwords before storing them in our database. You are responsible for choosing a strong password and keeping it secret. Two-factor authentication is available to all ChartMogul users, and we strongly recommend enabling it as an additional layer of security.
Application security
- Encryption in transit and at rest: Data in transit is always protected with TLS. Our databases are encrypted at rest, following industry standards.
- Crafting security: We train our developers in secure software development practices. Additionally, we use automated code analysis tools in our development pipeline to ensure vulnerabilities aren’t introduced into our codebase.
- Building secure applications: Our security team takes part in both the design and implementation of any new feature that could increase our attack surface.
- Security assessments: We carry out security code reviews and penetration testing on an annual basis to ensure the integrity of our platform.
- Incident response plan: We follow SANS Incident Response methodology to handle incidents happening on our platform. We run a comprehensive post-mortem on each incident in order to both prevent such incidents from happening again and improve our remediation actions.
- SOC 2 Report: We have our SOC 2 Type 2 report and regularly submit to external audits to demonstrate continued compliance. To request our most recent SOC 2 report, please sign our NDA here: https://app.hellosign.com/s/K3BwPUnU
Resiliency and availability
- 99.9% uptime: ChartMogul’s availability consistently exceeds 99.9%.
- 24x7 monitoring: Our engineering team performs on-call rotations to monitor our application, software, and infrastructure using best-of-breed services that are highly reliable and compliant with industry standards.
- Disaster recovery: We back up all customer data using replicas with additional backup snapshots.
- Fault tolerance: Our architecture provides multiple failover instances to prevent outages due to single points of failure.
Infrastructure and networks
ChartMogul is fully hosted on AWS within the Europe region. In our network topology, we make use of:
- Cloudflare as our network and web application firewall.
- Amazon VPC to segment our internal network.
We monitor our networks using a variety of solutions, including Cloudflare, Datadog, and Sysdig.
Frequently asked questions
I am a ChartMogul customer, and there is suspicious activity in my account. What should I do?
Please contact us immediately.
I am a security researcher, and I’ve found a vulnerability in ChartMogul. How can I report it?
At ChartMogul, we welcome input from and are happy to work with security researchers. Please review our Vulnerability Disclosure Policy for more information on reporting security vulnerabilities.
Updated: August 16, 2023