NEW: Chisel featured in 42 G2 reports for Spring 2024. Click to learn more 🏆

Security Policy

At Chisel, we maintain top performance and give you the best user experience while keeping your data secure.

SOC2 Certified

Chisel is SOC 2 Type 2 Certified. A copy of the SOC 2 Type 2 report can be provided upon request.

24/7 Dedicated security team

Chisel's security team is available round-the-clock to promptly address security alerts and incidents.


Chisel is hosted on Amazon Web Services, providing end-to-end security and privacy features built-in.

Data storage and password encryption

All user passwords are hashed with a PBKDF2-based robust hashing algorithm and individual salts per password.

Data encryption in transit

The industry-standard Transport Layer Security (TLS) is implemented in all communication between Chisel servers and the client browser for enhanced security.

Credit card & payment security

All payments are processed through our partner Stripe. We do not store any credit card information or related personal information on our servers.

Business continuity

The architecture of Chisel enables business continuity, daily backups, and disaster recovery strategies for resuming operations in the case of inevitable disruptions.

Privacy policy

Our privacy policy is designed to ensure that your data is always protected. You can read more about our privacy policy here.


Access to data within the Chisel application is governed by role-based access controls (RBAC). Chisel has 2 major permission levels for users (maker with admin access, contributor with limited access).

Separate Environments

Production environment is logically separated from the testing and staging environments. No Service Data is used in our development or test environments.

High availability (HA)

Chisel’s systems offer 99% or higher operational uptime, ensuring maximum availability for our users.

Intrusion Detection & Prevention

Our security protocols continuously monitor our systems and will alert our security team every time unusual activity is detected, enabling timely resolution.

DDoS Mitigation

We use AWS WAF to protect against common web exploits and bots that can affect availability, compromise security, or consume excessive resources.

Logical Access

The Production network is only accessible to authorized personnel using multiple-factor authentication and on a strict need-to-know basis, employing the principle of least privilege.

Virtual Private Cloud

We use a virtual private cloud (VPC) with access control lists (ACLs) to block unauthorized requests from reaching our internal server network.

Monitoring & Backups

We log all actions taken on production consoles or in the application. The audit logs are stored and analyzed by Cloudwatch, and archived to Amazon S3.

Authentication & Permissions

Access to customer data is strictly limited to authorized employees who require it for their job responsibilities. We protect access to our cloud services through SAML Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies.

Framework Security Controls

We limit exposure to OWASP Top 10 security risks by using modern and secure open-source frameworks that include security controls. These controls reduce our exposure to threats like SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF).

Pentests & Vulnerability Scanning

We proactively engage independent security experts at least once a year to conduct thorough penetration tests on both our application and network.

Immediate Response to Security Incidents

All system alerts are escalated to our 24/7 security teams. Team members are trained on how to respond to these incidents, including communication and escalation channels.

Secure Code Development (SDLC)

Our engineers get regular training on our security controls, along with OWASP Top 10 security risks and other common attack vectors.

QA & Testing

Our dedicated security team identifies, tests, and triages security vulnerabilities, while our Quality Assurance (QA) team reviews and tests our code base weekly.

Security Policies

Our security policies are based on the ISO 27002:2013 ISMS framework and SOC 2 Trust Criteria Focus Points and are updated frequently and communicated to all employees.

Employee Policies

All new employees complete Security and Awareness training annually, and must sign a confidentiality agreement as part of their contract.


Security concern?

If you think you may have found a security vulnerability, please get in touch with our security team at

in Implementation Index for Product Management
in Usability Index for Strategy and Innovation Roadmapping Tools
in Momentum Grid® Report for Enterprise Feedback Management
in Momentum Grid® Report for Strategy and Innovation Roadmapping Tools

Craft amazing products with Chisel!