Security Policy
At Chisel, we maintain top performance and give you the best user experience while keeping your data secure.
At Chisel, we maintain top performance and give you the best user experience while keeping your data secure.
Chisel is SOC 2 Type 2 Certified. A copy of the SOC 2 Type 2 report can be provided upon request.
Chisel's security team is available round-the-clock to promptly address security alerts and incidents.
Chisel is hosted on Amazon Web Services, providing end-to-end security and privacy features built-in.
All user passwords are hashed with a PBKDF2-based robust hashing algorithm and individual salts per password.
The industry-standard Transport Layer Security (TLS) is implemented in all communication between Chisel servers and the client browser for enhanced security.
All payments are processed through our partner Stripe. We do not store any credit card information or related personal information on our servers.
The architecture of Chisel enables business continuity, daily backups, and disaster recovery strategies for resuming operations in the case of inevitable disruptions.
Our privacy policy is designed to ensure that your data is always protected. You can read more about our privacy policy here.
Access to data within the Chisel application is governed by role-based access controls (RBAC). Chisel has 2 major permission levels for users (maker with admin access, contributor with limited access).
Production environment is logically separated from the testing and staging environments. No Service Data is used in our development or test environments.
Chisel’s systems offer 99% or higher operational uptime, ensuring maximum availability for our users.
Our security protocols continuously monitor our systems and will alert our security team every time unusual activity is detected, enabling timely resolution.
We use AWS WAF to protect against common web exploits and bots that can affect availability, compromise security, or consume excessive resources.
The Production network is only accessible to authorized personnel using multiple-factor authentication and on a strict need-to-know basis, employing the principle of least privilege.
We use a virtual private cloud (VPC) with access control lists (ACLs) to block unauthorized requests from reaching our internal server network.
We log all actions taken on production consoles or in the application. The audit logs are stored and analyzed by Cloudwatch, and archived to Amazon S3.
Access to customer data is strictly limited to authorized employees who require it for their job responsibilities. We protect access to our cloud services through SAML Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies.
We limit exposure to OWASP Top 10 security risks by using modern and secure open-source frameworks that include security controls. These controls reduce our exposure to threats like SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF).
We proactively engage independent security experts at least once a year to conduct thorough penetration tests on both our application and network.
All system alerts are escalated to our 24/7 security teams. Team members are trained on how to respond to these incidents, including communication and escalation channels.
Our engineers get regular training on our security controls, along with OWASP Top 10 security risks and other common attack vectors.
Our dedicated security team identifies, tests, and triages security vulnerabilities, while our Quality Assurance (QA) team reviews and tests our code base weekly.
Our security policies are based on the ISO 27002:2013 ISMS framework and SOC 2 Trust Criteria Focus Points and are updated frequently and communicated to all employees.
All new employees complete Security and Awareness training annually, and must sign a confidentiality agreement as part of their contract.
If you think you may have found a security vulnerability, please get in touch with our security team at security@chisellabs.com
