Security

How we protect your data and keep Chartcastr secure.

Infrastructure Security

TLS Encryption

All traffic is encrypted with TLS 1.2 or newer. HTTPS is enforced with HTTP Strict Transport Security (HSTS), and the domain is submitted to the browser preload list so that even a first visit never goes over plain HTTP. We score A+ on SSL Labs.

Content Security Policy

A strict Content-Security-Policy header restricts where scripts and other resources may be loaded from, so that injected markup cannot run attacker-controlled script. CSP limits the impact of cross-site scripting (XSS); it does not replace output encoding and input validation.

SOC 2 Compliance

In progress.

Database Security

PostgreSQL with TLS connections, encrypted at rest, and automatic backups with point-in-time recovery.

Security Certification

CASA Type 2 Certified

We are CASA (Cloud Application Security Assessment) certified through the App Defense Alliance. This certification validates our security posture and commitment to protecting customer data.


Relevant security documentation is available upon request. Contact us for compliance documents, security questionnaires, or additional certification details.

Authentication & Access

Clerk Authentication

Enterprise-grade auth with MFA support, secure session management, and bcrypt password hashing.

OAuth 2.0 Integrations

Google and Slack connections use OAuth 2.0. Tokens are encrypted at rest and never exposed to browsers.

Role-Based Access

Access is scoped to the organization: every database query is filtered by the requesting account, so users only see data belonging to their own organization.

No Shared Passwords

Every user has individual credentials. No shared accounts or default passwords exist.

Data Protection

Encryption at Rest

Sensitive data, including OAuth tokens, is encrypted at rest using AES-256.

Transient Image Storage

Generated chart images are stored in Cloudflare R2 with signed URLs and auto-expire within 24 hours.

No Credential Logging

Passwords, tokens, and API keys are never written to logs.

Data Minimization

We only collect what's needed to provide the service. Sheet data is fetched on-demand, not stored.

Secure Development

  • Automated CI/CD pipelines with GitHub Actions and protected branches
  • Dependency scanning and lockfile integrity verification
  • Debug modes and development features disabled in production
  • Code review required for all changes to protected branches

Report a Vulnerability

If you discover a security vulnerability, please report it responsibly. We take all reports seriously and will respond within 48 hours.

Security Inquiry Form

Use the security inquiry form for security questions, vulnerability reports, or compliance documentation requests.

Questions About Security?

For general inquiries about our security practices or data protection, reach out to us.
