Security Overview

How we keep your data safe and our systems reliable

Summary

Security is as important to us as it is to you. We know you are placing trust in us and guarantee that we will not knowingly compromise that. We strive to provide a reliable and secure environment, while maintaining a high speed of development and growth.

Chameleon operates continuous testing and monitors a complete set of security and infrastructure controls that may appear in a SOC 2 audit. We identify vulnerabilities and seek to continually improve our security posture.

We have recently finished our SOC2 Type II Audit period and expect the official report in September 2021.

This document was last updated August 2021


Data security

  • Chameleon Management has approved all policies that detail how customer data may be made accessible and should be handled confidentially. These policies are accessible to all employees and contractors.

  • Chameleon authorizes access to information resources, including data and the systems that store or process customer data, based on the principle of least privilege.

  • Chameleon has established written policies related to retention periods for the confidential information it maintains.

  • Chameleon has established a data classification policy in order to identify the types of confidential information possessed by the entity and types of protection that are required.

  • Chameleon only collects basic, non-identifying data such as page loads. No personal or private data is collected by default. For the full list of what we collect see here.

  • Chameleon stores all it's data in USA-based databases that are encrypted at rest with AES-256.

  • Chameleon's transactional email provider, Postmark uses opportunistic TLS encryption, which is becoming the standard for SMTP. Read more about this here. To learn more about email encryption you can read this overview from Google.

  • Chameleon does not handle any credit card information. We use Stripe, a first-class payment processor, which is PCI-Compliant and maintains security best practices. You can read more about these here.


Infrastructure security

  • All of Chameleon's services run in the cloud. Chameleon does not run its own routers, load balancers, DNS servers, or physical servers.

  • Chameleon infrastructure is hosted in a fully redundant, secured VPN environment, to leverage firewall protection, private IP addresses and other security features. We host different components of our application and our APIs separately.

  • The vast majority of Chameleon's services and data are hosted on Heroku (part of Salesforce App Cloud) and Amazon Web Services (AWS) facilities in the USA.

  • Both Heroku and AWS maintain best-in-class security processes and equipment, including reports, certifications, independent assessments. You can read about this for Heroku here and for AWS here.

  • Chameleon's Heroku data center is based in the US, which has been accredited under: ISO 27001; SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II); PCI Level 1; FISMA Moderate; and Sarbanes-Oxley (SOX).

  • Chameleon's data is stored using our database provider, MongoDB Atlas.

  • Data is backed-up daily and all backups are encrypted. You can read more about these here.

  • Chameleon uses MongoDB’s Elastic Deployments backup solution for datastores that contain customer data. You can read more about this here.

  • Chameleon is served over HTTPS with HSTS preloaded for trychameleon.com and all Chameleon web application communications (incl. cookies) are encrypted over 256 bit TLS (resembling protocols used by banks and financial institutions). Our certificates are 2048 bit RSA, signed with SHA256.

  • Chameleon ensures that all connections to its web application from its users are encrypted and TLS protocols are enforced.

  • Chameleon has implemented monitoring tools (such as New Relic and Bugsnag) for Chameleon's databases, servers, and messaging queues. These notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.

  • Chameleon has an established key management process in place to support the organization's use of cryptographic techniques.

  • Chameleon requires two factor authentication to access sensitive systems and applications in the form of user ID, password, OTP and/or certificate.

  • No public SSH is allowed.

  • Chameleon engages with a third-party to conduct vulnerability scans of the production environment at least annually. Results are reviewed by management and high priority findings are tracked to resolution.

  • Chameleon engages with a third-party to conduct penetration tests of the production environment at least annually. Results are reviewed by management and high priority findings are tracked to resolution.

  • Chameleon aims to maintain 99.9% uptime or higher across our services. You can check and subscribe to our stats and incident history from our status page.

  • Chameleon utilizes multiple availability zones to replicate production data across different zones.


Organizational security

  • Chameleon's new hires and/or internal transfers are required to go through an official recruiting process, during which their qualifications and experience are screened to ensure that they are competent and capable of fulfilling their responsibilities.

  • Chameleon Management has approved security policies, and all employees agree to these procedures when hired. Management also ensures that security policies are accessible to all employees and contractors.

  • Chameleon conducts background checks (administered by Checkr) for all employees that have access to customer data.

  • Chameleon has established training programs for privacy and information security to help employees understand their obligations and responsibilities to comply with the Chameleon's security policies and procedures. This includes the identification and reporting of any incidents. All full-time employees are required to complete these training annually.

  • Chameleon reviews its organizational structure, reporting lines, authorities, and responsibilities in terms of information security on an annual basis.

  • Access to infrastructure and code review tools are removed from terminated employees within one business day.

  • Chameleon has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and/or employee transfers.

  • Chameleon has established formal guidelines for passwords to govern the management and use of authentication mechanisms, including the use of a password manager (1Password for Teams. You can learn how this improves our safeguards here.)

  • Chameleon ensures that all company-issued computers use a screensaver lock with a timeout of no more than 60 seconds, and have encrypted hard-disks. Further, security patches are applied automatically and antivirus software is installed on workstations to protect the network against malware.

  • Chameleon uses a version control system to manage source code, documentation, release labeling, and other change management tasks. Access to the system must be approved by a system admin. Only authorized Chameleon personnel can push or make changes to production code.

  • Chameleon operates a test-driven development approach. This means Chameleon builds rigorous tests, which must pass before any new code is deployed into production environments.

  • Chameleon tracks security deficiencies through internal tools and closes them within an SLA, that management has pre-specified.

  • Chameleon provides a process for reporting security, confidentiality, integrity, and availability failures, incidents, concerns, and other complaints to external users and workforce members.

  • Chameleon uses encryption to protect user authentication and admin sessions of the internal admin tool transmitted over the Internet.

  • Chameleon has defined a formal risk management process that specifies risk tolerances and the process for evaluating risks, based on identified threats and the specified tolerances.

  • Chameleon engages with a third-party to conduct a Risk Assessment at least annually. Results are reviewed by management and high priority findings are tracked to resolution.

  • Chameleon has an established BC/DR plan that outlines roles, responsibilities and detailed procedures for recovery of systems.

  • Chameleon has implemented an Incident Response Policy that includes creating, prioritizing, assigning, and tracking follow-ups to completion. This also includes responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents and annual testing.


More information