Chartbeat is committed to keeping your privacy and data secure. Chartbeat employs a wide variety of technical and organizational security measures and dedicates significant effort towards maintaining data security. A short summary can be found below.
Chartbeat protects the confidentiality of customer data in several ways:
Our Chartbeat terms of service, which all customers must adhere to, prohibit sending personally identifiable information (PII) to Chartbeat. PII includes any data that can be used to reasonably identify an individual, including (but not limited to) names, email addresses, or billing information.
Chartbeat data may not be shared without customer consent, except under certain limited circumstances, such as when required by law.
Chartbeat security and engineering team take measures to guard against external threats to data. Internal access to data (e.g., by employees) is regulated and subject to access controls.
Chartbeat masks IP addresses by default.
Chartbeat requires that all of our third party vendors abide by our confidentiality and security measures, and obey similar restrictions.
Data ingress: Chartbeat supports encryption via HTTPS for all data being sent to Chartbeat systems, and strongly encourages all customers to only send data via HTTPS.
Data egress: All Chartbeat APIs supports sending data via HTTPS. Chartbeat dashboards only support HTTPS.
Encryption at rest: Where feasible, sensitive data is stored under encryption. Passwords and other highly sensitive information are hashed and salted.
All Chartbeat servers are hosted on Amazon Web Services, which in turn employs industry standard protections. More information from AWS can be found here.
Permissioning: We restrict access to all Chartbeat servers to only those employees with a need to access. All servers employ role-based permissioning.
Firewall: All servers are protected via VPN. Chartbeat's VPN employs role-based permissioning.
Chartbeat employs several systems for monitoring and detecting potential threats. These systems are evaluated on (at minimum) an annual basis to ensure accuracy and completeness.
All major new projects undergo Privacy Impact Assessments to determine any impacts of work on privacy, and appropriate steps for risk remediation.
Permissions: Logs are kept of all permissions changes for at least 90 days.
Data requests: Logs are kept for all API- and UI-based requests for data for at least 30 days.
All employees receive security training by a member of our security team within their first week of employment. This training is redone as needed.
Chartbeat maintains an Incident Response Policy.
Chartbeat maintains a Business Continuity Plan.
For more information, please contact our data protection officer at firstname.lastname@example.org