We take security and privacy seriously, adhering to enterprise-level security standards that keep your customer data protected.
See our Data Privacy Framework participant listing here.
Information on how to sign our DPA.
Chatlio is GDPR compliant. When you use our services you entrust us with your valuable information. We have made it a priority to protect your data and to provide you with choices about controlling it. See our Privacy summary page for more details about our GDPR compliance.
Chatlio’s personnel will not process Customer Personal Data without authorization. Personnel are obligated to maintain the confidentiality of any Customer Personal Data and this obligation continues even after their engagement ends.
Data is encrypted in-transit using TLS. Where applicable, data is encrypted at rest within the product(s) by AWS.
Chatlio uses vulnerability assessment, patch management, threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses, and other malicious code.
Business resiliency/continuity and disaster recovery procedures are in place, as appropriate, and are designed to maintain service and/or recovery from foreseeable emergency situations or disasters. Our production database has automatic backups enabled and backups are encrypted.
Chatlio uses multiple types of automated vulnerability scans and assessments which are run at various frequencies (e.g. when code changes occur, daily, weekly, and monthly). Additionally, we have third-party penetration tests run and allow vulnerability reports to be submitted securely to us for evaluation.
Chatlio uses logical access controls designed to allocate appropriate privileges according to role, applying the principle of least privilege access. Chatlio applies a zero-trust model of identification and authorization. In addition, all Employees are required to use a password manager, unique passwords, and strong multi-factor authentication, including requiring the use of two-factor authentication (2FA) for all Chatlio accounts. We perform periodic reviews of Employees' access and promptly revoke access when employment terminates.
Chatlio implements effective measures to protect Personal Data from being read, copied, altered or deleted by unauthorized parties during transmission. These include protective measures against active and passive attacks on the sending and receiving systems that provide transport encryption, such as adequate firewalls, mutual TLS encryption, API authentication, and encryption to protect the gateways and pipelines through which data travels, as well as testing for software vulnerabilities.
Where applicable, data is encrypted within the product(s) by AWS.
Physical and environmental controls are inherited from Amazon Web Services, Inc. (AWS).
Chatlio has system audit and event logging and related monitoring procedures in place to record user access and system activity. Automated analytics are used to generate alerts for suspicious or potentially malicious activity.
Chatlio configuration is stored in the environment for maximum portability between environments using the twelve-factor app methodology. Baseline configuration is enforced with a default configuration set.
Chatlio uses network security controls that provide for the use of enterprise firewalls (AWS and Cloudflare) and layered DMZ architectures, as well as intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of an attack.
Change management controls and procedures are established to ensure human review of production changes is performed to identify potential security issues before changes are made.
Chatlio regularly reviews its processes on an annual or as-needed basis.
Chatlio ensures data minimisation by processing only that data which is relevant and necessary for the provision of the service.
Chatlio will monitor data processed and any inaccuracies will be erased or modified without delay. Chatlio also monitors IP addresses for abuse and spam and will block any traffic originating from abusive IP blocks.
Chatlio only collects personal data that is absolutely necessary to fulfill a purpose. The data collected and the time it is stored are reviewed internally on an as-needed basis. Chatlio deletes personal data on request from the customer.
Chatlio has defined roles and responsibilities within the company designed towards ensuring the confidentiality, integrity and availability of Personal Data. These roles and responsibilities are reviewed annually to ensure continued efficacy and compliance with Applicable Privacy Laws. Chatlio employs least privilege access mechanisms to control access to Personal Data. Role-based access controls are employed to ensure that access to Personal Data required for the provision, maintenance and securing of the Services is for an appropriate purpose and approved with management oversight.
Data subject request processes are in place to handle erasure and data portability requests. Customers may reach out to [email protected] in order to exercise their rights.
Our team is constantly monitoring security notifications from all 3rd party software libraries and if identified, we apply any relevant security patches without undue delay. Please contact us at [email protected] if you have any security related concerns or feedback.
All of Chatlio’s application and data infrastructure is hosted on Amazon Web Services (AWS), a highly scalable cloud computing platform with end-to-end security and privacy features built in.
Designed with redundancy, fault tolerance and disaster recovery at the forefront, our databases (Amazon Aurora) are distributed across three separate availability zones (data centers). All our infrastructure is within our virtual private cloud (VPC) with production access restricted to operations support staff only. This allows us to leverage complete firewall protection, private IP addresses and other security features.
For more specific details regarding AWS security, please refer to https://aws.amazon.com/security/.
We strive for 99.99% uptime across all our products and, to support that, we host our monitoring and logging systems outside of AWS and employ a variety of tools to accurately monitor and report on any anomaly that could impact the delivery of our services. In the unlikely event that data stored in the Chatlio database were to be lost or damaged, we would be able to restore from backup with a loss of no more than 1 hour of data. During this time we would not provide additional contingency plans to deliver data, due to the very short nature of the recovery time.
All data is stored in AWS infrastructure, housed in Amazon-controlled data centers. Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access. It is safe to say Amazon is much better at physical security than we are capable of being, so we leave it to them.
Through the use of automated and manual analysis, as well as constant security review of 3rd party libraries, we ensure to the best of our abilities that we are delivering products that are free from security defects. All Chatlio web application communications support TLS v1.2. We enforce the same level of encryption used by many banks and financial institutions.
We do our best to ensure all customer data is encrypted in transit and at rest while stored in our databases, including user email addresses, user passwords, and API keys. All traffic to our web applications is served over TLS v1.2 or higher. We have automated testing to ensure our encryption certificates are valid and up to date with the latest best practices.
At Chatlio, we understand that security is essential in maintaining the trust you place in us to provide products and services to you. Although our team works vigilantly to help keep customer information secure, we recognize the important role that security researchers and our user community play in helping to keep our users secure. If you are a security researcher and have discovered a security vulnerability in our website or service, we ask for your help in disclosing it to us in a responsible manner.
If you discover a vulnerability or are a customer who is concerned your account has been compromised, please notify us via our Signal number. We encourage you to encrypt sensitive information; please see below for a Signal number.
When reaching out to us, please include:
We believe in placing our users’ interests first. We believe that responsible disclosure involves privately notifying us of any security vulnerabilities and allowing us appropriate time to diligently address the vulnerabilities before making full disclosure to the public. For our part, while we are working on addressing the vulnerability, we will advise customers of potential risk if appropriate where it does not increase the overall risk to customers. We will do our best to notify you as soon as the vulnerability has been addressed and ask that you do not disclose it publicly or share it with others until then.
We appreciate these types of research activities, but will not tolerate any actions that put our users at risk:
The combined contributions of all security professionals in our community are essential to keeping us all secure. We thank everyone in the community for their efforts.
Signal Number: We encourage you to encrypt sensitive information you send to us as part of your vulnerability disclosure. You can use our Signal number by sending a request for it to [email protected]. We will respond promptly.