We take security seriously. Read more here:
SOC 2 Type II audited
Chargehound is committed to maintaining the security of its customers' information. Chargehound has successfully completed a Service Organization Controls 2 (SOC 2) Type II audit with a 3rd-party evaluator certified by The American Institute of CPAs (AICPA). This audit uses the Trust Services Principles, published by the AICPA, to evaluate the effectiveness of a service organization's controls with respect to security, availability, processing integrity, online privacy, and confidentiality.
More information on SOC 2 reports can be found here.
Hosting and Physical Security
Chargehound servers are hosted on Amazon Web Services (AWS) and Heroku, an application platform that in turn uses services provided by AWS. Web servers and databases run on servers in secure data centers. Physical access is restricted to authorized personnel. Premises are monitored and access is logged.
Isolation of Services
Chargehound servers run in Linux virtual machines which are isolated from one another and from the underlying hardware layer. Server processes are restricted to a particular directory and do not have access to the local filesystem.
File Systems and Communication
All pages containing sensitive customer or user data are restricted to HTTPS encrypted connections, as is all access to the Chargehound API. All data retrieval from Stripe is done via Stripe Connect using your Stripe Account ID, over a secure connection with Stripe’s API. All data retrieval from Braintree is done via Braintree Auth, over a secure connection with Braintree’s API. Any webhooks Chargehound sends to production systems are required to use HTTPS.
User passwords are secured with BCrypt. They are never stored in the database in plaintext and are not readable by staff; instead, as is standard practice, only a secure hash of the password is stored in the database. Because the hash is relatively expensive to compute, and because a “salting” method is used, brute-force guessing attempts are relatively ineffective, and recovering the password is difficult even if the hash value were to be obtained by a malicious party. Clients are required to have reasonably strong passwords. Passwords do, however, provide access to the Chargehound website, and it is the responsibility of the end user to protect this password with care.
Integrations with Stripe and Braintree are facilitated via their official OAuth applications: Stripe Connect, and Braintree Auth. You can revoke Chargehound's access at any time via your Stripe Dashboard, or Braintree Dashboard.
For certain integrations we may ask for an API key or login credential with minimal permissions, as well as additional webhooks. The API key or login credential we store will be encrypted and will never be revealed to the end user or to Chargehound personnel. You can change or remove these credentials at any time in order to remove access.
No Chargehound staff will access your business metrics unless required for support reasons. In cases where staff must access the dashboard in order to perform support, we will ask for your consent, except when responding to a critical security issue or suspected abuse.
When working a support issue we do our best to respect your privacy as much as possible; we access only the minimum data needed to resolve your issue.
Credit Card Safety
When you register your credit card with Chargehound, your credit card data is not transmitted through nor stored on our systems. Instead, we depend on Stripe. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Stripe’s security information is available online.
Chargehound developers have been trained in secure coding practices. Chargehound application architecture includes mitigation measures for common security flaws such as the OWASP Top 10. The Chargehound application uses industry standard, high-strength algorithms including AES and bcrypt. Periodic security tests are conducted, including scanning and fuzzing tools to check for vulnerabilities.
Reporting System Failures and Breaches
If at any time you become aware of a system failure or breach, please contact us immediately at: firstname.lastname@example.org