At Charma, our top priority is the security of our customers’ data. We invest heavily in security through both our written policies and our technical infrastructure. We have reviewed our software and policies to ensure compliance with the General Data Protection Regulation (GDPR). We also enlist third parties to verify that our application is secure: we undergo an annual penetration test that mimics the work of sophisticated attackers, and in July 2021 we received our SOC 2 Type II certification from the auditing firm LWBJ. To request a copy of our SOC 2 Type II report or penetration test results, please email support@charma.com to sign an NDA.
Code Deployment
We use GitHub’s Branch Protection Rules to ensure that no code can be deployed without a passing review by another engineer. We also use Continuous Integration to ensure that no code is deployed unless it passes an extensive suite of automated tests. Finally, all code deploys are broadcast to Slack, providing real-time visibility into what was deployed and when.
Infrastructure
Our application and database servers are hosted on Heroku, a cloud application platform that runs on top of Amazon Web Services (AWS). Our application also uses AWS directly for encryption key management, CDN and file storage. Both AWS and Heroku are SOC 2-certified and maintain robust security policies. You can read more about AWS’s and Heroku’s security policies here:
https://aws.amazon.com/security/
https://www.heroku.com/policy/security
Encryption
Charma encrypts all communication between its servers and end users’ browsers using HTTPS. All data in our production database is encrypted at rest with AES-256 block-level storage encryption. Highly sensitive data, such as OAuth tokens, is additionally encrypted at the application level.
Backup of Data
We create daily backups of our production database. Backups are retained for 30 days.
Passwords and Authentication
We require the use of two-factor authentication to sign in to all critical internal software, including AWS and Heroku. We manage passwords for all internal software using 1Password, which enforces strong password hygiene.
Employees
All new employees must undergo a background screening before beginning employment at Charma. In addition, all employees must complete annual cybersecurity awareness training and agree to our information security policies. All employee laptops use full-disk encryption.
If you have identified a potential security vulnerability in our system, please report it within 24 hours by emailing security@charma.com. We will respond to your report within 48 hours.