
Security

Last updated: March 19, 2026

Your business data is sensitive, and we treat it that way. Chartimatic is built on a security-first architecture designed to protect your information at every layer.

Encryption in Transit

All connections use TLS 1.2+ encryption. Data moving between your browser, our servers, and third-party APIs is always encrypted.

Encryption at Rest

All stored data is encrypted at rest using AES-256 encryption through our database provider, Supabase, running on AWS infrastructure.

OAuth-Only Integration

We never store your third-party passwords. All integrations use OAuth 2.0 tokens with minimal permission scopes. You can revoke access at any time.

Authentication

User authentication is managed by Supabase Auth with secure cookie-based sessions, PKCE flow, and automatic token refresh.

Payment Security

All payments are processed by Stripe, a PCI DSS Level 1 certified processor. We never see or store your full credit card number.

Infrastructure

Hosted on Vercel (edge network) and Supabase (AWS). Both providers maintain SOC 2 compliance and global redundancy.

Data Handling Practices

  • Minimal data collection — We only request the data needed to generate your briefing. No unnecessary permissions.
  • No data selling — Your business data is never sold, shared with advertisers, or used to train AI models.
  • Row-level security — Database policies ensure users can only access their own data. Admin access is restricted and audited.
  • Secure API keys — All sensitive API keys and tokens are stored as encrypted environment variables, never in source code.
  • Regular updates — Dependencies are kept current and monitored for known vulnerabilities.

AI Data Processing

Chartimatic uses an AI provider (xAI/Grok) to turn your connected analytics into the natural-language briefing you read in your dashboard and email. We do not send raw Google user data (Google Analytics or Google Ads reporting data) or Shopify Protected Customer Data to the AI provider. Instead, we first compute aggregated, de-identified summaries from your connected data (percentage changes, period-over-period trends, top-N category rollups, and similar non-identifying metrics), and only those summaries are processed by the AI provider to generate the user-facing briefing text. The AI provider does not store this data beyond the request lifecycle, and we do not use your data to train AI models.
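As an added illustration, and not Chartimatic's own code, the Python below shows the shape of the pipeline the paragraph describes: raw order rows that carry customer identifiers are reduced to period-over-period percentage changes and a top-N category rollup, and a final guard refuses to emit any payload that still contains an identifying field name or an email-looking value. The row layout, field names, date ranges and the sample rows are all constructed for this example.

```python
"""Added example: aggregate and de-identify analytics rows before any of
them could reach an AI provider. Not Chartimatic's code; the field names,
periods and records below are constructed for illustration."""
from collections import defaultdict
from datetime import date
import json

# Constructed sample rows of the kind a commerce connector might return.
# customer_id and email are the fields that must never leave the service.
RAW_ORDERS = [
    {"date": date(2026, 2, 23), "customer_id": "C-1001", "email": "ann@example.com", "category": "Shoes", "revenue": 100.0},
    {"date": date(2026, 2, 25), "customer_id": "C-1002", "email": "bob@example.com", "category": "Bags", "revenue": 50.0},
    {"date": date(2026, 2, 27), "customer_id": "C-1003", "email": "cy@example.com", "category": "Shoes", "revenue": 50.0},
    {"date": date(2026, 3, 1), "customer_id": "C-1001", "email": "ann@example.com", "category": "Shoes", "revenue": 120.0},
    {"date": date(2026, 3, 2), "customer_id": "C-1004", "email": "dee@example.com", "category": "Bags", "revenue": 80.0},
    {"date": date(2026, 3, 4), "customer_id": "C-1002", "email": "bob@example.com", "category": "Hats", "revenue": 40.0},
    {"date": date(2026, 3, 6), "customer_id": "C-1005", "email": "eve@example.com", "category": "Shoes", "revenue": 60.0},
]

# Constructed reporting windows: the week being briefed and the week before it.
CURRENT_PERIOD = (date(2026, 3, 1), date(2026, 3, 7))
PREVIOUS_PERIOD = (date(2026, 2, 22), date(2026, 2, 28))

# Field names treated as identifying; assumed for this example.
IDENTIFYING_FIELDS = {"customer_id", "email", "name", "ip"}


def aggregate_period(rows, start, end):
    """Total revenue, order count and per-category revenue for rows in [start, end]."""
    total, orders = 0.0, 0
    by_category = defaultdict(float)
    for row in rows:
        if start <= row["date"] <= end:
            total += row["revenue"]
            orders += 1
            by_category[row["category"]] += row["revenue"]
    return {"revenue": total, "orders": orders, "by_category": dict(by_category)}


def pct_change(current, previous):
    """Percentage change rounded to one decimal; None when the baseline is zero."""
    if previous == 0:
        return None
    return round((current - previous) / previous * 100.0, 1)


def build_summary(rows, current, previous, top_n=3):
    """Reduce raw rows to non-identifying metrics: trends and a top-N rollup."""
    cur = aggregate_period(rows, *current)
    prev = aggregate_period(rows, *previous)
    ranked = sorted(cur["by_category"].items(), key=lambda kv: kv[1], reverse=True)[:top_n]
    top = []
    if cur["revenue"]:
        top = [{"category": c, "revenue_share_pct": round(v / cur["revenue"] * 100.0, 1)}
               for c, v in ranked]
    return {
        "revenue_change_pct": pct_change(cur["revenue"], prev["revenue"]),
        "orders_change_pct": pct_change(cur["orders"], prev["orders"]),
        "top_categories": top,
    }


def contains_identifiers(obj):
    """Recursively flag identifying keys or email-looking strings in a payload."""
    if isinstance(obj, dict):
        return any(k in IDENTIFYING_FIELDS or contains_identifiers(v) for k, v in obj.items())
    if isinstance(obj, list):
        return any(contains_identifiers(v) for v in obj)
    if isinstance(obj, str):
        return "@" in obj  # crude email check; sufficient for this illustration
    return False


def summary_for_ai(rows, current, previous):
    """The only object allowed out: a summary that passes the identifier guard."""
    summary = build_summary(rows, current, previous)
    if contains_identifiers(summary):
        raise ValueError("refusing to send payload: identifying data present")
    return summary


def example_summary():
    """Run the pipeline on the constructed sample data."""
    return summary_for_ai(RAW_ORDERS, CURRENT_PERIOD, PREVIOUS_PERIOD)


if __name__ == "__main__":
    print(json.dumps(example_summary(), indent=2))
```

The guard is deliberately applied to the object about to leave the service rather than to the input, so a later change that accidentally forwards a raw row list (which `contains_identifiers` rejects) fails closed instead of leaking.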

Incident Response

In the event of a security incident, we will:

  • Investigate and contain the issue within 24 hours.
  • Notify affected users within 72 hours of confirmation.
  • Provide a full post-incident report and remediation plan.

Responsible Disclosure

If you discover a security vulnerability, please report it to security@chartimatic.com. We appreciate responsible disclosure and will acknowledge your report within 48 hours.

Questions?

For security-related inquiries, contact security@chartimatic.com.

© 2026 Averva Corporation. All rights reserved.