Security
Last updated: March 19, 2026
Your business data is sensitive, and we treat it that way. Chartimatic is built on a security-first architecture designed to protect your information at every layer.
🔒
Encryption in Transit
All connections use TLS 1.2+ encryption. Data moving between your browser, our servers, and third-party APIs is always encrypted.
🗄
Encryption at Rest
All stored data is encrypted at rest using AES-256 encryption through our database provider, Supabase, running on AWS infrastructure.
🔑
OAuth-Only Integration
We never store your third-party passwords. All integrations use OAuth 2.0 tokens with minimal permission scopes. You can revoke access anytime.
🛡
Authentication
User authentication is managed by Supabase Auth with secure cookie-based sessions, PKCE flow, and automatic token refresh.
💳
Payment Security
All payments are processed by Stripe, a PCI DSS Level 1 certified processor. We never see or store your full credit card number.
🌐
Infrastructure
Hosted on Vercel (edge network) and Supabase (AWS). Both providers maintain SOC 2 compliance and global redundancy.
Data Handling Practices
- Minimal data collection — We only request the data needed to generate your briefing. No unnecessary permissions.
- No data selling — Your business data is never sold, shared with advertisers, or used to train AI models.
- Row-level security — Database policies ensure users can only access their own data. Admin access is restricted and audited.
- Secure API keys — All sensitive API keys and tokens are stored as encrypted environment variables, never in source code.
- Regular updates — Dependencies are kept current and monitored for known vulnerabilities.
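The row-level security bullet above describes a Postgres feature that Supabase exposes directly. The following is an added illustration, not Chartimatic's actual schema or policies, of what "users can only access their own data" looks like when it is enforced in the database rather than in application code. The table name `briefings` and its `owner_id` column are assumptions; `auth.uid()` is Supabase's helper that returns the authenticated caller's user id from the JWT, and `authenticated` is the role Supabase assigns to signed-in API requests.

```sql
-- Added illustration, not Chartimatic's schema or policies.
-- Assumed: a table "briefings" whose rows belong to the user in "owner_id".
-- auth.uid() is the Supabase helper returning the caller's JWT subject.

-- Weak setting: a table created with no RLS. Any request carrying the
-- project's public API key can read and modify every row via the REST layer,
-- because nothing in the database ties rows to the caller.
create table if not exists briefings (
  id          bigint generated always as identity primary key,
  owner_id    uuid not null default auth.uid(),
  content     jsonb not null,
  created_at  timestamptz not null default now()
);

-- Corrected setting: turn RLS on (and force it even for the table owner role),
-- then grant each operation only for rows whose owner_id matches the caller.
-- With RLS enabled and no policy for the anonymous role, anonymous requests
-- see zero rows by default.
alter table briefings enable row level security;
alter table briefings force row level security;

create policy "briefings_select_own" on briefings
  for select to authenticated
  using (owner_id = auth.uid());

create policy "briefings_insert_own" on briefings
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy "briefings_update_own" on briefings
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "briefings_delete_own" on briefings
  for delete to authenticated
  using (owner_id = auth.uid());

-- Check: list public tables that still have RLS disabled.
-- On a hardened project this query returns no rows.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and rowsecurity = false;
```

Two points a reviewer would verify alongside the policies: first, `with check` matters on insert and update, otherwise a user could write rows they can no longer read; second, roles with the `BYPASSRLS` attribute (in Supabase, the `service_role` key) ignore these policies entirely, which is why the "Secure API keys" bullet about keeping secrets out of client-side code is part of the same control.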
AI Data Processing
When generating insights, your business data is sent to our AI provider (xAI/Grok) for processing. This data is used solely for generating your briefing and is not stored by the AI provider beyond the request lifecycle. We do not use your data to train AI models.
Incident Response
In the event of a security incident, we will:
- Investigate and contain the issue within 24 hours.
- Notify affected users within 72 hours of confirmation.
- Provide a full post-incident report and remediation plan.
Responsible Disclosure
If you discover a security vulnerability, please report it to security@chartimatic.com. We appreciate responsible disclosure and will acknowledge your report within 48 hours.
Questions?
For security-related inquiries, contact security@chartimatic.com.