Introduction
Security is one of our biggest priorities here at Chaiz. On this page we have provided information about the security of your data, our general security practices, and how you can reach a member of the security team if you have questions that haven’t been answered below.
Overview
The Chaiz platform safeguards customer data using a variety of controls:
- Chaiz application data is secured in transit using TLS, and encrypted at rest in Chaiz’s database.
- The Chaiz application logically separates production user data, and access to user data is protected by strong authentication and authorization controls. Production user data is never replicated to test or development systems.
- Chaiz audits changes to the application throughout the development lifecycle: architecture reviews are performed as well as stringent automated and manual code review processes.
- Chaiz monitors application servers, infrastructure, and the Chaiz network environment to detect potential abuse.
- Chaiz is hosted on our Cloud Service Provider, Microsoft Azure, which regularly undergoes independent verification of its security, privacy, and compliance controls against the following standards: ISO/IEC 27001, ISO/IEC 27017, SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, CSA STAR, FedRAMP and many others. Additional details are available here.
Application Security
- Code analysis: Chaiz’s development teams conduct design reviews, automated and manual code reviews, and code audits for all code we deploy.
- Software Development Lifecycle (SDLC): Chaiz follows a defined SDLC to ensure that code is written securely. During the design phase, security threat modeling and secure design reviews are performed for new releases and updates.
- Credential management: Chaiz uses Microsoft Azure Key Vault, which automatically manages key generation, access control, secure storage, backup, and key rotation. Cryptographic keys are assigned to specific roles based on least privilege access, and they are automatically rotated yearly. Key usage is monitored and logged.
- Vulnerability & patch management: Chaiz conducts regular vulnerability scans and ongoing package monitoring for our infrastructure. Both external and internal-facing services are patched on a regular schedule. Any issues identified are triaged and addressed based on their severity within our environment.
- Web Application Firewall (WAF): All publicly available sites utilise a third-party Web Application Firewall to deter attempts to exploit common vulnerabilities.
Security profile
- Data Access Level: Internal (i.e., Chaiz employees only directly access customer data for troubleshooting purposes. This may be in response to a request from a customer, provider, or finance company, or due to incidents or malfunctions of the application.)