Security is as important to us as it is to you. We know you are placing trust in us and guarantee that we will not knowingly compromise that.

We strive to provide a reliably secure environment, while maintaining a high speed of development and growth.

Infrastructure security

  • All of our services run in the cloud. Chameleon does not run our own routers, load balancers, DNS servers, or physical servers
  • Chameleon infrastructure is hosted in a fully redundant, secured VPN environment, to leverage firewall protection, private IP addresses and other security features. We host different components of our application and our APIs separately.
  • The vast majority of our services and data are hosted on Heroku (part of Salesforce App Cloud) and Amazon Web Services (AWS) facilities in the USA.
  • Both Heroku and AWS maintain best-in-class security processes and equipment, including reports, certifications, independent assessments. You can read about this for Heroku here and for AWS here.
  • Our Heroku data center is based in the US and hosted and managed by AWS, which has been accredited under: ISO 27001; SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II); PCI Level 1; FISMA Moderate; and Sarbanes-Oxley (SOX)

Service levels (uptime) and monitoring

  • We have observed 99.9% uptime or higher across our services. You can check and subscribe to our stats and incident history from our status page.
  • Our in-house engineering team (based in the USA) monitors and logs errors using world-class tools, such as New Relic and Bugsnag.
  • Chameleon operates a test-driven development approach. This means we build rigorous tests, which must pass before any new code is deployed.

Data security

  • When you add the Chameleon script to your site (directly or via we start collecting some basic, non-identifying data such as page loads. For the full list of what we collect see here.
  • All our data is stored in the USA, using our database provider, Compose (part of IBM’s Cloud Services Group).
  • Compose operates a security disclosure program and completes third-party audits (with globally-recognized providers). You can read about this here.
  • Our data is backed-up hourly for the first day and then daily and all backups are encrypted. You can read more about these here.
  • Chameleon uses MongoDB’s Elastic Deployments backup solution for datastores that contain customer data. You can read more about this here.
  • We maintain strict privacy controls and a testing framework to ensure data privacy within our application. This prevents one customer being able to access another’s data.
  • Chameleon is served over HTTPS and all Chameleon web application communications (incl. cookies) are encrypted over 256 bit SSL (resembling protocols used by banks and financial institutions). Our certificates are 2048 bit RSA, signed with SHA256.
  • Our email provider, Mandrill (by MailChimp), uses opportunistic TLS encryption, which is becoming the standard for SMTP. Read more about this here. To learn more about email encryption you can read this overview from Google.
  • Chameleon does not handle any credit card information. We use a first-class payment processor, Stripe which is PCI-Compliant and maintains security best practices. You can read more about these here.

Internal security

  • Chameleon conducts background checks (administered by Checkr) for all employees and contractors that have access to customer data.
  • Only authorized employees are able to access user data or sign-in to your Chameleon account, for the purpose of resolving a specific issue. In such cases, we do our best to respect your privacy as much as possible, and only access data needed to resolve your issue.
  • All tools used by Chameleon employees are two-factor enabled where possible. We use *secure passwords managed by 1Password for Teams and you can learn how this improves our safeguards here.
  • Any violations of our policies or practices is a serious matter, requiring investigation and appropriate disciplinary action, up to and including termination as well as legal action.

More information

  • Any maintenance, outage and operational or security issues are reported on our status page.
  • To report a vulnerability, please fill out this form. We take these seriously and are committed to responding and fixing any issues as quickly as possible. Security investigators that share vulnerabilities with us (but not publicly or with third-parties) may be rewarded with credit on our site and / or a financial reward, at our discretion.  

Last updated - Nov 2020

Did this answer your question?