Security
Last updated: 19 April 2026
We take security seriously. This page summarizes the technical and organizational measures Chatrix applies. Enterprise customers can request a detailed security questionnaire response at [email protected].
Infrastructure
- Production hosting in the European Union.
- Production, staging and development are segregated; credentials are not shared between environments.
- Hardened Linux base images with unnecessary services disabled.
- Cloudflare in front of public endpoints for DDoS protection and TLS termination.
Encryption
- In transit: TLS 1.2+ for all public endpoints; HSTS enforced on chatrix.live.
- At rest: database and file storage encrypted at the storage layer.
- Passwords hashed with bcrypt (cost factor 12).
- JWT signing keys rotated periodically.
Access control
- Role-based access control in the operator dashboard (owner, admin, agent).
- Least-privilege operational access to production systems.
- Multi-factor authentication available for operator accounts.
- Per-organization "allowed-domains" policy for Enterprise isolation.
Monitoring and backups
- Centralized application and infrastructure logging.
- Alerting on anomalies and errors.
- Daily encrypted backups with a retention policy and periodic restore testing.
Secure development
- Code review required for all changes.
- Dependency updates monitored; security patches prioritized.
- Secrets never committed to source control; managed via dedicated secret store.
- Static analysis and type checking in CI.
Incident response
- Documented runbooks for detection, containment, eradication and recovery.
- Customer notification in line with GDPR Art. 33 and our Data Processing Agreement.
- Post-incident review and remediation tracking.
Responsible disclosure
If you believe you have found a security vulnerability in Chatrix, please report it to [email protected].
We commit to:
- acknowledge your report within 3 business days;
- triage and scope within 10 business days;
- share a remediation or mitigation timeline with you;
- credit responsible reporters (with your consent).
Please do not publicly disclose until we have had a reasonable opportunity to remediate.
Compliance
- GDPR — we act as processor; see our DPA and Privacy Policy.
- Sub-processor list available on request at [email protected].
- ISO 27001 / SOC 2 — on our roadmap; not yet certified.
Contact
AP Software, Poland — [email protected]