Chameleon completes SOC 2 Type II certification for the second consecutive year

We’ve been audited across over 190 controls (across the AICPA Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy) to verify our systems, processes, and policies meet best-in-class standards over an extended timeframe and have received an exception-free report.

Chameleon’s product adoption platform enables SaaS teams to build beautiful, targeted in-product UX patterns; inc. product tours, microsurveys, checklists, and tooltips.

Chameleon is installed within our customers’ applications and receives user data, so we understand our responsibility to maintain the highest standards in security and reliability. 

Accordingly, we maintain a strong security posture, which includes certifications such as SOC 2, as well as ongoing external penetration and vulnerability tests, and a paid bug-bounty program now running for 5+ years. 

SOC 2 (System and Organization Controls 2) is a set of standards developed by the American Institute of Certified Public Accountants (AICPA) to help organizations provide customers with the assurance that they are meeting the highest standards for security, availability, and confidentiality of information.

This year’s SOC 2 report covers Chameleon’s controls over how we onboard and offboard members of our workforce, how we segregate and protect customer data, how we manage our software vendors, how we enforce two-factor authentication, how we test our code, and more.

Our compliance was audited by Schneider Downs, a nationally recognized CPA firm registered with the Public Company Accounting Oversight Board. 

SOC 2 has two versions: Type I and Type II. The former is an audit at any single point in time and does not assess whether the organization is continuing to adhere to the same standards at other times or in other situations. 

Type II covers a period of time, within which auditors can assess the security motion at any point and ask for evidence from any situation. This is a far more robust assessment of security standards at an organization, and accordingly, the version that Chameleon is committed to. 

Beyond our audit, we maintain an “always secure” and “continuous monitoring” approach, using Drata, to observe and maintain our SOC 2 controls 24/7. This ensures we’re immediately notified of any potential risks, enabling us to react quickly and maintain the highest compliance “uptime”. Chameleon can also provide this real-time report of our compliance to customers, so they can be confident we are always meeting our commitment to being best-in-class. 

Chameleon maintains EU General Data Protection Regulations (GDPR) and California Privacy Rights Act (CPRA or “CCPA 2.0”) compliance, as well as all other state privacy and protection laws currently in place. We adhere to the strictest regulations on data privacy and protection. 

We do not collect any personal data by default and offer our customers and their end-users the key rights enshrined in GDPR (such as the right to opt-out and the right to be forgotten.) 

In addition, Chameleon regularly conducts external pen tests and vulnerability assessments, maintains key insurances, and offers SSO for customers. To sign a DPA with Chameleon, please email us at security@chameleon.io. 

Your data is always in safe hands with Chameleon. To learn more, please leverage the following resources:

• Read our security statement here

• Visit our Security & Privacy help center here

• Review our responsible disclosure program here

• View Chameleon’s system status and uptime here

• Email us here for any security questions or to request a summary of our SOC 2 report

If you’re interested in trying Chameleon, you can sign up for a free account or book a personalized demo.