Celebrating an Exception-Free SOC2 Type II Hat-trick

SOC 2 Type II audits a variety of controls across people, systems, processes over an extended time period

The SOC (“System and Organization Controls”) 2 certification, set by the American Institute of Certified Public Accountants (AICPA), is considered the gold standard for security accreditation, measuring controls against 5 “Trust Principles”: Security, Availability, Processing Integrity, Confidentiality, and Privacy. 

Examples of controls tested include workforce onboarding and offboarding processes, customer data protection, software vendor management, multi-factor authentication (MFA), and stringent code testing protocols. These controls were tested over a period of time as part of the Type II audit (vs. Type I, which is a test at a single point in time) demonstrating that adoption and maintenance of strong security practices is part of our normal day-to-day operations. Our audit was conducted by an esteemed CPA firm, Schneider Downs.

To support our ongoing commitment to security, Chameleon leverages Drata, a security and compliance automation platform, to continuously monitor controls and provide real-time alerts of any risks. This ensures full visibility into our state of compliance and security and minimizes response times to resolve any potential threats. 

Chameleon regularly conducts external penetration tests, vulnerability assessments, and other threat reviews, and these, along with our SOC 2 report, are available to customers or prospects (upon signing an NDA). Please email us with requests or questions. 

Beyond this, we have continued our "responsible disclosure" / bug bounty program and regularly review, categorize, and action relevant findings from submissions. Over the past year we have paid out many hunters that have conducted tests and supported our systems becoming stronger. 

Chameleon is GDPR and CPRA/CCPA 2.0 compliant, and serves many customers in geographies (e.g. Europe) regulated by stringent data protection laws. 

Chameleon does not collect any personal data by default, and offers methods to hash/encode any identifying attributes sent to Chameleon. To learn more please review this help center or email us to obtain a copy of our DPA. 

Chameleon already uses password-less authentication; leveraging email “magic links” (that help authenticate the email addressed used to sign-up or login) or single sign-on (‘SSO’). Google SSO is available to all accounts, at no additional cost, and we have recently rolled out SSO via other providers to all customers, as an add-on; see more below. 

In 2023 we launched multi-factor authentication, available for all customers and accounts, at no additional cost. We strongly encourage all customers to enable this to provide an additional safeguard against unauthorized access to your Chameleon account. Turn this on for your account here.

When installing Chameleon, sending a “User ID” is necessary to allow targeting individual users with in-app experiences. To prevent unauthorized access to these “User IDs” by bad actors, Chameleon offers the ability to send encoded IDs, using a secret key, when installing with JavaScript. 

In the past year, we extended the ability to leverage this User ID encoding when installing Chameleon with a CDP such as Twilio Segment. In addition, we’ve rolled out an updated installation page that strongly promotes the use of User ID encoding, and warns customers when they are not using this feature. Learn more about identity verification here.

To help our customers stay better informed of security and privacy updates (e.g. subprocessor updates) we now offer the ability to subscribe to these updates from within our application. This can include a group email or alias (e.g. security@yourcompany.com) enabling our customers to more easily access relevant updates via the most appropriate channel/inbox for them. Set this up here.

We continue to seek ways to improve our security features and adoption of these by customers. You can review all of our recent product updates here or “follow” Chameleon’s LinkedIn account here for regular, passive updates. 

Single sign-on ('SSO') via a third-party identity provider (e.g. Okta, Azure AD etc.) is a robust way to securely and confidently manage application access for company employees.

Historically this has been more adopted by more mature companies, and so many SaaS applications have taken advantage by offering SSO only as part of “Enterprise” pricing bands, which can be manifold more expensive than other pricing tiers. This has led to what is dubbed the “SSO tax” -- requiring companies to pay significantly more to have access to more secure authentication to a SaaS platform. 

Chameleon believes strongly that all companies should employ secure practices and is making SSO via a third-party provider available to all customers, regardless of pricing plan, at a fixed price ($4k / year). This enables our smallest customers (paying only a few hundred dollars per month on a Startup plan) to our largest customers (paying six-figures annually) to have access to this functionality at the same price.

You can enable SSO for your Chameleon account today, via a self-service option, without needing to speak to sales or support -- simply visit your billing page. 

More information on our security protocols

Chameleon is a business-critical application for many companies, helping deliver relevant, contextual, personalized messaging and information to users just-in-time. We understand the trust that our customers place within us by including the Chameleon code in their applications, and accordingly we endeavor to set the highest standards in our approach to security and privacy. 

To learn more about our approach: 

• Read our security statement here.

• Explore our Security & Privacy help center here.

• Learn about our responsible disclosure program here.

• Check Chameleon’s system status and uptime here.

For security inquiries or questions please email us at security@chameleon.io.