CHAOSSEARCH has made investments into our security program from day one, and we have ingrained those principles deeply into our culture. Our commitment to security started even before we launched CHAOSSEARCH to the general public. We strive to ensure the safety and integrity of your data and will continue to improve and evolve our security program.

This page details the CHAOSSEARCH product architecture as well as the security measures we take to keep your data safe and secure.

SOC 2

CHAOSSEARCH has completed our SOC 2 Type 1 examination for the Security, Availability, and Confidentiality trust service principles for CHAOSSEARCH. This SOC 2 report assures our customers that we have designed and implemented sufficient security controls defined by the American Institute of Certified Public Accountants (AICPA) in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. A copy of this report is available to our prospects and customers under an NDA. Please reach out to your account manager or email sales@chaossearch.io to schedule a discussion to review.

HIPAA

CHAOSSEARCH has designed its control environment to satisfy the requirements of the Security Rule of the Health Information Portability and Accountability Act (HIPAA). Where applicable as a non-health services provider, the design of controls implemented to achieve the criteria of the relevant AICPA trust services principles, detailed within our SOC 2 report, is intended to satisfy HIPAA requirements. CHAOSSEARCH can enter into a Business Associate Agreement (BAA) with our customers as well as explore any other custom Data Privacy Agreements.

Product Architecture

Built on AWS, CHAOSSEARCH provides a Software as a Service to its customers. Security is part of the operational fabric, leveraging engineered security configurations to protect clients and their data. Customers grant read-only cross-account access via an AWS Identity and Access Management (IAM) role. The customer also grants read/write access to a separate Amazon S3 storage bucket dedicated exclusively to the storage of CHAOSSEARCH computed indexes within the customers' control.

CHAOSSEARCH never needs to return to the source data after indexing. The customer always has the option to remove CHAOSSEARCH access to the source data.

Data transmission is via SSL/TLS with customer accounts living within their own individual TLS encrypted networks. Customers can revoke CHAOSSEARCH access to their data via the Amazon IAM access role at any point in time. All customers' data lives in their own Amazon S3 storage bucket – source data as well as computed indexes.
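A customer can check that the policy attached to the cross-account role matches the access model described above: read-only on the source bucket, read/write confined to the index bucket, nothing else. The following is an added example, not CHAOSSEARCH's own code or policy; the bucket names, the sample policy documents, and the choice of `s3:Get*`/`s3:List*` as the definition of "read-only" are assumptions.

```python
import fnmatch

READ_PATTERNS = ("s3:get*", "s3:list*")  # assumed definition of "read-only"
ARN_PREFIX = "arn:aws:s3:::"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_read_only(action):
    # Wildcards that could match a write (e.g. "s3:*", "*") fail this test.
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in READ_PATTERNS)

def _bucket_of(resource):
    if not resource.startswith(ARN_PREFIX):
        return None  # "*" or a non-S3 ARN
    return resource[len(ARN_PREFIX):].split("/", 1)[0]

def audit_policy(policy, source_bucket, index_bucket):
    """Return findings where the policy exceeds the described access model."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource in Allow statement")
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            bucket = _bucket_of(resource)
            if bucket not in (source_bucket, index_bucket):
                findings.append(f"out-of-scope resource: {resource}")
            elif bucket == source_bucket:
                for action in _as_list(stmt.get("Action", [])):
                    if not _is_read_only(action):
                        findings.append(f"write-capable action on source bucket: {action}")
    return findings

# Constructed sample policies (bucket names are placeholders).
SRC, IDX = "example-source-logs", "example-index-store"
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [f"{ARN_PREFIX}{SRC}", f"{ARN_PREFIX}{SRC}/*"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": f"{ARN_PREFIX}{IDX}/*"}]}
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": f"{ARN_PREFIX}{SRC}/*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(audit_policy(GOOD_POLICY, SRC, IDX))
    print(audit_policy(BAD_POLICY, SRC, IDX))
```

The check is deliberately conservative: any wildcard action or resource that could reach beyond the two buckets is reported rather than resolved.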

Customer Data Protection

As a result of the product architecture, CHAOSSEARCH does not hold or store any customer data. Data access that the customers provide to CHAOSSEARCH via the Amazon IAM access role by the authorized users of the service is considered confidential. Customer data never leaves the CHAOSSEARCH production environment for any reason. We encrypt all data communication between the Customer Amazon S3 bucket and the CHAOSSEARCH cloud platform with Transport Layer Security (TLS). CHAOSSEARCH does not leverage any block storage devices such as HDD, SSD, or NVMe. Customer data only exists in memory temporarily during indexing or query and expires when the request completes. CHAOSSEARCH further protects customer data by aggressively leveraging Amazon EC2 Spot instances for a majority of the data indexing and data query processes; these instances have an average lifetime of approximately one hour before being retired.

Physical Security

CHAOSSEARCH leverages Amazon Web Services (AWS), the secure cloud services platform, for elastic compute power, data storage, content delivery, and additional functionality to help us scale, grow and burst securely to meet the needs of our customers all in real-time. CHAOSSEARCH is backed by Amazon Simple Storage Service (Amazon S3), which offers industry-leading scalability, data availability, security, and performance. Amazon S3 provides a highly durable storage infrastructure designed for mission-critical and primary data storage. CHAOSSEARCH leverages established best practices for security controls as part of the security program. CHAOSSEARCH uses our customers’ Amazon S3 object storage as its data repository. AWS provides a secure and scalable environment for data with replication, high availability, and data durability built-in. You can read more details on the physical security of Amazon Web Services on their compliance site.

GDPR

CHAOSSEARCH is committed to complying with the EU General Data Protection Regulation (GDPR) as well as helping our customers ensure their compliance with these regulations such as the "Right to be Forgotten." GDPR helps to strengthen and standardize user data privacy across the EU and any business that could potentially handle EU resident personal data no matter the locality of the company. Review our full GDPR statement here.

Credit Card and Payment Information

CHAOSSEARCH is not a payment processor and partners with third-party PCI-certified vendors for customer credit card processing.

Responsible Disclosure

If you encounter a security issue with the CHAOSSEARCH Platform, please report it to us at security@chaossearch.io. We take all reports of security issues and potential vulnerabilities very seriously and work to resolve these issues as soon as possible. Please note that it is against the CHAOSSEARCH Acceptable Use Policy to run security scanning tools against the platform.