Data Security
Security overview
ChargeOver takes data security very seriously. We understand that you're trusting us with your data, and we do everything possible to keep that data secure. Below are some things we do to keep your data safe.
- We house all of our servers in secure, US-based data centers
- We filter all incoming and outgoing traffic through hardware firewalls
- We do not utilize wireless access at all within our network
- We store all possibly sensitive data encrypted on our servers
- We only allow incoming connections into our network via industry-standard SSL or HTTPS encrypted sessions
- We regularly run penetration-testing exercises and vulnerability-checks against our network
- We track and monitor incoming and outgoing connections extensively
- We utilize industry-standard 256-bit encryption for all SSL connections
- We perform weekly, ASV-certified security scans or audits, internal and external network scans, and other PCI compliance checks
Level 1 service provider
ChargeOver is a PCI DSS Level 1 compliant service provider.
PCI compliance is certified and attested by a PCI ASV on a quarterly basis, and Attestation of Compliance (AOC) and Report on Compliance (ROC) documents are available on request.
Data security
The following data is encrypted at rest within ChargeOver. There may be other data that's encrypted at rest as well, but at the very least this much is.
- ACH bank account numbers, routing numbers, name on the bank account and bank account address information
- Configuration data
  - Essentially how you have configured ChargeOver
- API and webhook credentials and settings
  - This includes anything like webhook URLs and API public or private keys
- SMTP, Sendgrid, Mandrill and Mailgun credentials
- Credit card numbers, name on card, credit card address information, client-side encryption tokens and client-side encryption options
- Payment gateway credentials and tokens
- Integration credentials and configuration
  - This includes anything like API keys entered for integrated applications
Encryption is via the following algorithms.
- Rijndael-256 (AES-256) with a unique IV
- Each individual record has its own unique salt
  - 32-character salt for some data and 40-character salt for other data
- Each specific ChargeOver account is keyed separately
  - Each customer of ChargeOver has their own specific encryption key
The following data is hashed at rest within ChargeOver.
- Administrator passwords
- User passwords
Hashing is done via the following algorithm.
- PBKDF2 algorithm
- 10,000 iterations, key length of 32
- Each individual record has its own unique salt of 40 characters
- Each specific ChargeOver account is salted separately
  - Each customer of ChargeOver has their own specific salt appended to the record's salt
We also mask or scrub a number of pieces of data before we write anything to logs. We scrub or mask credit card data, ACH data, passwords, password reset tokens, etc. before logging emails, webhook responses, debug logs and more.
Physical security
We maintain our own redundant mini-cloud, built on VMware vSphere, with redundant physical machines in our own locked rack cabinet.
Our primary data center is Flexential (ViaWest) in Minneapolis, Minnesota, USA. The data center features:
- SSAE 16 and ISAE 3402 Service Organization Control (SOC) 1 Type II, SOC 2 Type II and SOC 3 reports
- PCI DSS, HIPAA, HITRUST CSF, NIST 800-53, ITAR, and US-EU Safe Harbor Privacy framework
Auditing and compliance
ChargeOver is independently audited by three organizations for security and PCI compliance.
- SecurityMetrics - A leading provider and innovator in data security and compliance for organizations worldwide, provides PCI compliance and penetration testing of ChargeOver
- Synopsys - One of the world’s largest application security firms, provides security compliance testing and penetration testing of ChargeOver
- Intuit - #1 small-business accounting software and payment processor in the world, provides security and compliance testing of ChargeOver
What if ChargeOver has an outage?
Our support team will direct you to our status page if there is an issue we are actively working on. There, our team will post post-mortems and updates about any system-wide issues that we experience.
Need more information?
If you have further questions about security or PCI compliance, feel free to contact us and we can clarify further and send you piles of documentation, security audits, and PCI compliance checks to show you just how far we go to ensure your data is secure.