ChargeOver takes data security very seriously. We understand that you're trusting us with your data, and we do everything possible to keep that data secure. As an overview
- House all of our servers in secure, US-based data centers.
- Filter all incoming and outgoing traffic through hardware firewalls.
- Do not utilize wireless access at all within our network.
- Store all possibly sensitive data encrypted on our servers.
- Only allow incoming connections into our network via industry-standard SSL/HTTPS encrypted sessions.
- Regularly run penetration-testing exercises and vulnerability-checks against our network.
- Track and monitor incoming and outgoing connections extensively.
- Utilize industry-standard 256-bit encryption for all SSL connections.
- Perform weekly, ASV-certified security scans/audits, internal and external network scans, and other PCI compliance checks.
Level 1 Service Provider
ChargeOver is a PCI DSS Level 1 compliant service provider.
PCI compliance is certified and attested by a PCI ASV on a quarterly basis, and Attestation of Compliance (AOC) / Report on Compliance (ROC) documents are available on request.
The following data is encrypted at rest within ChargeOver (there may be other data that's encrypted at rest as well, but at the very least this much is):
- ACH bank account numbers, routing numbers, name on the bank account, bank account address information
- Configuration data (e.g. how you have configured ChargeOver)
- API and webhook credentials and settings (webhook URL, API public/private keys, etc.)
- SMTP/Sendgrid/Mandrill/Mailgun credentials
- Credit card numbers, name on card, credit card address information, client-side encryption tokens, client-side encryption options,
- Payment gateway credentials and tokens
- Integration credentials and configuration (includes any API keys, etc. entered for integrated applications)
Encryption is via the following algorithms.
- Rijndael-256 (AES-256) with a unique IV
- Each individual record has it's own unique salt (32 character salt for some data, 40 character salt for other data)
- Each specific ChargeOver account (e.g. each customer of ChargeOver) has their own specific encryption key
The following data is hashed at rest within ChargeOver
- Administrator passwords
- User passwords
Hashing is done via the following algorithm
- PBKDF2 algorithm
- 10,000 iterations, key length of 32
- Each individual record has it's own unique salt (40 characters)
- Each specific ChargeOver account (e.g. each customer of ChargeOver) has their own specific salt appended to the record's salt
We also mask/scrub a number of pieces of data before we write anything to logs. We scrub/mask credit card data, ACH data, passwords, password reset tokens, etc. before logging emails, webhook responses, debug logs, etc.
We maintain our own redundant mini-cloud (VSphere/VMWare) with redundant physical machines in our own locked rack cabinet.
Our primary data center is Flexential / ViaWest in Minneapolis, Minnesota, USA. The data center features:
- SSAE 16 and ISAE 3402 Service Organization Control (SOC) 1 Type II, SOC 2 Type II and SOC 3 reports
- PCI DSS, HIPAA, HITRUST CSF, NIST 800-53, ITAR, and US-EU Safe Harbor Privacy framework
Auditing and Compliance
ChargeOver is independently audited by three organizations for security and PCI compliance.
- Security Metrics - A leading provider and innovator in data security and compliance for organizations worldwide, provides PCI compliance and penetration testing of ChargeOver.
- Synopsys - One of the world’s largest application security firms, provides security compliance testing and penetration testing of ChargeOver.
- Intuit - #1 Small-business accounting software and payment processor in the world, provides security and compliance testing of ChargeOver.
Need More Information?
If you have further questions about security or PCI compliance, feel free to contact us and we can clarify further and send you piles of documentation, security audits, and PCI compliance checks to show you just how far we go to ensure your data is secure.