The security and privacy of your data are foundational to our platform. We are committed to providing a secure environment for our customers, and this commitment is reflected in our architecture, policies, and the compliance certifications we maintain.

The Lifecycle of Your Data

When you submit a file to Chunkr, it undergoes a carefully controlled lifecycle designed to maximize security and privacy:
  1. Secure Upload: Your data is transmitted to our platform over encrypted TLS channels. Whether you upload a file directly, provide a URL, or send a base64-encoded string, your data is protected in transit.
  2. Ephemeral Storage & Zero Data Retention: Upon receipt, your file is stored in our secure, access-controlled GCS (Google Cloud Storage) and Cloud SQL via GCP (Google Cloud Platform). For maximum security and privacy, you can configure a custom expiration time for each task. Once this period expires, all associated data - including original files, outputs, and any temporary assets - is permanently deleted from our servers. We keep minimal information for billing and auditing. For more details on how to configure this, see our guide on Data Retention.
  3. Data Segregation: We maintain strict logical separation of data between our customers. Your data is never commingled with that of other customers.
  4. Strictly No Training: We will never use your data to train our models. Your data is yours and yours alone.

Our Comprehensive Security Framework

To provide a multi-layered defense for our systems and your data, we have implemented a comprehensive set of security controls, policies, and procedures across all areas of our organization.

Access & Authentication Control

  • Principle of Least Privilege: Access to sensitive data and infrastructure is granted on a strict, need-to-know basis. We have a formal process for granting, reviewing, and revoking access rights.
  • Strong Authentication: Multi-Factor Authentication (MFA) is mandatory for administrative access to all critical services, and we enforce strong password policies.
  • Regular Audits: We maintain inventories of accounts and assets and conduct regular reviews of access permissions. Dormant accounts are promptly disabled.

Data Protection & Encryption

  • End-to-End Encryption: All customer data is encrypted in transit using strong TLS protocols and encrypted at rest using industry-standard AES-256 encryption.
  • Data Management: We maintain a full data inventory and have established clear data management and retention policies to ensure your data is handled responsibly throughout its lifecycle.
  • Endpoint Security: All end-user devices are equipped with anti-malware, firewalls, and full-disk encryption to protect data.

Infrastructure & Network Security

  • Secure by Design: Our infrastructure is deployed using Infrastructure-as-Code (IaC) principles, ensuring that our security configurations are version-controlled, auditable, and consistently applied.
  • Network Defenses: We utilize a defense-in-depth strategy that includes Web Application Firewalls (WAF) and restrictive firewall rules to protect our public-facing infrastructure.
  • Continuous Monitoring: Our infrastructure and network are continuously monitored for performance and security anomalies. We collect and analyze audit logs from all critical systems.

Operational & Application Security

  • Secure Development: We have established a secure software development lifecycle (SDLC), where all changes to our infrastructure and applications are logged and require peer review.
  • Vulnerability Management: We conduct regular automated security scanning of our infrastructure and perform periodic penetration tests to identify and remediate vulnerabilities.
  • Disaster Recovery: We have a robust business continuity and disaster recovery plan, which is tested regularly. Our backups are automated, isolated, and encrypted.

People & Policy

  • Security Culture: All employees undergo regular security awareness training and are bound by a code of conduct and confidentiality agreements.
  • Risk Management: We perform regular risk assessments to proactively identify and mitigate potential threats to our platform and have a formal risk management policy in place.
  • Vendor Security: We maintain a vendor management program to ensure that all third-party services meet our stringent security and compliance standards.

Our Compliance Posture

We understand that our enterprise customers operate in regulated industries. That’s why we’ve invested heavily in ensuring our platform meets the highest standards of security and compliance.
  • SOC 2 (Type I and Type II): We are currently undergoing both SOC 2 Type I and Type II audits, demonstrating our commitment to maintaining a secure and reliable platform. These audits, conducted by an independent third party, validate that our security controls are designed and operating effectively. To request a copy of our latest SOC 2 report, please contact our sales team.
  • HIPAA Compliance: For our customers in the healthcare industry, we offer a HIPAA-compliant processing pipeline. We are prepared to sign a Business Associate Agreement (BAA) to ensure that any Protected Health Information (PHI) is handled in accordance with HIPAA’s stringent security and privacy rules.

We are continuously working to improve our security posture and stay ahead of emerging threats. Our security program includes regular vulnerability scanning, penetration testing, and a dedicated security team to respond to any incidents. Visit our trust center for more details. If you have any questions about our security practices or would like to discuss your specific security needs, please do not hesitate to contact us at [email protected].

Our Subprocessors

To deliver our services, we partner with a select group of third-party vendors. Each subprocessor is vetted to ensure they meet our stringent security and privacy standards. The following table details these partners and the data they handle.

| Vendor | Service | Country |
|---|---|---|
| Amazon Web Services (AWS) | Cloud Infrastructure & Storage | United States |
| Microsoft Azure | Cloud Infrastructure | United States |
| Google Cloud Platform (GCP) | Cloud Infrastructure | United States |
| Cloudflare | Content Delivery Network | United States |
| OpenAI | AI Model Provider | United States |
| PostHog | Product Analytics | United States |
| SigNoz | Analytics & Monitoring | United States |