At Chargebee, we recognize the trust our customers place in us when they share their business and customer information. We take this responsibility with the utmost seriousness. That's why privacy and data security are essential pillars of our business. We are committed to handling your data, and that of your customers, with the highest standards of care, confidentiality, and compliance.
Chargebee has a mature cyber security program aligned to NIST Cyber Security Framework and is certified for ISO 27001.
Infrastructure Security
Chargebee uses Amazon's AWS platform and infrastructure. Cloud security is the highest priority at AWS. As an AWS customer, we are benefitted from a data center and network architecture built to meet the requirements of the most security-sensitive organizations.
AWS deployments follow secure by design principle and are architected based on AWS security best practices. In addition, the entire cloud infrastructure is continuously monitored for its security posture through modern tools.
Host Security
Hardening: All servers / containers instances are built on top of CIS certified images sourced from AWS Marketplace, which are regularly patched / rehydrated. All cloud services follow cloud security guardrails which are also monitored for deviation through cloud security posture management program.
Hi-Trust Access: Chargebee's cloud infrastructure can only be accessed only through hi-trust network segment - authentication to which is protected through multi-factor authentication. This is complimented by layered network layer access controls e.g. bastion host, ACLs, security groups, VPC routes.
Malware Protection: All instances have preventive as well as detective controls to protect against malware execution, ransomware attack etc. reducing risk of system intrusion. Anomalous events triggered by malware protection tools are monitored & acted upon by 24*7 security operations center.
Monitoring
Chargebee operates 24*7 Network Operations Center and Security Operations Center which does continuous monitoring of infrastructure and product stack. Anomalies and errors are monitored & acted upon as per response SOPs.
Identity & Access Management (IAM)
Chargebee uses multi-factor authentication to grant access for all administrative operations including both infrastructure and Chargebee service. Administrative privileges are granted per "Role Based Access". Detailed information on when/why the operations are carried out are documented and notified to the cloud infrastructure / security team before performing any changes in the production environment.
Availability
Availability zones: Chargebee's application is hosted on AWS and deployed across multiple Availability Zones (AZs) to ensure high availability and fault tolerance. The stateless architecture further enhances resilience by eliminating session-level data dependencies.
Data Backup and Recovery: Automated backup mechanisms to perform daily snapshots of databases. These backups are retained for a defined period, providing a reliable recovery window in the event of data loss or corruption. This approach ensures consistent data protection and supports efficient restoration to maintain system resilience.
Application Security
Chargebee follows Secure SDLC which includes key practices like threat modelling, SAST, DAST, SCA and external VAPT. Software security gates are integrated with software delivery pipeline which does continuous scan for security vulnerabilities in code. Reveal also offers functionalities that strengthen security, including:
- Encryption: Chargebee's application servers can be accessed only via HTTPS. We use industry standard encryption for data traversing to and from the application servers.
- Two-factor authentication: This feature allows you to secure your account with both a password and an additional code through email.
- Role-based access control: Role based access can be granted for the users in your Chargebee Reveal account. User roles are assigned by sending an invite. Roles need to be specified to the new user before sending an invite to define the kind of access. Chargebee Reveal application has predefined user roles available. In addition, custom roles can also be created to grant one or more privileges that allow users to perform specific tasks as required.
- XSS: All user input is properly encoded when displayed to ensure XSS vulnerabilities are mitigated.
- SQL Injection: We use prepared statements for database access to avoid SQL Injection attacks.
- Encrypted Data Storage: The keys for various third party services (like payment gateway) are stored in our database in encrypted form.
ISO 27001 Certification
Chargebee complies with globally recognized standards in data handling, and is independently assessed by third party auditors, ensuring that we meet the rigorous standards of ISO 27001.
ISO 27001 (formally known as ISO/IEC 27001:2022) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes with the aim of keeping information secure.
With ISO's robust information security management system (ISMS) in place, you gain the additional reassurance that a full spectrum of security best practices are implemented across the organization.
Chargebee is ISO 27001:2022 certified and we're committed to identifying risks, assessing implications and putting in place systemised controls that inspire trust in everything that we do - right from our codebase to physical infrastructure to people practices.
Data Privacy
Chargebee follows industry-leading practices to protect the personal data entrusted to us. Our approach is designed to ensure that data is:
- Lawful Collection and Processing: We ensure that personal data is collected only when there is a valid legal basis to do so. Chargebee provides clear notices and obtains consent where required, ensuring transparency and fairness in how data is gathered and used.
- Purpose Limitation: Data is collected and processed only for specific and legitimate purposes.
- Data minimisation: Chargebee only collects the minimum information necessary for the provision of our service. We do not process any special categories (as per Article 9 of GDPR) of personal data.
- Data Retention: We retain personal data only for as long as it is necessary to fulfill the purposes for which it was collected or to comply with legal and regulatory requirements.
For more details about our certifications, security or data handling practices, please contact us at compliance@chargebee.com or privacy@chargebee.com.
