Security Policies & Procedures

About Chargebee

Chargebee offers a subscription management and recurring billing solution for online businesses across various industries. Businesses can automate billing, invoicing and payment collection using Chargebee as an extension of their own systems, hosted in the cloud. Businesses can leverage Chargebee's highly secure, scalable system to provide a great billing experience to their customers.

We take security very seriously and we continuously look for opportunities to make improvements.

PCI Compliance

Chargebee is a PCI DSS Level 1 Service Provider.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies and procedures that must be followed by any organization that processes, stores or transmits cardholder data. The PCI Security Standards Council is governed by the five major payment card brands: American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc.

ISO 27001:2013

Chargebee is ISO 27001:2013 certified.

ISO 27001 is an information security management standard that specifies the requirements for an information security management system within an organization, including the assessment and treatment of information security risks tailored to the organization's needs. Chargebee is assessed by an independent third-party auditor, which validates that Chargebee's information security management program is comprehensive and follows leading security best practices.

Physical & Network Security

We use Amazon's AWS platform and infrastructure for Chargebee. Chargebee employees do not have physical access to our production environment.

Here are more details about the security setup of AWS:

“Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, with military grade perimeter control berms. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in. They are also continually escorted by authorized staff.”

In addition to physical security, being on the AWS platform also provides us significant protection against traditional network-level attacks on the infrastructure, such as:

  • Distributed Denial Of Service (DDoS) Attacks

  • Man In the Middle (MITM) Attacks

  • IP Spoofing

  • Port Scanning

  • Packet sniffing by other tenants

Administrative operations

We use two-factor authentication for access to all our administrative operations, covering both the infrastructure and the Chargebee service. Administrative privileges are restricted to very few employees. Additionally, both application-level roles and AWS roles are used to ensure that only the required operations are allowed for specific users.

All administrative access is automatically logged and e-mailed. Detailed information on when and why an operation is carried out is documented and notified to the security team before any change is made in the production environment.

Host Security

SSH keys are required to gain console access to our servers, and each login is tied to an individual named user. All critical operations are logged to a central log server. In addition, our servers can be accessed only from a restricted set of IP addresses.

Hosts are segmented and access is restricted based on function: application requests are accepted only from the AWS Elastic Load Balancer (ELB), and the database servers can be reached only from the application servers.
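The tiered segmentation described above (ELB to application tier on HTTPS only, application tier to database only) is the kind of rule set one verifies rather than trusts. The following is an added example, not Chargebee's code: a small checker that takes security-group ingress rules in the shape returned by the AWS `describe-security-groups` API and reports any rule that breaks the policy. The group IDs, the database port (5432) and the sample rule sets are assumptions constructed for the example.

```python
# Added example (not Chargebee's code): verify that a set of security-group
# ingress rules enforces tiered segmentation: the application tier accepts
# HTTPS only from the load balancer's group, and the database tier accepts
# its port only from the application group. Group IDs and rules below are
# constructed to mimic `aws ec2 describe-security-groups` output.

from copy import deepcopy
from typing import Dict, List

# Hypothetical group IDs (assumption: one security group per tier).
ELB_SG, APP_SG, DB_SG = "sg-elb", "sg-app", "sg-db"

# Constructed sample: group-id -> list of ingress rules. Each rule carries a
# port range and either CIDR sources ("IpRanges") or source groups
# ("UserIdGroupPairs"), as in the AWS API.
GOOD_GROUPS: Dict[str, List[dict]] = {
    ELB_SG: [{"FromPort": 443, "ToPort": 443, "IpRanges": ["0.0.0.0/0"], "UserIdGroupPairs": []}],
    APP_SG: [{"FromPort": 443, "ToPort": 443, "IpRanges": [], "UserIdGroupPairs": [ELB_SG]}],
    DB_SG: [{"FromPort": 5432, "ToPort": 5432, "IpRanges": [], "UserIdGroupPairs": [APP_SG]}],
}

# A deliberately broken variant: the database opened to the Internet and the
# application tier reachable from an unrelated group on a wide port range.
BAD_GROUPS = deepcopy(GOOD_GROUPS)
BAD_GROUPS[DB_SG].append({"FromPort": 5432, "ToPort": 5432, "IpRanges": ["0.0.0.0/0"], "UserIdGroupPairs": []})
BAD_GROUPS[APP_SG].append({"FromPort": 0, "ToPort": 65535, "IpRanges": [], "UserIdGroupPairs": ["sg-office"]})

# Policy: for each internal tier, the single service port and the only
# groups permitted to reach it. The public ELB group is not policed here.
POLICY = {
    APP_SG: {"port": 443, "allowed_sources": {ELB_SG}},
    DB_SG: {"port": 5432, "allowed_sources": {APP_SG}},
}

def check_segmentation(groups: Dict[str, List[dict]], policy=POLICY) -> List[str]:
    """Return a list of human-readable violations; an empty list means the rules match the policy."""
    violations: List[str] = []
    for sg, rule in policy.items():
        for ingress in groups.get(sg, []):
            ports = f"{ingress['FromPort']}-{ingress['ToPort']}"
            # Internal tiers must never be reachable by CIDR, only by source group.
            for cidr in ingress["IpRanges"]:
                violations.append(f"{sg}: ingress {ports} from CIDR {cidr}; only groups {sorted(rule['allowed_sources'])} may connect")
            for src in ingress["UserIdGroupPairs"]:
                if src not in rule["allowed_sources"]:
                    violations.append(f"{sg}: ingress {ports} from group {src} is not allowed")
            # A range wider than the one service port is also a finding.
            if not (ingress["FromPort"] == ingress["ToPort"] == rule["port"]):
                violations.append(f"{sg}: ingress {ports} is not restricted to port {rule['port']}")
    return violations

if __name__ == "__main__":
    for label, groups in (("good", GOOD_GROUPS), ("bad", BAD_GROUPS)):
        print(label, check_segmentation(groups) or "OK")
```

In practice the `groups` argument would be built from the `SecurityGroups[].IpPermissions` fields of a real `describe-security-groups` call; the checker deliberately treats any CIDR source on an internal tier as a finding, since the policy on this page allows tier-to-tier traffic only by security group.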

Application Security

  • Secure Access

    Chargebee application servers can be accessed only via HTTPS. We use industry-standard TLS encryption for data travelling to and from the application servers.

  • XSS

    All user input is output-encoded for the context in which it is displayed, so that cross-site scripting (XSS) vulnerabilities are avoided.

  • CSRF

    All POST requests are checked for a valid CSRF token before the request is processed.

  • SQL Injection

    We use prepared (parameterised) statements for all database access to avoid SQL injection.

  • Encrypted Data Storage

    We do not store sensitive card details anywhere on the Chargebee network. The keys for various third-party services (such as payment gateways) are stored in our database in encrypted form.
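The XSS, CSRF and SQL injection items above each name a control without showing what it looks like in code. The following is an added example, not Chargebee's code, that puts the unsafe form of each next to the hardened form using only the Python standard library: HTML output encoding, a per-session CSRF token compared in constant time, and a parameterised query beside the string-built one it replaces. The table, rows and attack strings are constructed for the example.

```python
# Added example (not Chargebee's code): the three application-layer controls
# listed above, each shown as an unsafe form beside the hardened one.
# All inputs and database rows are constructed for the example.
import html
import hmac
import secrets
import sqlite3
from typing import List, Optional

# --- XSS: encode untrusted input when rendering it into HTML --------------
def render_unsafe(name: str) -> str:
    # Raw interpolation: a name containing <script> is emitted as markup.
    return f"<p>Hello, {name}</p>"

def render_safe(name: str) -> str:
    # html.escape with quote=True encodes & < > " ' so the value is text,
    # whether it lands in element content or a quoted attribute.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"

# --- CSRF: a random per-session token that every POST must echo back -------
def issue_csrf_token() -> str:
    # Stored server-side in the session and embedded in the form; a site the
    # user is lured to cannot read it, so its cross-origin POST fails the check.
    return secrets.token_urlsafe(32)

def csrf_check(session_token: str, form_token: Optional[str]) -> bool:
    # compare_digest avoids a timing side channel on the token comparison.
    return isinstance(form_token, str) and hmac.compare_digest(session_token, form_token)

# --- SQL injection: parameterised statement vs string building ------------
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, plan TEXT)")
    db.executemany("INSERT INTO users (email, plan) VALUES (?, ?)",
                   [("alice@example.com", "pro"), ("bob@example.com", "free")])  # constructed rows
    return db

def find_plan_unsafe(db: sqlite3.Connection, email: str) -> List[str]:
    # The attacker controls part of the SQL text: "x' OR '1'='1" returns every row.
    rows = db.execute(f"SELECT plan FROM users WHERE email = '{email}'").fetchall()
    return [r[0] for r in rows]

def find_plan_safe(db: sqlite3.Connection, email: str) -> List[str]:
    # The same input is bound as a value, so it can only ever match an email literally.
    rows = db.execute("SELECT plan FROM users WHERE email = ?", (email,)).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print(render_unsafe(payload))
    print(render_safe(payload))
    tok = issue_csrf_token()
    print("csrf ok:", csrf_check(tok, tok), "csrf forged:", csrf_check(tok, ""))
    db = make_db()
    attack = "x' OR '1'='1"
    print("unsafe:", find_plan_unsafe(db, attack), "safe:", find_plan_safe(db, attack))
```

The point of running the same attack string through both query functions is that the parameterised version does not "sanitise" it; the string is simply never parsed as SQL. Likewise the encoded output still contains the attacker's text, but as inert characters rather than tags.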

Vulnerability Scanning & Patching

We periodically check for and apply patches to third-party software and services. As and when vulnerabilities are discovered, we apply the fixes. We perform periodic vulnerability scanning using the services of an authorized QSA.

Data Storage & Redundancy

We use Amazon RDS for our database. The automated backup feature is configured for RDS, and we retain backups for up to 30 days. We have configured Amazon RDS in Multi-AZ mode, which provides enhanced availability and durability: each Availability Zone (AZ) runs on its own physically distinct, independent infrastructure and is engineered to be highly reliable. More details @

Monitoring

We use both internal and multiple external monitoring services to monitor Chargebee. Our monitoring system alerts the Operations & Security Team by e-mail and phone call if there are any errors or abnormalities in the request pattern.


We are working continuously to make our system secure. If you find any security issues, please submit it to We take security as our highest priority. We will make sure the issue is fixed and updated at the earliest.