Security Overview

How we keep your data safe and our systems reliable

Summary

Security is as important to us as it is to you. We know you are placing trust in us and guarantee that we will not knowingly compromise that. We strive to provide a reliable and secure environment, while maintaining a high speed of development and growth.

Chameleon is SOC 2 Type II compliant and received a clean attestation report (with no exceptions) in December 2024.

Chameleon has implemented a continuous testing and monitoring system over the complete set of security and infrastructure controls that form the basis of a SOC 2 audit. This provides a real-time view of control status and threats and is in line with the most rigorous security measures taken by SaaS businesses today.

This document was last edited March 2025


Data security

  • Chameleon Management has approved all policies that detail how customer data may be made accessible and should be handled confidentially. These policies are accessible to all employees and contractors.

  • Chameleon authorizes access to information resources, including data and the systems that store or process customer data, based on the principle of least privilege.

  • Chameleon has established written policies related to retention periods for the confidential information it maintains.

  • Chameleon has established a data classification policy in order to identify the types of confidential information possessed by the entity and types of protection that are required.

  • Chameleon only collects basic, non-identifying data such as page loads. No personal or private data is collected by default. For the full list of what we collect see here.

  • Chameleon's subprocessors are GDPR compliant and reviewed annually.

  • Chameleon stores all its data in USA-based databases that are encrypted at rest with AES-256.

  • Chameleon's transactional email provider, Postmark, uses opportunistic TLS for SMTP delivery: mail is encrypted in transit whenever the receiving mail server advertises STARTTLS, and falls back to unencrypted delivery when it does not. This is the common default for SMTP today. Read more about this here. To learn more about email encryption you can read this overview from Google.

  • Chameleon does not handle any credit card information. We use Stripe, a first-class payment processor, which is PCI DSS compliant and maintains security best practices. You can read more about these here.


Infrastructure security

  • All of Chameleon's services run in the cloud. Chameleon does not run its own routers, load balancers, DNS servers, or physical servers.

  • Chameleon infrastructure is hosted in a fully redundant, secured VPC (virtual private cloud) environment, which provides firewall protection, private IP addressing and other network-level controls. Different components of our application and our APIs are hosted separately.

  • The vast majority of Chameleon's services and data are hosted on Heroku (part of Salesforce App Cloud) and Amazon Web Services (AWS) facilities in the USA.

  • Both Heroku and AWS maintain best-in-class security processes and equipment, backed by audit reports, certifications and independent assessments. You can read about this for Heroku here and for AWS here.

  • Chameleon's Heroku data center is based in the US, which has been accredited under: ISO 27001; SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II); PCI Level 1; FISMA Moderate; and Sarbanes-Oxley (SOX).

  • Chameleon's data is stored using our database provider, MongoDB Atlas.

  • Data is backed-up daily and all backups are encrypted. You can read more about these here.

  • Chameleon uses MongoDB’s Elastic Deployments backup solution for datastores that contain customer data. You can read more about this here.

  • Chameleon is served over HTTPS with HSTS preloaded for trychameleon.com, and all Chameleon web application traffic (including cookies) is encrypted with TLS using 256-bit symmetric ciphers, the same class of protection used by banks and financial institutions. Our certificates use 2048-bit RSA keys and are signed with SHA-256.

  • Chameleon ensures that all connections to its web application from its users are encrypted and TLS protocols are enforced.

  • Chameleon has implemented monitoring tools (such as New Relic and Bugsnag) for Chameleon's databases, servers, and messaging queues. These notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.

  • Chameleon has an established key management process in place to support the organization's use of cryptographic techniques.

  • Chameleon requires two-factor authentication to access sensitive systems and applications, in the form of a user ID and password plus an OTP and/or a client certificate.

  • SSH access from the public internet is not permitted.

  • Chameleon engages with a third-party to conduct vulnerability scans of the production environment at least annually. Results are reviewed by management and high priority findings are tracked to resolution.

  • Chameleon engages with a third-party to conduct penetration tests of the production environment at least annually. Results are reviewed by management and high priority findings are tracked to resolution.

  • Chameleon aims to maintain 99.9% uptime or higher across our services. You can check and subscribe to our stats and incident history from our status page.

  • Chameleon replicates production data across multiple availability zones.
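
The HSTS preload claim above is only meaningful if the header actually meets the preload requirements (a max-age of at least one year, includeSubDomains, and the preload token, served over HTTPS). The following is an added example, not code from Chameleon or from this page, that audits a Strict-Transport-Security header against those requirements. The sample header values are constructed for illustration and are not Chameleon's real response headers; the one-year threshold is the published hstspreload.org minimum at the time of writing.

```python
# Audit a Strict-Transport-Security header against the requirements of the
# Chrome HSTS preload list (hstspreload.org). Example code, not Chameleon's own.

PRELOAD_MIN_MAX_AGE = 31_536_000  # one year in seconds (preload list minimum)


def check_preload_ready(header_value: str) -> list[str]:
    """Return a list of problems; an empty list means the header is preload-ready."""
    problems: list[str] = []
    seen: set[str] = set()
    directives: dict[str, str] = {}

    # RFC 6797 section 6.1: directives are ';'-separated, names are case-insensitive,
    # and a directive must not appear more than once.
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in seen:
            problems.append(f"duplicate directive: {name}")
        seen.add(name)
        directives[name] = value.strip().strip('"')

    max_age = directives.get("max-age")
    if max_age is None:
        problems.append("missing max-age (header is invalid per RFC 6797)")
    elif not max_age.isdigit():
        problems.append(f"max-age is not a non-negative integer: {max_age!r}")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(
            f"max-age {max_age} is below the preload minimum of {PRELOAD_MIN_MAX_AGE}"
        )
    if "includesubdomains" not in directives:
        problems.append("missing includeSubDomains")
    if "preload" not in directives:
        problems.append("missing preload")
    return problems


def audit_response(headers: dict[str, str]) -> list[str]:
    """Audit an HTTPS response's header map (header names matched case-insensitively)."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return check_preload_ready(value)
    return ["no Strict-Transport-Security header"]


# Constructed sample headers (not captured from any real site).
STRONG_HEADER = "max-age=31536000; includeSubDomains; preload"
WEAK_HEADER = "max-age=300"

if __name__ == "__main__":
    for label, value in (("strong", STRONG_HEADER), ("weak", WEAK_HEADER)):
        print(label, check_preload_ready(value) or "preload-ready")
```

To run this against a live site, fetch the headers over HTTPS (for example with urllib.request and response.headers) and pass them to audit_response; a header seen only over plain HTTP must be ignored, since browsers discard HSTS on non-TLS responses.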


Organizational security

  • Chameleon's new hires and/or internal transfers are required to go through an official recruiting process, during which their qualifications and experience are screened to ensure that they are competent and capable of fulfilling their responsibilities.

  • Chameleon Management has approved security policies, and all employees agree to these procedures when hired. Management also ensures that security policies are accessible to all employees and contractors.

  • Chameleon conducts background checks (administered by Checkr) for all employees that have access to customer data.

  • Chameleon has established training programs for privacy and information security to help employees understand their obligations and responsibilities under Chameleon's security policies and procedures. This includes the identification and reporting of incidents. All full-time employees are required to complete this training annually.

  • Chameleon reviews its organizational structure, reporting lines, authorities, and responsibilities in terms of information security on an annual basis.

  • Access to infrastructure and code review tools is removed from terminated employees within one business day.

  • Chameleon has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and/or employee transfers.

  • Chameleon has established formal guidelines for passwords to govern the management and use of authentication mechanisms, including the use of a password manager (1Password for Teams). You can learn how this improves our safeguards here.

  • Chameleon ensures that all company-issued computers use a screen lock with a timeout of no more than 60 seconds and have full-disk encryption enabled. Further, security patches are applied automatically and antivirus software is installed on workstations to protect against malware.

  • Chameleon uses a version control system to manage source code, documentation, release labeling, and other change management tasks. Access to the system must be approved by a system admin. Only authorized Chameleon personnel can push or make changes to production code.

  • Chameleon operates a test-driven development approach. This means Chameleon builds rigorous tests, which must pass before any new code is deployed into production environments.

  • Chameleon tracks security deficiencies through internal tools and closes them within an SLA that management has pre-specified.

  • Chameleon provides a process for reporting security, confidentiality, integrity, and availability failures, incidents, concerns, and other complaints to external users and workforce members.

  • Chameleon uses encryption to protect user authentication and admin sessions of the internal admin tool transmitted over the Internet.

  • Chameleon has defined a formal risk management process that specifies risk tolerances and the process for evaluating risks, based on identified threats and the specified tolerances.

  • Chameleon engages with a third-party to conduct a Risk Assessment at least annually. Results are reviewed by management and high priority findings are tracked to resolution.

  • Chameleon has an established BC/DR plan that outlines roles, responsibilities and detailed procedures for recovery of systems.

  • Chameleon has implemented an Incident Response Policy that includes creating, prioritizing, assigning, and tracking follow-ups to completion. This also includes responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents and annual testing.


Subprocessors

As with any SaaS business, Chameleon uses best-in-class products ("vendors") to help us deliver the best functionality and user experience for our customers. This section gives an overview of what we use and where you can find more information about the GDPR compliance of these vendors.

To learn more about Chameleon's commitment to GDPR, please read this article.

To stay informed about any subprocessor changes, please enter your (or the appropriate) email address into the Security & Privacy Notifications field under Account Settings in your Dashboard.

Core infrastructure

Heroku

Heroku is a cloud platform to host and deploy our application code (the basis of the Chameleon software application). This serves as the infrastructure that allows us to log you into the correct account or show you the correct colors when you add a particular HEX code, etc.

Learn about Heroku's GDPR compliance here and its Privacy Policy here.

MongoDB

MongoDB is our database provider, where we store all data associated with Chameleon. This holds the information about the configuration of a tour you created or the history of what a user has seen (to ensure they don't see it again). It's our source of truth and a key component in allowing Chameleon to function.

Learn about MongoDB's GDPR compliance here and its Privacy Policy here.

Fastly

Fastly is a content delivery network that serves as the endpoint for all of our customer-facing APIs, where our JavaScript is loaded from, and where responses are cached for subsequent re-use.

Learn about Fastly's GDPR compliance here and its Privacy Policy here.

Data analytics

Mixpanel

Mixpanel is an analytics platform that helps us understand what parts of our product users are engaging with. We also track overall tour data by account (e.g., how many tours were started on a certain domain). We don't collect or see any user attribute data you are sending to Chameleon here.

Learn about Mixpanel's GDPR compliance here and its Privacy Policy here.

Hotjar

Hotjar is a website analytics and session replay product that helps us see clearly what actions our website visitors take and where they might get stuck or confused. This alerts us to issues that we can resolve.

Learn about Hotjar's GDPR compliance here including its Privacy Policy.

Twilio Segment

Segment is an API hub; in addition to our database, we send all user interaction and analytics data through Segment and then onwards to other vendors.

Learn about Segment's GDPR compliance here and its Privacy Policy here.

Billing

Stripe

Stripe is our credit card and payment processing platform. Stripe handles all sensitive credit card and account information on our behalf, so card data never touches Chameleon's systems and we rely on Stripe's PCI-compliant infrastructure to keep it safe.

Learn about Stripe's GDPR compliance here and its Privacy Policy here.

Communications

Intercom

Intercom helps us manage our support (tickets and help articles) with our customers. Intercom also supplements our customer data from other sources, and you can read more about this here.

Learn about Intercom's GDPR compliance here and find its Privacy Policy here.

Customer.io

Customer.io helps us manage our email communication (such as feature announcements or blog updates) with our customers.

Learn about Customer.io's GDPR compliance here including its Privacy Policy.

Postmark

Postmark is a transactional email management platform. We use it to send emails such as magic login links or when you invite your colleagues to Chameleon.

Learn about Postmark's GDPR compliance here including its Privacy Policy.

Slack

Slack is our internal communications platform (instead of email) and also contains a stream of events that our customers are taking, such as payments, errors, usage, and tickets. This helps everyone know about issues to respond to quickly and provides us a clearer idea of what's happening "in the wild."

Learn about Slack's GDPR compliance here and its Privacy Policy here.

Advertising

AdWords by Google

We use AdWords pixel (cookie) to enable us to show visitors to our website ads about Chameleon and our content on the Google platform. This helps remind prospective customers about Chameleon's value and helps us grow our business.

Learn about AdWords' GDPR compliance here and its Privacy Policy here.

You can learn how to manage Google's ads here.

Facebook (Meta)

We use Facebook pixel (cookie) to enable us to show visitors to our website ads about Chameleon and our content on the Facebook platform. This helps remind prospective customers about Chameleon's value and helps us grow our business.

Learn about Facebook's GDPR compliance here and its Privacy Policy here.

You can learn how to turn off Facebook's personalized ads here.

Twitter

We use Twitter pixel (cookie) to enable us to show visitors to our website ads about Chameleon and our content on the Twitter platform. This helps remind prospective customers about Chameleon's value and helps us grow our business.

Learn about Twitter's GDPR compliance here and its Privacy Policy here.

You can learn how to turn off Twitter's personalized ads here.

Supplementary tools

HubSpot

HubSpot is our CRM tool where we track companies interested in purchasing Chameleon and review customer health. We pass data about key events and attributes about customers and companies into this system of record to help us know who to contact, about what, and when.

Learn about HubSpot's Privacy Policy here.

Calendly

Calendly is our meeting scheduling service, helping us find time to talk to our customers and prospects for demo calls, webinars, troubleshooting meetings, etc., which require registration.

Learn about Calendly's Privacy Policy here.

Zoom

Zoom is our video conferencing platform. We also use it for hosting webinars or group calls, which sometimes require registration.

Learn about Zoom's GDPR compliance here and its Privacy Policy here.

Pipedream

Pipedream is a platform for automating interactions with APIs and running code in a serverless environment. Chameleon uses Pipedream to automate invoice-based billing, respond to changes in our various systems, and move data around to other relevant systems.

Learn about Pipedream's Security and Privacy here.

Typeform

Typeform is our microsurveying tool, utilized when gathering ad-hoc customer feedback or for job applications. Chameleon also has a Typeform integration, allowing customers to show Typeform microsurveys to their customers within their products from Chameleon product tours.

Learn about Typeform's GDPR compliance here and its Privacy Policy here.

Dreamdata

Dreamdata is our tool for connecting website visits and inbound leads to new customers and revenue.

Learn about Dreamdata's GDPR compliance here and its Privacy Policy here.

DocuSign

DocuSign is our contract management tool, which we use to collect e-signatures in contracts with our larger customers.

Learn about DocuSign's GDPR compliance here and its Privacy Policy here.

WorkOS

WorkOS is a tool for managing SSO connections for our customers. Customers use the WorkOS portal to configure their SSO connection details and their user provisioning connection.

Learn about WorkOS's GDPR compliance here and its Privacy Policy here.

OpenAI

OpenAI is a tool for using and running AI-based workflows. Chameleon's customers indirectly interact with OpenAI when they use Chameleon's AI features such as A/B testing, copy improvement, etc.

Learn about OpenAI's GDPR compliance here and its Privacy Policy here.


More information