Security at Cheqpoint

Security Overview

We take the security of your data and your AI Assistants' decisions seriously.

Data Encryption

Data is transmitted over TLS 1.3 and encrypted at rest with AES-256. Connection Keys are hashed and never transmitted in plaintext after creation.

Multi-Tenant Isolation

Every query is filtered by workspaceId at the ORM layer to ensure isolation. No query can access another workspace's data.

Session Security

Sessions use HMAC-SHA256 signed cookies. No JWTs are stored in localStorage. Sessions rotate on sensitive actions such as password changes and permission changes.

Audit Trail

Decisions are permanently logged with reviewers and rules. Audit trails cannot be deleted, and CSV exports are tamper-evident.

Connection Keys

Connection Keys are hashed before storage and can be rotated at any time. Rotating a key immediately invalidates the previous one.

Rate Limiting

Hourly and daily rate limits are enforced at the edge. Violations result in automatic rejection with a reason returned to the SDK.

SOC 2 Type II (In progress)

SOC 2 Type II audit is in progress (expected Q3 2026). Enterprise customers can contact security@cheqpoint.co for pre-certification documentation.

Responsible Disclosure

Email security@cheqpoint.co to report vulnerabilities. We acknowledge reports within 24 hours and resolve critical issues within 72 hours.

Infrastructure

Hosted on Vercel (UK/EU regions). Database: PostgreSQL with automated daily backups and point-in-time recovery. We target 99.9% uptime. See real-time status at /status.

Compliance

GDPR

Ready

Full GDPR compliance for EU and UK customers. DPA available. Right to erasure and data portability supported in-product.

CCPA

Compliant

California Consumer Privacy Act. Residents can request data deletion or export from Settings. We do not sell personal data.

HIPAA

Ready

Cheqpoint provides the safeguards required for HIPAA compliance, including RBAC, audit trails, and encryption. Healthcare customers can request a BAA.

SOC 2

Ready

Controls mapped to all Trust Service Criteria. Formal Type II audit planned for Q3 2026. Security documentation is available on request.

EU AI Act

Ready

Cheqpoint adds the human oversight required by EU AI Act Article 14. Audit trails and decision logging are built in for high-risk systems.

ISO 27001

Aligned

Our controls align with ISO 27001 domains including access control, incident management, and cryptography. Formal certification planned following SOC 2 completion.

Security questions or enterprise review?

Email security@cheqpoint.co for vulnerability reports, enterprise security reviews, and compliance documentation requests.