Security at DataChonk
We take the security of your data seriously. This page outlines our security practices, controls, and commitment to protecting your information.
Last updated: January 30, 2026
SOC 2 Compliance Commitment
DataChonk is committed to meeting SOC 2 Type II compliance standards. We have implemented controls aligned with the Trust Services Criteria covering Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Data Encryption
Encryption in Transit
All data transmitted to and from DataChonk is encrypted using TLS 1.3. We enforce HTTPS for all connections and send HSTS (HTTP Strict Transport Security) with a two-year max-age, so browsers that have seen the header refuse to fall back to plain HTTP and downgrade (SSL-stripping) attacks are prevented.
Encryption at Rest
Sensitive data, including database credentials, API keys, and authentication tokens, is encrypted with AES-256-CBC before it is written to storage. Database storage is provided by Supabase, which encrypts all data at rest.
Key Management
Encryption keys are managed securely and rotated according to our key management policy. Keys are never stored in code repositories or transmitted in plain text.
Access Controls
- Authentication: Secure authentication via Supabase Auth with email verification and optional magic links.
- Authorization: Role-based access control (RBAC) with Row Level Security (RLS) policies ensuring users can only access their own data.
- Session Management: Secure session handling with an absolute timeout of 24 hours after sign-in and an idle timeout after 30 minutes of inactivity.
- API Security: API endpoints are protected with rate limiting and require valid authentication tokens.
- Admin Access: Administrative functions require additional verification and are limited to authorized personnel.
Data Retention Policy
| Data Type | Retention Period | Justification |
|---|---|---|
| Account Data | Until account deletion + 30 days | Account recovery period |
| Project Data | Until project deletion + 30 days | Accidental deletion recovery |
| Security Audit Logs | 7 years | Compliance and forensics |
| Activity Logs | 1 year | User experience and debugging |
| Session Logs | 90 days | Security monitoring |
| Failed Login Attempts | 90 days | Security analysis |
| Payment Records | 7 years | Tax and legal compliance |
Infrastructure Security
- Hosting: Deployed on Vercel's secure, SOC 2 compliant infrastructure.
- Database: Supabase (PostgreSQL) with automatic backups, point-in-time recovery, and encryption at rest.
- DDoS Protection: Built-in DDoS mitigation through Vercel's edge network.
- Rate Limiting: Distributed rate limiting via Upstash Redis to prevent abuse.
- Security Headers: Comprehensive security headers including CSP, HSTS, X-Frame-Options, and more.
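The Security Headers item above and the HSTS statement in Encryption in Transit describe the response headers the site sends. The block below is an added example, not DataChonk's code, in the shape a Next.js `headers()` export takes on a Vercel deployment, together with an audit function that parses a captured response's headers and confirms they meet the stated policy, including the two-year HSTS max-age. The CSP directives and the headers beyond CSP, HSTS and X-Frame-Options are assumptions; the page does not publish its exact values. The two response header maps at the end are constructed for the example.

```javascript
// Added example, not DataChonk's code: security header policy plus an audit
// that checks a response's headers against it.
const TWO_YEARS = 63072000; // seconds; the "two-year max-age" the page states

const SECURITY_HEADERS = [
  { key: "Strict-Transport-Security", value: `max-age=${TWO_YEARS}; includeSubDomains; preload` },
  { key: "Content-Security-Policy",
    value: "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'" },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
];

// In next.config.js:  module.exports = { async headers() { return headersConfig(); } };
function headersConfig() {
  return [{ source: "/(.*)", headers: SECURITY_HEADERS }];
}

// Parse an HSTS value into its directives; directive names are case-insensitive.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(";")) {
    const [name, raw] = part.trim().split("=").map((s) => s.trim().toLowerCase());
    if (name === "max-age" && /^\d+$/.test(raw || "")) out.maxAge = Number(raw);
    else if (name === "includesubdomains") out.includeSubDomains = true;
    else if (name === "preload") out.preload = true;
  }
  return out;
}

// Audit a response's headers (plain object, lower-case names) and return findings.
function auditHeaders(headers, { minMaxAge = TWO_YEARS } = {}) {
  const findings = [];
  const get = (name) => headers[name.toLowerCase()];
  const hsts = get("Strict-Transport-Security");
  if (!hsts) {
    findings.push("missing Strict-Transport-Security");
  } else {
    const h = parseHsts(hsts);
    if (h.maxAge === null || h.maxAge < minMaxAge) findings.push(`HSTS max-age below ${minMaxAge}`);
    if (!h.includeSubDomains) findings.push("HSTS lacks includeSubDomains");
  }
  const csp = get("Content-Security-Policy");
  if (!csp) findings.push("missing Content-Security-Policy");
  else if (!/frame-ancestors/i.test(csp)) findings.push("CSP lacks frame-ancestors");
  const xfo = get("X-Frame-Options");
  if (!xfo || !["DENY", "SAMEORIGIN"].includes(xfo.toUpperCase())) {
    findings.push("X-Frame-Options not DENY/SAMEORIGIN");
  }
  if ((get("X-Content-Type-Options") || "").toLowerCase() !== "nosniff") {
    findings.push("missing X-Content-Type-Options: nosniff");
  }
  return findings;
}

// Constructed responses for the example: one matching the policy, one with typical gaps.
const GOOD_RESPONSE = Object.fromEntries(SECURITY_HEADERS.map((h) => [h.key.toLowerCase(), h.value]));
const WEAK_RESPONSE = {
  "strict-transport-security": "max-age=300",
  "x-frame-options": "ALLOW-FROM https://example.com",
};
```

Two caveats on the HSTS line: `preload` only takes effect once the domain is submitted to the browser preload list, and because that listing is hard to undo, it should only be sent when every subdomain is already served over HTTPS. X-Frame-Options is kept alongside CSP `frame-ancestors` for older clients; modern browsers honour the CSP directive first.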
Incident Response
We maintain an incident response plan that includes:
1. Detection and analysis of security events
2. Containment and eradication procedures
3. Recovery and post-incident review
4. Customer notification within 72 hours of a confirmed breach
To report a security vulnerability, please email security@datachonk.dev
Questions about our security?
Contact our security team for more information or to request our security documentation.