Security Policy

Last updated: June 1, 2026

Our Commitment

Security is foundational to ChartGPT. We handle your database connections and business data with the same care we would apply to our own. This document describes the technical and operational controls we have in place.

Security Measures

Encryption in Transit

All traffic is encrypted using TLS 1.2+. HTTP connections are automatically redirected to HTTPS.

Encryption at Rest

Database credentials are encrypted using AES-128-CBC (Fernet) before storage. Passwords are hashed with bcrypt (cost factor 12).

Authentication

JWT access tokens (15-minute expiry) with rotating opaque refresh tokens. Tokens are stored in HttpOnly, Secure cookies.

๐Ÿข

Workspace Isolation

All resources (connections, queries, dashboards) are scoped to a workspace with enforced server-side ownership checks. Users cannot access data from other workspaces.

AI Query Safety

We pass only schema metadata and natural language intent to the AI model; raw data rows are never sent to external AI APIs unless you explicitly share a result.

Read-Only Recommendations

We strongly recommend creating dedicated read-only database users for ChartGPT connections to limit the blast radius of credential compromise.

Audit Logging

All queries executed against your databases are logged with timestamps and user context for 90 days.

Dependency Scanning

Dependencies are regularly scanned for known vulnerabilities using automated tools. Critical patches are applied within 48 hours.

Infrastructure

  • Production services run in isolated containers with minimal attack surface.
  • Database credentials for ChartGPT's own infrastructure are rotated regularly.
  • Access to production systems is restricted to authorised personnel with MFA.
  • Regular penetration testing is conducted by internal security engineers.

Your Responsibilities

  • Use strong, unique passwords and enable MFA when available.
  • Create a dedicated read-only database user for ChartGPT instead of using admin credentials.
  • Restrict network access to your database with an IP allowlist that permits only ChartGPT's IP addresses.
  • Rotate credentials immediately if you suspect compromise.
  • Review query audit logs regularly for unexpected access.

Responsible Disclosure

We appreciate the security community's efforts to help keep ChartGPT safe. If you discover a security vulnerability, please report it responsibly:

Email: security@chartgpt.in

PGP key: Available on request

Response SLA: Initial acknowledgement within 24 hours; triage within 72 hours

Scope: chartgpt.in and all subdomains, our APIs, and mobile clients

Out of scope: Social engineering, physical attacks, denial of service

Please do not disclose vulnerabilities publicly until we have had a reasonable opportunity to investigate and remediate. We do not pursue legal action against researchers acting in good faith.

Bug Bounty

We are in the process of establishing a formal bug bounty programme. In the meantime, we recognise and thank researchers who report valid vulnerabilities responsibly.

Contact

General security enquiries: security@chartgpt.in · YT Corporation, India.