Docs

Security

How chrt protects your data in transit and at rest.

chrt takes your security seriously. This page covers how we encrypt your data at rest, how we secure traffic in transit, and what we do (and don’t) keep when you delete data.

Encryption at rest

When using chrt, your files are encrypted by default while at rest using AES-GCM (256-bit Advanced Encryption Standard Galois/Counter Mode).

Each file is encrypted with a unique key. All file keys are encrypted with a main key. The main key is rotated frequently and automatically.

We do not want, or expect, to ever put your data at risk of being readable by someone who doesn’t have your permission.

When you upload a file, or when we generate a file for you, we store that data redundantly on multiple machines in one or more datacenters. When you request that a file be deleted, all copies are deleted. If a service outage prevents the full deletion of your data, that will be shown in the user interface so that it’s clear. When you delete your data, we no longer have a copy of it.

The only data we retain after deletion is basic account information. For more detail, see our full Terms of Service and Privacy Policy.

Encryption in transit

All traffic to and from chrt occurs over encrypted connections (HTTPS). We use modern web best practices for encrypting traffic.

  • HTTPS only. We route traffic through a load balancer that automatically redirects insecure HTTP traffic to secure HTTPS. You can test this by opening http://chrt.com — you’ll still end up at https://chrt.com.
  • Modern TLS. Our servers default to TLS 1.3, the newest version of the TLS protocol. They are also backwards compatible with TLS 1.2 for convenience if you’re using a somewhat old browser. We don’t accept anything older than TLS 1.2.
  • Modern ciphers. Since TLS allows for a choice of encryption cipher, our servers only allow modern ones — the sort that are not vulnerable to decryption. The specific list we allow: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384.
  • Domain-level integrity. We prevent DNS spoofing by using DNSSEC to establish a chain of trust from the Certificate Authority to each of our hosted sites (for example, chrt.com, docs.chrt.com, and api.chrt.com). We sign our key using ECDSA Curve P-256 with SHA-256. You can verify this in Google Chrome by clicking the settings button next to the URL, then Connection is secure, then Certificate is valid to open a window showing our certificate details.