Security

We can read your Google directory.
We can never change it.

Read-only access. 15-minute cache. Encrypted everywhere. Your employee data is never sold or shared.

Data Handling

We ask for the least access possible

One read-only permission. A 15-minute cache. No permanent copies. That's it.

Read-Only Access

We look. We never touch. ChartPull requests a single OAuth scope: admin.directory.user.readonly. We never write, modify, or delete any data in your Google Workspace.

Ephemeral Cache

Your data passes through. It doesn't stay. Directory data is cached for 15 minutes to improve performance. No permanent copy of your employee directory is stored on our servers.

Encryption Everywhere

Locked in transit. Locked at rest. All data is encrypted with TLS 1.2+ in transit and AES-256 at rest. API keys and tokens are stored using industry-standard encryption.

Infrastructure

Boring infrastructure. On purpose.

No exotic tech. Just battle-tested platforms your IT team already knows and trusts.

Vercel Edge Network

Deployed on Vercel with built-in DDoS protection, automated SSL certificate management, and a global CDN for low-latency access worldwide.

Neon PostgreSQL

ChartPull runs on SOC 2 Type II certified infrastructure (Vercel, Neon PostgreSQL). ChartPull itself is not independently SOC 2 certified — we prioritize transparent security practices and are evaluating independent certification.

Sentry Monitoring

Real-time error tracking and performance monitoring via Sentry. No personally identifiable information (PII) is captured in error logs.

Authentication

Who gets in — and who doesn't

Every request is verified. Every user is scoped to their own Workspace. No exceptions.

  • Google OAuth 2.0 with PKCE for all user authentication
  • SAML 2.0 SSO for enterprise identity providers (Okta, Azure AD, Google)
  • Domain-level access control -- only your Workspace users can see your data
  • Scoped API keys with granular read-only permissions
  • Audit logging with 90-day retention for all administrative actions

Compliance

The compliance stuff your team cares about

GDPR Compliant: EU data protection regulations
Google API Limited Use: Compliant with Google API Services User Data Policy
No Data Sharing: Your data is never sold, shared, or used for advertising
90-Day Audit Retention: Full administrative action trail

HTTP Headers

Security headers

Every response includes hardened HTTP security headers to prevent common web attacks.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
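The following is an added example, not ChartPull's own code, showing how an IT team could verify that a response actually carries the four headers listed above at the stated strength. It takes a plain object of header names to values (what `fetch()` or Node's `http` module hands you), parses the HSTS and CSP directives rather than string-matching them, and returns a list of findings; an empty list means the policy above is met. The sample responses at the bottom are constructed for illustration, not captured from any real server, and the hypothetical `checkSecurityHeaders` helper is mine.

```javascript
// Added example (not ChartPull's code): audit a response's security headers
// against the policy listed on this page. Header names are case-insensitive.

const MIN_HSTS_MAX_AGE = 63072000; // two years, the value the page states

// Parse "max-age=N; includeSubDomains; preload" into a small record.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const d = raw.trim().toLowerCase();
    if (d.startsWith('max-age=')) {
      const n = Number(d.slice('max-age='.length));
      if (Number.isFinite(n)) result.maxAge = n;
    } else if (d === 'includesubdomains') {
      result.includeSubDomains = true;
    } else if (d === 'preload') {
      result.preload = true;
    }
  }
  return result;
}

// Parse a CSP string into Map<directive, [sources...]>.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Source lists that would let third-party or inline script run.
function isPermissive(sources) {
  return sources.some(
    (s) => s === '*' || s === "'unsafe-inline'" || s === "'unsafe-eval'" ||
      s === 'data:' || /^https?:$/.test(s)
  );
}

// Returns an array of human-readable findings; [] means the policy is met.
function checkSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const p = parseHsts(hsts);
    if (p.maxAge === null || p.maxAge < MIN_HSTS_MAX_AGE) findings.push(`HSTS max-age below ${MIN_HSTS_MAX_AGE}`);
    if (!p.includeSubDomains) findings.push('HSTS lacks includeSubDomains');
    if (!p.preload) findings.push('HSTS lacks preload');
  }

  if ((h['x-frame-options'] || '').trim().toUpperCase() !== 'DENY') findings.push('X-Frame-Options is not DENY');

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const d = parseCsp(csp);
    const defaultSrc = d.get('default-src') || [];
    const scriptSrc = d.get('script-src') || defaultSrc; // script-src falls back to default-src
    if (defaultSrc.length === 0) findings.push('CSP has no default-src');
    else if (isPermissive(defaultSrc)) findings.push('CSP default-src is permissive');
    if (isPermissive(scriptSrc)) findings.push('CSP script-src is permissive');
  }

  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');

  return findings;
}

// Constructed sample responses (not captured from any real server).
const hardenedResponse = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'",
  'X-Content-Type-Options': 'nosniff',
};
const weakResponse = {
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src *; script-src 'self' 'unsafe-inline'",
};

console.log(checkSecurityHeaders(hardenedResponse)); // []
console.log(checkSecurityHeaders(weakResponse));     // seven findings
```

The CSP check deliberately treats a missing `script-src` as inheriting `default-src`, which is how browsers resolve it, so a policy of `default-src *` alone is flagged on both counts rather than passing silently.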

Data Residency

Data is processed in the United States. CDN edge nodes serve static content globally via Vercel's Edge Network.

Responsible Disclosure

Found a vulnerability? We take security seriously. Contact security@chartpull.com for responsible disclosure.

Your IT team will have questions. We're ready.

Send us your security questionnaire. We'll fill it out. Or read our privacy policy first -- it's written in plain English.