Security and Privacy
At ChatForm, trust is our paramount principle, and we prioritize your privacy and security accordingly. Our policies are designed to uphold the utmost confidentiality and integrity in the handling of your data.
1. Data Controller and Processor Responsibilities
ChatForm acts as the data processor, handling data strictly according to the terms set out in our Data Processing Agreement (DPA) with clients. For data collected through the platform, the client is the data controller. ChatForm serves as the data controller for personal data related to our clients’ employees (such as usernames and named contacts, but not our clients’ chat visitors or their own end-customers).
2. Data Retention and Deletion Policy
ChatForm retains personal data only for the duration specified in our contract with clients. Clients have the option to request the deletion of personal data at earlier intervals, such as after a ticket session's completion. At the end of the contract term, all personal data in client accounts is permanently deleted, in line with our commitment to data protection.
3. Secure Hosting and Network Security
ChatForm’s infrastructure is hosted within US-based DigitalOcean data centers, which are secured by advanced physical measures and meet several key certifications, including ISO 27001, PCI Certification, and SOC reports. For detailed information on their certifications, please refer to the DigitalOcean Security and Compliance web pages.
Our network architecture is designed to isolate and protect sensitive data effectively. The production network, where customer data is processed, is kept separate from development and testing environments. System access within the production network is restricted to engineers who have a verified operational need.
4. Sub-processors
The list of sub-processors for our services is available upon request by reaching out to privacy@chatform.com.
5. Data access
Access to your data within ChatForm is granted to various teams based on the requirements of their roles and the specific services they are providing, regardless of whether ChatForm is acting as a data controller or processor.
It is the responsibility of our customers to manage and control their users' access within their ChatForm accounts.
In our role as a data processor, similar to other SaaS providers, we depend on third-party sub-processors to help deliver our services effectively. The list of sub-processors is available upon request, as described in section 4.
6. Government Access
ChatForm does not grant any government authority unrestricted access to customer data. Should a government request be received, any response from us would be strictly limited to what is legally required, after thorough validation by our Privacy and Legal teams. We aim to direct any such requests to the relevant customer and notify you when possible, unless prohibited by law.
7. Penetration Testing
We hire independent experts to carry out regular penetration tests on our applications and infrastructure. The outcomes are reviewed by our team, where we evaluate, prioritize, and systematically address any issues until they are resolved.
8. Authentication Security Measures
ChatForm enforces multi-factor authentication for accessing systems that handle sensitive data, utilizing private keys where applicable and appropriate. Administrative access to production servers requires adherence to strict security protocols, including the use of complex, auto-generated passwords that meet high security standards.
We permit the use of approved password managers for our personnel. These tools are essential for generating, storing, and managing strong, unique passwords, thus reducing the risk of password reuse and vulnerability to phishing attacks.
9. Data and media disposal
Upon deletion or when the message retention period expires, customer data is immediately removed, and backups are destroyed within 14 days. We adhere to best practices for data destruction and require that all media be properly sanitized before disposal. ChatForm’s hosting providers are responsible for ensuring the proper removal of data.
10. Network security
ChatForm segregates its network systems to enhance the security of sensitive data. The infrastructure supporting our testing and development efforts is distinctly isolated from the infrastructure used for our production applications. Customer data is strictly confined to our production network, which is subject to the highest level of control. Only engineers with a clearly defined business requirement are granted administrative access to systems within this network.
Modifications to the configuration of ChatForm's production network are exclusively undertaken by authorized personnel.
11. Access controls and personnel security
Access to data is governed by the principle of least privilege, ensuring team members access only data necessary for their job functions. All team members undergo regular reviews of their access rights to maintain security integrity.
Our personnel, including employees and contractors, must pass background checks and agree to confidentiality terms before gaining system access. Security training is mandatory for all personnel, covering key areas like malware prevention and incident reporting. Access is revoked immediately upon termination of their employment.
12. Policies and standards
ChatForm maintains and regularly updates a set of security policies and standards to guide our operations. These documents ensure adherence to ethical and legal standards and the secure operation of our services. We also employ a version-controlled system for all code development, with changes undergoing peer review and testing to ensure robustness before deployment.