Chameleon Creator

Technology Trust Summary

Purpose of this document

This document will outline the high level security posture for Chameleon. It will document our application/data concerns and the controls we have in place for our business.


This document outlines the security program and policies required to operate Chameleon as an application and business. Where possible we rely on the security of our infrastructure providers, however their security is out of scope for this document.

Application and Data


We develop our application using an Agile Methodology, with an integrated CI/CD process, using a container based deployment. Our application is hosted by Heroku on Amazon AWS, Both being SOC2 and ISO27001 certified. Heroku ensures that our database and underlying disk storage is encrypted at rest, and all data is encrypted using TLS 1.2 or greater between the client and the server. We use automated dependency management and CI based patch verification and can deploy important security fixes in under 30mins.


Our application and data reside in the US, within the AWS US-east-1 region. It is not moved from here, nor is moved between application environments. Where requests are received for access from relevant local authorities, they are handled on a case by case basis.


We have a privacy policy and a terms of service that are agreed to when signing up with chameleon. We collect only the data required to provide our service and prevent access to only first party, authorised individuals, when required. On a breach of privacy including unauthorised access, the affected individuals will be notified within a timely manner, in accordance with local requirements and the best interests of the individuals.


We are a multi-tenancy SaaS application, with the data interleaved across tenants. We use an application level access control via a tenancy key scoped to the request. In combination with a RBAC based authorisation platform, only users with appropriate users will have access to your data. All editable actions are logged in an event sourced model.


All data is stored either as object storage or relational data. All relational data is backed by both nightly capture the world backups with 30 day retention and 4 days of point-in-time recovery. We only offer system level data recovery in the case of corruption. We perform regular backup and recovery tests. Unless otherwise negotiated, all customer data is removed no sooner than 30 days after the cessation of contract terms.


Under some conditions we offer an initial response SLA for support. This is variable based on organisational needs. Our deployment process is a zero downtime one, with deployments occurring on an as needed basis for system and application patching. Feature deployment is rolled out on a more limited basis as needed.

Business Controls

Human Resources

All Chameleon Creator employees are subject to confidentiality agreements thats include customer data. We communicate regular about threats faced by our organisation including BEC, physical security, phishing and more.

Penetration Testing

We perform regular penetration testing to ensure we continue to have 3rd party confidence in our development processes. Our latest reports can be made available on request.

Business Continuity

We strategically plan for the continuation of business operations during disruptions. We maintain appropriate and up to date records of response. Associated, our disaster recovery policy is maintained and tested regularly. Policy and test results can be made available on request.

Incident Response

We maintain an Incident Response plan that details how we will detect and response to potential cyber based incidents that impact on availability, confidentiality or integrity of the Chameleon Application. We also maintain a security incident record. Our incident response plan can be made available on request.