We hold names, addresses, deal histories, and the relationships that make your business run. Losing that data isn't a hypothetical — it would hurt real people. Here's what we do about it.
Encryption
In transit. All traffic to and from Chatalott is served over HTTPS with TLS 1.2 or higher. We send an HTTP Strict Transport Security (HSTS) header with a two-year max-age and includeSubDomains; preload, so once a browser has talked to us it will refuse any future unencrypted connection — even over Wi-Fi that tries to downgrade it.
At rest. Our Postgres database on Neon, our Redis tier on Upstash, our Blob object storage, and daily backups are all AES-256 encrypted at rest by the underlying providers.
Authentication
Passwords are hashed with bcrypt at cost factor 10 — we never store plaintext and never transmit your password anywhere except to validate a login.
Two-factor authentication (TOTP). Any user can enable 2FA from Settings → Two-Factor Auth. We use the standard RFC 6238 TOTP spec so you can use Google Authenticator, 1Password, Authy, Bitwarden, or any other authenticator app. Enrolling issues 8 single-use backup codes in case you lose your phone.
Sessions. Session tokens are HMAC-signed JWTs stored in an HTTP-only, Secure, SameSite cookie. They expire after 7 days of inactivity. Logging out everywhere is instant.
Rate limiting. The login endpoint enforces two layers of rate limits, one keyed on IP and one keyed on email, implemented in Upstash Redis. The IP layer blocks credential-stuffing bots from the internet side; the email layer stops targeted brute force against a specific account.
Application security
We set a Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, a strict Referrer-Policy, and a locked-down Permissions-Policy on every HTML response. These are served from our edge middleware so no route can forget them.
Every database call goes through a parameterized SQL tagged-template helper — we don't concatenate user input into queries, period. Inputs are validated at the API boundary with Zod schemas.
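A minimal tagged-template helper of the kind described above, added here as an illustration (this is not Chatalott's code; the deals table, its columns and the sample inputs are constructed). Every interpolated value becomes a positional $n parameter, so a quote in user input is data, never query syntax:

```javascript
// Added example: parameterized SQL via a tagged template.
// sql`...` collects each interpolated value into a values array and leaves a
// $n placeholder in the query text. The driver ships text and values to the
// database separately, so user input is never parsed as SQL.
function sql(strings, ...values) {
  let text = '';
  const params = [];
  strings.forEach((chunk, i) => {
    text += chunk;
    if (i < values.length) {
      params.push(values[i]);
      text += `$${params.length}`;
    }
  });
  return { text, values: params };
}

// Constructed tenant-scoped query: user_id is always a bound parameter, so
// the tenant boundary cannot be altered by whatever is in `name`.
function dealsByNameQuery(userId, name) {
  return sql`SELECT id, name FROM deals WHERE user_id = ${userId} AND name = ${name}`;
}

// Contrast only: string concatenation, which the page rules out. A name such
// as O'Brien produces a malformed query here, while the parameterized form
// above keeps it as one intact value.
function concatenatedQuery(userId, name) {
  return `SELECT id, name FROM deals WHERE user_id = ${userId} AND name = '${name}'`;
}
```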
Admin impersonation (“God View”) actions are read-only and written to an audit log that can't be edited by the admin performing the action.
Infrastructure
Chatalott runs on Vercel, backed by Neon for PostgreSQL, Upstash for Redis, and Vercel Blob for object storage. See our full Subprocessors list for details on every vendor that touches customer data.
Secrets are stored in Vercel's encrypted environment-variable store. They're never committed to the repository, never logged, and rotated on staff departure.
Backups run daily on Neon with seven-day point-in-time recovery. Restores have been tested.
Data isolation
All customer data is scoped to a user_id or team_id. Every read and write through our API layer is gated by a session lookup that resolves to one specific user — there is no code path that serves cross-tenant data. We've written integration tests around the boundaries where tenants meet (team invites, shared templates) to catch regressions before they ship.
Responsible disclosure
Found something? We want to hear about it. Email security@chatalott.com with a description of the issue and a way to reproduce it. See our security.txt for the full policy and PGP key.
We commit to:
- Acknowledging your report within 2 business days.
- Providing a remediation timeline within 7 days of triage.
- Crediting you publicly (by name or handle, your preference) once the issue is fixed, if you'd like that.
- Not pursuing legal action against researchers who act in good faith, stay within the scope of our disclosure policy, and don't exfiltrate customer data.
Scope. The Chatalott web application, the API, and the Postalott Chrome extension. Subprocessor issues should go to the subprocessor directly, though we're happy to help route them.
Out of scope. Denial-of-service attacks, volumetric testing, social engineering of our staff, physical security, third-party services, and findings from automated scanners without a proof-of-concept.
Incident history
We've had zero customer-impacting security incidents to date. If that changes, we will publish a post-mortem here and email every affected customer within 72 hours, per our DPA.
Questions?
Email us at support@chatalott.com.